Considering Tor / Onion Routing / Orbot integration #825

Closed
wants to merge 8 commits into
base: master

n8fr8 commented Jun 28, 2017

Greetings. I'm Nathan from Guardian Project and Tor Project, and I'm here at the Mozilla All-Hands this week. While we do ship a full Fennec/Tor-Browser based app called Orfox (https://github.com/guardianproject/orfox), we were also discussing with Mozilla folks today about some possible collaboration around Focus and GeckoView.

I hacked up this last night, and it is working well enough that I thought I would share. This is more of a "what if" pull request, but it is fully armed and operational. There is more to do (like detect the actual live ports Tor's SOCKS proxy is available on, instead of just the default one), but I think the user experience is fairly complete, and simple enough for Focus.

We have a time to meet with @snorp on Thursday, so I figured this could help seed that conversation a bit.

Cheers!

tomrittervg referenced this pull request Jun 29, 2017: Support Orbot (Tor) #66 (Open)

pocmo added the blocked label Jul 3, 2017

Contributor

pocmo commented Jul 3, 2017

I really like this and would love to land the PR. However there are some blockers that we'd need to eliminate first.

The biggest blocker is that we are currently shipping the WebView-based version of Focus. There's definitely some convincing (and additional code writing) to do until all stakeholders accept a ~30 MB size increase and ship the GeckoView-based version. Sooner or later we will hit other limitations of WebView though.

It seems like there are some hacks that add proxy support to WebView. However apparently WebView will still leak the user's IP and anonymous browsing via Tor would be impossible. Do you know more about this? I'm wondering whether a WebView-based version with just onion routing and "restriction bypassing" would still be something that's worth shipping?

Contributor

bbinto commented Jul 5, 2017

Thanks Nathan for all your work, that all sounds exciting, and I do have to follow / support @pocmo's concerns. We currently only support the WebView version in the Google Play Store. If we could make Tor work somehow with that version, I'd give it my +1 and consider adding this feature sooner than later.

n8fr8 commented Jul 5, 2017

We've worked with both DuckDuckGo and Facebook to support the various Android OS/SDK workarounds for WebView implementation that need to be done. All of the logic is wrapped up in neat utility classes like this one:
https://github.com/guardianproject/NetCipher/blob/826a2b76284e06580e4431750eff258bf7552880/libnetcipher/src/info/guardianproject/netcipher/web/WebkitProxy.java

> However apparently WebView will still leak the user's IP

On this front, do you have a specific issue you are referring to? There are cases where the IP can be leaked through media player tags - is that what you mean?

> Do you know more about this? I'm wondering whether a WebView-based version with just onion routing and "restriction bypassing" would still be something that's worth shipping?

Yes. There is still value in providing access to .Onion address and to reduce opportunities for network censorship, filtering and surveillance. The trick is to communicate that effectively to users, meaning never say the word "anonymous".

Contributor

pocmo commented Jul 5, 2017

> We've worked with both DuckDuckGo and Facebook to support the various Android OS/SDK workarounds for WebView implementation that need to be done. All of the logic is wrapped up in neat utility classes like this one:
> https://github.com/guardianproject/NetCipher/blob/826a2b76284e06580e4431750eff258bf7552880/libnetcipher/src/info/guardianproject/netcipher/web/WebkitProxy.java

Nice! That's exactly what I was looking for. :)

> > However apparently WebView will still leak the user's IP
>
> On this front, do you have a specific issue you are referring to? There are cases where the IP can be leaked through media player tags - is that what you mean?

Yeah, I think I read something related to WebRTC - however I didn't do any research myself.

> Yes. There is still value in providing access to .Onion address and to reduce opportunities for network censorship, filtering and surveillance.

That's interesting. When I saw that anonymity isn't possible with WebView I pretty much thought that's a deal breaker. I didn't think about the other use cases of Tor. Shipping this on top of WebView is definitely something that is (technically) doable in the short-term (assuming our product and UX teams agree). Switching to Gecko(View) will take some more time - and probably won't happen until we hit some more limitations of WebView.

> The trick is to communicate that effectively to users, meaning never say the word "anonymous".

This will not be easy, I guess.

tomrittervg commented Jul 5, 2017

> > The trick is to communicate that effectively to users, meaning never say the word "anonymous".
>
> This will not be easy, I guess.

Yea. But it's not without precedent. Opera supports a VPN mode on desktop and mobile. Chrome has 'Data Saver'.

Talking about it as 'opening up more of the web' could be the trick. We're enabling all users access to .onion sites, and we're enabling users in censored countries and networks (more and more when you count stuff like the UK's net nanny filters) one-click (two-click?) access to everything.

n8fr8 commented Jul 5, 2017

On a technical note @pocmo which branch should I work from to build on WebView?

Contributor

pocmo commented Jul 5, 2017

> On a technical note @pocmo which branch should I work from to build on WebView?

You can use the master branch, but make sure to select the focusWebkitDebug flavor/variant in Android Studio (or run ./gradlew app:assembleFocusWebkitDebug from the command line).

n8fr8 added some commits Jul 6, 2017

add configuration for .onion version of DuckDuckGo
likely should hide this if Onion Routing is not enabled,
and auto-select it if the user does enable it

Adding HTTP/HTTPS proxy support for WebView and supporting logic
- This includes both the WebkitProxy code, as well as the various places where it needs to be set or unset
- When the Onion Routing setting is changed, the main activity is finished and restarted
- Added a click event for the home screen "onion routing" text to take you to a default onion site

n8fr8 commented Jul 6, 2017

Got this working well, and tested so far on Android 5.x and 7.x. Fortunately, the proxy settings code for WebView works consistently from SDK 21/Lollipop on up. It will be important to implement a "tor check" page of some sort to make sure it is working. For now, if you click on the "onion routing enabled" text on the home fragment, it will open the Tor Project's .onion site.
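An added example, not part of the thread or of the pull request's code: the opening comment leaves detecting the live SOCKS port as a to-do, and the comment above asks for a "tor check". One building block for both is to send the SOCKS5 greeting from RFC 1928 to candidate loopback ports and keep the ones that answer correctly. The class and method names are hypothetical, and the demo probes constructed stand-in listeners rather than a real Orbot; a valid reply shows only that a SOCKS5 proxy is listening, not that it is Tor.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

/** Added illustration (hypothetical names): find loopback ports that answer a SOCKS5 greeting. */
public class SocksPortProbe {

    /** True if host:port completes SOCKS5 method negotiation with "no authentication". */
    static boolean speaksSocks5(InetAddress host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            s.setSoTimeout(timeoutMs);
            OutputStream out = s.getOutputStream();
            // RFC 1928 greeting: VER=5, NMETHODS=1, METHOD=0x00 (no authentication)
            out.write(new byte[] {0x05, 0x01, 0x00});
            out.flush();
            byte[] reply = new byte[2];
            new DataInputStream(s.getInputStream()).readFully(reply);
            // Expected reply: VER=5, METHOD=0x00 (0xFF would mean "no acceptable method")
            return reply[0] == 0x05 && reply[1] == 0x00;
        } catch (IOException e) {
            // Closed port, read timeout, or a service that does not speak SOCKS5
            return false;
        }
    }

    /** Returns the candidate ports that answered as SOCKS5, in the order given. */
    static List<Integer> findSocksPorts(int[] candidates, int timeoutMs) {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        List<Integer> live = new ArrayList<>();
        for (int port : candidates) {
            if (speaksSocks5(loopback, port, timeoutMs)) {
                live.add(port);
            }
        }
        return live;
    }

    public static void main(String[] args) throws Exception {
        InetAddress lo = InetAddress.getLoopbackAddress();
        // Constructed stand-ins so the demo runs without Tor: one listener replies
        // like a SOCKS5 proxy, the other accepts connections but never answers.
        try (ServerSocket fakeSocks = new ServerSocket(0, 1, lo);
             ServerSocket silent = new ServerSocket(0, 1, lo)) {
            Thread responder = new Thread(() -> {
                try (Socket c = fakeSocks.accept()) {
                    new DataInputStream(c.getInputStream()).readFully(new byte[3]);
                    c.getOutputStream().write(new byte[] {0x05, 0x00});
                } catch (IOException ignored) {
                    // Demo listener only; nothing to recover
                }
            });
            responder.start();
            int[] candidates = {fakeSocks.getLocalPort(), silent.getLocalPort()};
            // Only the fakeSocks port is reported; the silent listener times out
            System.out.println("SOCKS5 listeners: " + findSocksPorts(candidates, 500));
            responder.join();
        }
    }
}
```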

n8fr8 commented Jul 6, 2017

Also added DuckDuckGo's Onion as a separate search service option. Perhaps there would be a way to automatically use the Onion, if the user had DDG already selected? Or to switch to it when they select to enable Onion Routing.

Contributor

bbinto commented Jul 25, 2017

> Talking about it as 'opening up more of the web' could be the trick. We're enabling all users access to .onion sites, and we're enabling users in censored countries and networks (more and more when you count stuff like the UK's net nanny filters) one-click (two-click?) access to everything.

I'm not quite sure if I'm following correctly as this relates anonymous? Because no matter who/what we do with Tor and WebView, users will never be fully anonymous?

From a product perspective, I'd like to start thinking about how to add it to the product, message it and of course have UX involved (@antlam).

Could we set up a meeting for next week?

tomrittervg commented Jul 25, 2017

> I'm not quite sure if I'm following correctly as this relates anonymous? Because no matter who/what we do with Tor and WebView, users will never be fully anonymous?
>
> From a product perspective, I'd like to start thinking about how to add it to the product, message it and of course have UX involved (@antlam).
>
> Could we set up a meeting for next week?

@bbinto : Yea! My calendar is (hopefully) up to date, throw something at it.

I'm at a conference this week, but I will try and write something up on the plane to explain what I meant a bit better.

n8fr8 commented Aug 1, 2017

I am around and happy to join a meeting.

For me, I see this as enhanced tracking protection or network confidentiality. It protects the user's I.P. address from being used and logged by websites, and stops the network operators (be it the local LAN, ISP, etc.) from knowing and logging the domain the user is browsing to.

I also do like the message regarding opening up more access by providing connectivity to Onion sites.

Anyhow, I've been happily using Focus Android WebView with Orbot for the last few weeks, and hope we can bring this capability to your users.

andreicristianpetcu commented Aug 1, 2017

Can it use an existing Orbot implementation instead of bundling its own? Adding another Tor library might pose issues for F-Droid users of Firefox Klar.

n8fr8 commented Aug 2, 2017

@andreicristianpetcu This patch doesn't bundle Orbot, it just checks if it is installed, and makes the preference enabled for the user to switch the "Onion Routing" option on. It is a very small increase in KB, and won't bother users who don't already have Orbot.

SkewedZeppelin commented Aug 22, 2017

I've rebased this patch onto 0a2cf55, it's available here https://gist.github.com/SpotComms/431fde4a263c864e8200a28fbdbea060.

lime124 added this to Ready for UX in Status Aug 23, 2017

bbinto removed this from Ready for UX in Status Sep 25, 2017

Contributor

bbinto commented Sep 27, 2017

Listing some benefits of Tor in here for others to read (e.g. marketing)

  • Bypassing network interference such as corporate internet filters all the way up to country-level censorship (Example: You could access websites about alcohol, porn, homosexuality, or gambling which are blocked by your country (most of the Middle East))

  • Preventing network surveillance of a user by a corporate, university, or local ISP (Example: Your university can’t keep weblogs of the websites you’ve visited inside their network)

  • Access to more of the internet (the so-called ‘dark’ or ‘deep’ web) (Example: Publish information online that could sentence you to prison by your governments, or if the US government doesn't like me owning 'ritter.com' - they can take it away from me. They can't take away an onion address (which can be created easily inside Tor))

tomrittervg commented Sep 27, 2017

A better example than "The US government taking ritter.com" away from me that's a bit more timely: Spanish officials seizing Catalan domains that were part of the Catalan Independence Referendum.

n8fr8 commented Sep 27, 2017

These are great. I just want to bring up again that we must avoid the use of the word "anonymity". Increased privacy from network operators, anti-filtering anti-censorship, access to .onion sites are all great and specific ways to talk about what Focus+Orbot provides.

Contributor

pocmo commented Oct 30, 2017

Closing the pull request - just so that we do not keep it in the list indefinitely. We are still interested in Tor support. Let's move discussion etc. to the issue #66.
