
Trusting domain vs HTTP block #1451

Open
opk12 opened this issue May 19, 2024 · 9 comments

Comments

@opk12

opk12 commented May 19, 2024

I cannot block port 80 while trusting a domain. Also, a trust rule for my_domain_here.com:80 seems ineffective, but the GUI accepts it.

  1. Turn on the option to disable port 80 (insecure HTTP).
  2. Open the Rethink settings for the browser and trust a domain.
  3. Now I can connect to the domain at port 80.
  4. Remove the trust rule.
  5. Tap the + button and type a rule for my_domain_here.com:80.
  6. The app cannot connect to port 80, but the Rethink GUI accepted the syntax silently.

What about changing the logic to block the port 80 even if there is a trust rule? Then the app could introduce support for the syntax domain.com:80, to whitelist the port.

@ignoramous
Collaborator

Essentially, the ask is to support port-numbers for domain rules?

@opk12
Author

opk12 commented May 20, 2024

  1. Trusting a domain should not allow the port 80, if the Universal rule to forbid port 80 is enabled.
  2. Supporting port numbers for domain rules.

@ignoramous
Collaborator

Trusting a domain should not allow the port 80, if the Universal rule to forbid port 80 is enabled.

We've implemented this in v055l. Please test and let us know.

Supporting port numbers for domain rules.

We are in two minds about supporting this. There are no technical issues here but just that enforcing a domain name rule with no port number will have to behave drastically differently than when specified with a port number[1], which might confuse users.

Footnotes

  [1] Port numbers are not known at domain name resolution time and hence these rules would always have to be applied at connection time (unlike other block / deny domain rules which are applied at DNS resolution time).

@opk12
Author

opk12 commented May 28, 2024

We've implemented this in v055l. Please test and let us know.

Thank you very much. I will update as soon as it lands on F-droid.

Supporting port numbers for domain rules.

I wrote this for completeness while bug-reporting, but I do not need this personally. I was thinking in general about any users that potentially relied on the domain rule allowing port 80 and now (since v055l) will have no way to access port 80.

@opk12
Author

opk12 commented May 28, 2024

We are in two minds about supporting this. There are no technical issues here but just that enforcing a domain name rule with no port number will have to behave drastically differently than when specified with a port number, which might confuse users.

OpenSnitch has one single list of rules (screenshot 1). A rule can provide an IP, and/or domain, and/or port, and/or app, ...

Although the name sounds like "allow google.com" for ease of reading, the rule is a generic predicate (operator_data) over the properties of interest (column operator_operand), and the editing window allows mixing properties (screenshot 2; JSON in the last line in screenshot 3). For example, I can mix IP and domain. I think it's a matter of time before the user requests for Rethink reach that point.

It seems that OpenSnitch has already encountered the problem that similar-looking things behave differently, but I do not know how they deal with it exactly. For Rethink, maybe one list of rules, and a colored badge on each rule, to self-identify as "triggered at the DNS level" vs connection level.

[Screenshots 1-3: opensnitch_rules_list, opensnitch_editing_window, opensnitch_json]

@ignoramous
Collaborator

ignoramous commented May 28, 2024

Thanks.

I think it's a matter of time before the user requests for Rethink reach that point.

True, but there's a laundry list of things (enough to keep us busy for 2 years) already left to work on before this particular power-user feature should get implemented? (:

@opk12
Author

opk12 commented May 31, 2024

I updated to v0.5.5L from F-droid and rebooted the phone. I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.

@opk12
Author

opk12 commented May 31, 2024

This also applies to the IP address: Fennec can connect to my home PC (where I run nc -l 80 or python3 -m http.server) if I add the IP address to the trust list, without typing :80.

@ignoramous
Collaborator

I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.

Sorry, we undid the change in v055l as we broke the fundamental precedence rule we set for prior versions, which is, domain rules always override IP rules (as some vocally angry users reminded us).

We're thinking of either bringing in domain:port rule or explicit priority numbers for rules (like in OpenSnitch).
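A toy two-phase rule evaluator, added here as an illustration and not Rethink's or OpenSnitch's code, showing why a domain trusted at DNS time (the footnote above) can bypass the universal port-80 block, why a "domain:80" entry in the domain list is accepted but inert, and how a connection-time domain:port rule would scope the exception to one port. The DNS answer, rule sets and the `domain_port_allows` field are constructed for the model.

```python
from dataclasses import dataclass, field

# Constructed DNS answer for the model; any name the model resolves is listed here.
DNS = {"my_domain_here.com": "198.51.100.7"}

@dataclass
class Rules:
    trusted_domains: set = field(default_factory=set)     # domain rules, matched at DNS time
    trusted_ips: set = field(default_factory=set)         # IP rules, matched at connection time
    blocked_ports: set = field(default_factory=set)       # universal rules, connection time
    domain_port_allows: set = field(default_factory=set)  # proposed "domain:port" rules (assumed)
    trust_overrides_ports: bool = True                    # precedence reported in the issue

def decide(name, port, rules):
    """Return 'allow' or 'block' for a connection the app makes to name:port."""
    # Phase 1, DNS time: only the name is visible, so a domain list entry written
    # as 'my_domain_here.com:80' can never match the query 'my_domain_here.com'.
    trusted_at_dns = name in rules.trusted_domains
    ip = DNS[name]
    # Phase 2, connection time: IP and port are known; the resolved IP is mapped
    # back to its name so a domain:port rule can be applied here.
    trusted = trusted_at_dns or ip in rules.trusted_ips
    if trusted and rules.trust_overrides_ports:
        return "allow"  # trust decided earlier wins; the port block is never consulted
    if (name, port) in rules.domain_port_allows:
        return "allow"  # explicit opt-in for this one port on this one name
    if port in rules.blocked_ports:
        return "block"  # universal rule applies even to trusted names and IPs
    return "allow" if trusted else "block"  # default deny, as for an Isolated app

def reported_leak():
    r = Rules(trusted_domains={"my_domain_here.com"}, blocked_ports={80})
    return decide("my_domain_here.com", 80, r)  # 'allow': steps 1-3 of the report

def port_in_domain_list_is_inert():
    r = Rules(trusted_domains={"my_domain_here.com:80"}, blocked_ports={80})
    return decide("my_domain_here.com", 80, r)  # 'block': step 6, accepted but never matches

def universal_block_wins():
    r = Rules(trusted_domains={"my_domain_here.com"}, blocked_ports={80},
              trust_overrides_ports=False)
    return decide("my_domain_here.com", 80, r)  # 'block': the requested precedence

def domain_port_rule():
    r = Rules(blocked_ports={80}, domain_port_allows={("my_domain_here.com", 80)},
              trust_overrides_ports=False)
    return (decide("my_domain_here.com", 80, r),   # 'allow': only port 80 opened
            decide("my_domain_here.com", 443, r))  # 'block': nothing else trusted
```

The last two functions contrast the two precedence choices discussed in the thread: a universal port block that wins over trust, and an explicit domain:port opt-in that re-opens exactly one port.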
