Is your feature request related to a problem? Please describe.
Tor Browser/Firefox by default provides "HTTPS-Only Mode" for enhanced security with regard to malicious exit nodes and cleartext HTTP connections ("Settings" -> "Privacy & Security"). Orbot currently doesn't support a comparable feature, which increases its own/proxied app's vulnerability to this type of attack.
Describe the Solution You'd Like
To make Orbot more secure and the hardening process easy to maintain, I suggest providing an HTTPS-enforcing mode similar to Tor Browser, integrated into the Orbot user interface as a configuration setting. This mode might either be configured globally or per app.
Describe the Alternatives You've Considered
Currently, each proxied app needs to be inspected with regard to its support of plain HTTP (^1). Also, an app might use the socket API, in which case app policies won't help with blocking HTTP.
Another possible alternative would be some kind of filtering HTTP proxy app, e.g. on Android running in Always-on VPN mode. But in addition to blocking the VPN slot and me not knowing an existing solution (please let me know otherwise), the proxy probably needs to be made aware of some of the Tor internals. For example, there is an issue regarding dealing with OCSP on port 80, where the current decision apparently is to keep it enabled.
Additional Context
^1: App policy needs to be inspected manually by looking at AndroidManifest.xml for a flag android:usesCleartextTraffic. If it exists and is set to "true", the app allows plain HTTP, which makes it unsafe for usage with Orbot. The other way is more fine-grained HTTP whitelisting via the Network security config API. Corresponding config entries need to be looked up as well.
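
The manual inspection described in footnote ^1 can be scripted. The following is an added example, not part of the original issue and not Orbot code: it assumes the manifest and network security config have already been decoded to text XML, and the function name, the `target_sdk` parameter and the sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (decoded text XML, not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.org</domain>
  </domain-config>
</network-security-config>"""


def cleartext_findings(manifest_xml, nsc_xml=None, target_sdk=28):
    """Return reasons the app may send plain HTTP (hypothetical helper; empty list = none found)."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest: no <application> element"]
    flag = app.get(ANDROID_NS + "usesCleartextTraffic")
    has_nsc = app.get(ANDROID_NS + "networkSecurityConfig") is not None
    if flag == "true":
        findings.append('manifest: android:usesCleartextTraffic="true"')
    elif flag is None and not has_nsc and target_sdk < 28:
        # Platform default: cleartext is allowed when targeting API 27 or lower.
        findings.append("manifest: flag absent, cleartext allowed by default below API 28")
    if has_nsc and nsc_xml is None:
        findings.append("manifest: network security config referenced but not supplied")
    if nsc_xml is not None:
        # Explicit opt-ins only; defaults inherited inside the config are not evaluated.
        for node in ET.fromstring(nsc_xml).iter():
            if node.tag in ("base-config", "domain-config") and \
                    node.get("cleartextTrafficPermitted") == "true":
                domains = [d.text.strip() for d in node.findall("domain") if d.text]
                scope = ", ".join(domains) if domains else "all domains"
                findings.append(f"network security config: cleartext permitted for {scope}")
    return findings


if __name__ == "__main__":
    for finding in cleartext_findings(SAMPLE_MANIFEST, SAMPLE_NSC):
        print(finding)
```

An empty result only covers these declared policies; as the issue notes, an app using the socket API directly is not constrained by them.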