Stream isolation of different apps in Orbot VPN mode #71
Comments
I think if you enable the "IsolateDestAddr" feature in torrc, this would create unique streams per destination address. If we expect apps to connect to unique back end addresses, this would achieve your goal. https://www.torproject.org/docs/tor-manual.html.en "IsolateDestAddr
Thanks, I will try it out. I tried to add But even if it did work: https://tails.boum.org/contribute/design/stream_isolation/
As for the TAILS link, yes there is performance impact... every app going through the VPN will have its own circuit.
Mr. Freitas and Orbot collaborators. I have no doubt you're very busy with plenty, but I must advise that you consider this to be a privacy vulnerability. The Tails link provided by e3b references the notion that when different kinds of network traffic go through the same circuit together, they can be correlated. Let us take a look at the Tor browser design documents to get an idea of how they might want this situation handled:
They write a series of bullet points referencing items that they isolate "in scope to the first party URL bar domain." Another application example: Orbot currently doesn't offer by app isolation.
This is an unreasonable expectation. Consider the following: Although the apps aren't sharing data through IPC to cross correlate your identities across each application, said smartphone is now at risk of having the entire device being correlated with the data from all of the apps, because we now have network connections for {time, app 1, app 2, ...} all joined together. If you consider this to not be an unreasonable threat, then we should implement this isolation. Perhaps even by default, with a flag to disable it. The Android APIs allow us to determine which application has sent a request, and thus we could apply a different SOCKS username and password for each. I believe that this should involve the package ID if possible. To help, I could search torsocks and the Tor browser to identify how they generate socks usernames and passwords that are unique but unguessable.
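The per-app SOCKS credential idea from the comment above, sketched as an added example that is not part of the thread or of Orbot's code: each package ID is mapped to a username/password pair through an HMAC keyed with a random per-session secret, then packed into the RFC 1929 authentication message. It assumes Tor's `IsolateSOCKSAuth` SocksPort behaviour is in effect (Tor's default); the function names, the session key handling and the package IDs are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Tuple


def derive_socks_auth(session_key: bytes, package_id: str) -> Tuple[str, str]:
    """Map a package ID to a stable, unguessable SOCKS5 username/password pair."""
    def tag(label: bytes) -> str:
        data = label + b"\x00" + package_id.encode("utf-8")
        # 128 bits of HMAC output as hex: 32 bytes, far below the 255-byte field limit.
        return hmac.new(session_key, data, hashlib.sha256).hexdigest()[:32]
    return tag(b"user"), tag(b"pass")


def socks5_greeting() -> bytes:
    """RFC 1928 greeting: VER=5, one method offered, 0x02 (username/password)."""
    return bytes([0x05, 0x01, 0x02])


def socks5_auth_request(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD."""
    u, p = username.encode("ascii"), password.encode("ascii")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("SOCKS5 username and password must be 1..255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def parse_auth_request(msg: bytes) -> Tuple[str, str]:
    """Proxy-side view: recover the pair that stream isolation is keyed on."""
    if len(msg) < 3 or msg[0] != 0x01:
        raise ValueError("not an RFC 1929 auth request")
    ulen = msg[1]
    plen = msg[2 + ulen]
    user = msg[2:2 + ulen]
    passwd = msg[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        raise ValueError("truncated auth request")
    return user.decode("ascii"), passwd.decode("ascii")


if __name__ == "__main__":
    key = os.urandom(32)  # regenerated per session, so credentials never repeat across sessions
    for pkg in ("org.example.mail", "org.example.chat"):  # constructed package IDs
        user, passwd = derive_socks_auth(key, pkg)
        print(pkg, socks5_auth_request(user, passwd).hex())
```

Because the key never leaves the process and the package ID is only an HMAC input, the credentials on the wire reveal neither which app sent the stream nor anything reusable in a later session.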
We understand this concern. In general, we don't recommend any Android VPN for the level of anonymity you are expecting to have. TAILS and Tor Browser are different in this regard. With Android, and especially VPNs, we cannot control all the variables that you can at the operating system or browser level. However, the feature we do allow is for you to only selectively proxy specific apps over the Orbot VPN. This reduces the attack surface quite a bit. I agree, it would be a great feature to have, to isolate traffic by package id, and if someone implements it, we would be happy to review and merge. I also believe the future "official" Tor VPN for Android under development will support this.
I had intended to implement it if I could when I find the time to participate here. It's good to hear that the guardianproject would be receptive to said feature.
These changes, inspired by guardianproject/orbot#71, force the use of different Tor circuits for different apps, effectively isolating apps' traffic from each other.
It appears that Orbot (at least when running in Apps VPN mode) does not isolate the traffic of apps, i.e. relaying it to different exit nodes; multiple (even all?) have the same public IP address. At the same time Orbot obviously can do stream isolation when an app is properly configured (like Orfox) and the traffic of each app can be handled separately by the VPN.
Am I correct? What needs to be done to implement per-app stream isolation in Orbot?