[Enhancement] make use of stream circuit Isolation in Orbot mode 🧅 #8

Open
4-FLOSS-Free-Libre-Open-Source-Software opened this issue Jun 16, 2021 · 4 comments

@4-FLOSS-Free-Libre-Open-Source-Software

Make use of Tor/Orbot's stream circuit isolation by using dynamic SOCKS5 username & password authentication where it makes a privacy enhancement.

For now, if you visit embedded YouTube in the browser and open the YouTube app, both may share a circuit while you could have used different logins in each, and get tracked with the same IP.
Suggested: isolate on a per-app basis. One may easily just use the app package name as a unique SOCKS5 username, and Tor will never put streams from different apps together again. Alternatively, authenticate with a UUID. It could also benefit from KeepAliveIsolateSOCKSAuth.

I'm aware that RethinkDNS allows setting a permanent SOCKS5 username & password for authentication manually in the settings. But that's not useful for the idea here.

@ignoramous
Contributor

Thanks. Would you know Orbot has an API for this?

@4-FLOSS-Free-Libre-Open-Source-Software 4-FLOSS-Free-Libre-Open-Source-Software changed the title [Enhancement] make use of stream circuit Isolation [Enhancement] make use of stream circuit Isolation in Orbot mode 🧅 Jul 24, 2021
@4-FLOSS-Free-Libre-Open-Source-Software
Author

Orbot has an API for this?

It is not needed? All of it can be done by the present implementation of SOCKS5 authentication in RethinkDNS.

For enabling the KeepAliveIsolateSOCKSAuth SocksPort flag, the control port can be used. But this is not required for this issue.

Only the already present authentication setting needs a different per-app SOCKS5 username to be used automatically.
Example:
com.celzero.bravedns


The level of isolation may need to be discussed.

Tor Browser does it by default per hostname, if this is the result that should be matched. But we also want not to mix two apps' connections to the same destination: as two different apps could try to connect to google-analytics.com, we want to isolate circuit use for both, separate from each other, to prevent linkage.
For example the socks5 username could look like:

  1. com.celzero.bravedns_rethinkdns.com
  2. org.mozilla.fenix_rethinkdns.com

I have used app package names and destinations as identifiers. Both should actually be known to RethinkDNS anyway when the forwarding decision for a connection is made?

@ignoramous
Contributor

Thanks for the detailed explanation. Both the per-HTTP-hostname scheme and the per-app scheme are implementable.

@4-FLOSS-Free-Libre-Open-Source-Software
Author

Orbot settings already allow the user to set the IsolateDestAddr SocksPort flag.

IsolateDestAddr

Don’t share circuits with streams targeting a different destination address.


Tor Browser does it based on hostname, not address. It uses the per-hostname scheme.
This is not exactly the same, since one hostname can have multiple IP addresses:

rethinkdns.com → 104.21.13.53
               → 172.67.154.200
               → 2606:4700:3032::6815:d35
               → 2606:4700:3036::ac43:9ac8

Orbot is currently missing the per-app scheme.
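As an added example (not code from this issue, RethinkDNS or Orbot), the following Python shows what a proxying app would actually put on the wire to Orbot's SOCKS port to get the isolation discussed in the two comments above: the SOCKS5 username is derived from the app package name and, optionally, the destination hostname, sent in the RFC 1929 username/password sub-negotiation, and the CONNECT request then carries the hostname (ATYP = domain name) rather than a locally resolved IP. Tor keeps streams with different username/password pairs on different circuits (IsolateSOCKSAuth is on by default), and because the key is the hostname, all of rethinkdns.com's addresses listed above end up on one circuit per app, unlike IsolateDestAddr, which keys on the resolved address. The `isolation_username` helper, the `_` separator and the fixed password `x` are illustrative choices, not RethinkDNS or Orbot API.

```python
"""Tor SOCKS5 stream isolation via per-app / per-destination credentials.

Builds the RFC 1928 method selection, the RFC 1929 username/password
sub-negotiation and the RFC 1928 CONNECT request a proxying app sends to
a Tor SOCKS port (e.g. Orbot's), using the username as Tor's isolation key.
Constants and helper names here are illustrative, not a real project API.
"""
import struct
from typing import Optional

SOCKS_VER = 0x05        # RFC 1928 protocol version
AUTH_USERPASS = 0x02    # method: username/password (RFC 1929)
USERPASS_VER = 0x01     # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_DOMAINNAME = 0x03  # let Tor resolve the name remotely
MAX_FIELD = 255         # ULEN/PLEN and domain-name length are one byte each


def isolation_username(package_name: str, dest_host: Optional[str] = None) -> str:
    """Per-app isolation key, optionally narrowed to per-app-per-hostname.

    Two apps connecting to the same host get different usernames and so
    different circuits; one app connecting to any address of one hostname
    keeps the same username and so shares a circuit. (Illustrative format.)
    """
    key = package_name
    if dest_host is not None:
        # Normalise so "Rethinkdns.COM." and "rethinkdns.com" map to one key.
        key = f"{package_name}_{dest_host.rstrip('.').lower()}"
    if not 1 <= len(key.encode("utf-8")) <= MAX_FIELD:
        raise ValueError("SOCKS5 username must be 1..255 bytes")
    return key


def method_selection() -> bytes:
    """Client greeting offering only username/password authentication."""
    return bytes([SOCKS_VER, 1, AUTH_USERPASS])


def auth_request(username: str, password: str = "x") -> bytes:
    """RFC 1929: VER | ULEN | UNAME | PLEN | PASSWD.

    Tor does not check the values, it only compares them for isolation, so a
    fixed non-empty password is enough; the username carries the key.
    """
    u = username.encode("utf-8")
    p = password.encode("utf-8")
    if not (1 <= len(u) <= MAX_FIELD and 1 <= len(p) <= MAX_FIELD):
        raise ValueError("username and password must each be 1..255 bytes")
    return bytes([USERPASS_VER, len(u)]) + u + bytes([len(p)]) + p


def auth_succeeded(reply: bytes) -> bool:
    """RFC 1929 server reply: VER=1, STATUS=0 means accepted."""
    return len(reply) == 2 and reply[0] == USERPASS_VER and reply[1] == 0x00


def connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with ATYP=DOMAINNAME.

    Sending the hostname instead of a locally resolved IP keeps DNS inside
    Tor and is what makes hostname-keyed isolation treat every address of
    the host alike (IsolateDestAddr would split them per resolved IP).
    """
    h = host.encode("idna")
    if not 1 <= len(h) <= MAX_FIELD:
        raise ValueError("hostname must be 1..255 bytes")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(h)])
            + h + struct.pack("!H", port))


if __name__ == "__main__":
    # Constructed sample: two apps, one shared tracker destination.
    for pkg in ("com.celzero.bravedns", "org.mozilla.fenix"):
        user = isolation_username(pkg, "google-analytics.com")
        print(user, auth_request(user).hex(), connect_request("google-analytics.com", 443).hex())
```

In a real client the three messages are written to the SOCKS socket in order (greeting, then the RFC 1929 exchange once the server selects method 0x02, then CONNECT), and the username is recomputed for every new connection from whichever app and hostname the forwarding decision already knows.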

@ignoramous ignoramous self-assigned this Sep 8, 2021
@ignoramous ignoramous transferred this issue from celzero/rethink-app Sep 8, 2021