From: Rusty Bird <rustybird@openmailbox.org>
To: tor-talk@lists.torproject.org, guardian-dev@lists.mayfirst.org
Message-ID: <56C06102.5010508@openmailbox.org>
Date: Sun, 14 Feb 2016 11:12:02 +0000
Cc: Nathan of Guardian <nathan@guardianproject.info>
Subject: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation


Hi coderman,

> with VPN approach you don't get to control traffic outside routed 
> range, or before VPN activates, or fail-safe if it drops 
> un-expectedly, or ...

I heard that Android VPNs can have some sort of fail-closed mode, does
this apply to Orbot?

> note that a tor enforcing gateway approach is preferable to 
> transparent proxy, security wise. e.g. corridor. i haven't seen
> this applied to Android env, which might be interesting safety
> buffer around Orweb&Orbot.

But the Android device isn't a gateway, unless you're tethering? If you
mean only applications with native Tor support should be let through,
that's the "access:fenced" option. Setting it up for all of the main
device user account is literally that as one line, "access:fenced". Or
for just a specific app, it's "access:fenced app:com.example.foo":

https://github.com/rustybird/orplug/blob/9a9f53154f5da19216d4d2a893057a9b0d5f438f/orplug/conf/rules/90-user.conf.example#L11-L15

I don't see any security problems per se with transtorifying *on the
device that's generating the traffic*? (Transtorifying *other client
devices* is problematic, for sure.)

Rusty