
[Enhancement] make use of stream circuit isolation in Orbot mode 🧅

Open · 4-FLOSS-Free-Libre-Open-Source-Software opened this issue 4 years ago · 4 comments

Make use of Tor/Orbot's stream circuit isolation by using dynamic SOCKS5 username & password authentication wherever it gives a privacy enhancement.

For now, if you visit embedded YouTube in a browser and open the YouTube app, both may share a circuit, while you could have used different logins in each and get tracked with the same IP. Suggested: isolate on a per-app basis. One may simply use the app package name as a unique SOCKS5 username, and Tor will never put streams from different apps together again. Alternatively, authenticate with a UUID. It could also benefit from KeepAliveIsolateSOCKSAuth.

I'm aware that RethinkDNS allows setting a permanent SOCKS5 username & password manually in the settings. But that's not useful for the idea here.

Thanks. Would you know if Orbot has an API for this?

ignoramous, Jun 16 '21 14:06

> Orbot has an API for this?

It is not needed? All of it can be done with the present implementation of SOCKS5 authentication in RethinkDNS.

For enabling the KeepAliveIsolateSOCKSAuth SocksPort flag, the control port can be used. But this is not required for this issue.

Only this already present authentication setting needs a different per-app SOCKS5 username to be used automatically. Example: com.celzero.bravedns


The level of isolation may need to be discussed.

Tor Browser does it by default per hostname, if that is the wanted result to be matched. But also, to not mix the destinations of two apps for the same destination: as two different apps could both try to connect to google-analytics.com, we want to isolate circuit use for the two of them separately from each other, to prevent linkage. For example, the SOCKS5 username could look like:

  1. com.celzero.bravedns_rethinkdns.com
  2. org.mozilla.fenix_rethinkdns.com

I have used app package names and destinations as the identifier. Both should actually be known to RethinkDNS anyway at the point where the forwarding decision for a connection is made?

Thanks for the detailed explanation. Both the per-HTTP-hostname scheme and the per-app scheme are implementable.

ignoramous, Jul 25 '21 02:07

Orbot settings already allow the user to set the IsolateDestAddr SocksPort flag.

IsolateDestAddr

Don’t share circuits with streams targeting a different destination address.


Tor Browser does it based on hostname, not address. It uses the per-hostname scheme. This is not exactly the same, since one hostname can have multiple IP addresses:

rethinkdns.com → 104.21.13.53
               → 172.67.154.200
               → 2606:4700:3032::6815:d35
               → 2606:4700:3036::ac43:9ac8

Orbot is currently missing the per-app scheme.
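The following is an added example, not code from firestack, RethinkDNS or Orbot, showing how the "package name + destination hostname" SOCKS5 username scheme proposed in this thread would look on the wire. Tor's SocksPort has IsolateSOCKSAuth on by default, so two streams that present different username/password pairs never share a circuit; the client below derives the username from the app package and the hostname it was asked to connect to, runs the RFC 1928 method negotiation, the RFC 1929 username/password sub-negotiation and a CONNECT with the hostname (ATYP 0x03, so Tor resolves the name and the multiple-IP problem noted above does not arise). To make it runnable offline, a tiny stand-in for Orbot's SocksPort (`fakeTorSocks`) records what the proxy sees. The names `IsolationUsername`, `socks5Connect`, `fakeTorSocks` and `Demo`, the `_` separator and the constant password are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
)

// IsolationUsername builds the SOCKS5 username Tor will use as the circuit
// isolation key: "<app package>_<destination hostname>" as suggested in the
// thread, or just the package name when no hostname is known (per-app only).
// Example scheme, not firestack's implementation.
func IsolationUsername(pkg, host string) string {
	if host == "" {
		return pkg
	}
	return pkg + "_" + host
}

// authRequest encodes the RFC 1929 request: VER=1, ULEN, UNAME, PLEN, PASSWD.
// Both fields are limited to 1..255 bytes, so a long package+hostname key
// must be rejected (or hashed) rather than silently truncated.
func authRequest(user, pass string) ([]byte, error) {
	if len(user) == 0 || len(user) > 255 || len(pass) == 0 || len(pass) > 255 {
		return nil, errors.New("socks5 auth: username and password must be 1..255 bytes")
	}
	b := append([]byte{0x01, byte(len(user))}, user...)
	b = append(b, byte(len(pass)))
	return append(b, pass...), nil
}

// socks5Connect performs method negotiation (username/password only), the
// auth sub-negotiation and a CONNECT to host:port by name (ATYP 0x03).
func socks5Connect(conn net.Conn, user, pass, host string, port uint16) error {
	r := bufio.NewReader(conn)
	resp := make([]byte, 2)
	if _, err := conn.Write([]byte{0x05, 0x01, 0x02}); err != nil { // offer only method 0x02
		return err
	}
	if _, err := io.ReadFull(r, resp); err != nil {
		return err
	}
	if resp[0] != 0x05 || resp[1] != 0x02 {
		return fmt.Errorf("proxy did not select username/password auth: %v", resp)
	}
	req, err := authRequest(user, pass)
	if err != nil {
		return err
	}
	if _, err := conn.Write(req); err != nil {
		return err
	}
	if _, err := io.ReadFull(r, resp); err != nil {
		return err
	}
	if resp[1] != 0x00 {
		return errors.New("socks5 auth rejected")
	}
	if len(host) > 255 {
		return errors.New("hostname too long for ATYP 0x03")
	}
	c := append([]byte{0x05, 0x01, 0x00, 0x03, byte(len(host))}, host...)
	c = append(c, byte(port>>8), byte(port))
	if _, err := conn.Write(c); err != nil {
		return err
	}
	hdr := make([]byte, 4) // VER REP RSV ATYP, then BND.ADDR and BND.PORT
	if _, err := io.ReadFull(r, hdr); err != nil {
		return err
	}
	if hdr[1] != 0x00 {
		return fmt.Errorf("connect failed, REP=%#x", hdr[1])
	}
	alen := 0
	switch hdr[3] {
	case 0x01:
		alen = 4
	case 0x04:
		alen = 16
	case 0x03:
		l, err := r.ReadByte()
		if err != nil {
			return err
		}
		alen = int(l)
	default:
		return errors.New("bad ATYP in reply")
	}
	_, err = io.ReadFull(r, make([]byte, alen+2))
	return err
}

// fakeTorSocks is a minimal in-process stand-in for Orbot's SocksPort, used
// only to run the handshake offline; it returns the username and hostname it saw.
func fakeTorSocks(conn net.Conn) (user, host string, err error) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	buf := make([]byte, 2)
	if _, err = io.ReadFull(r, buf); err != nil { // VER, NMETHODS
		return
	}
	if _, err = io.ReadFull(r, make([]byte, int(buf[1]))); err != nil { // METHODS
		return
	}
	if _, err = conn.Write([]byte{0x05, 0x02}); err != nil {
		return
	}
	if _, err = io.ReadFull(r, buf); err != nil { // VER=1, ULEN
		return
	}
	u := make([]byte, int(buf[1]))
	if _, err = io.ReadFull(r, u); err != nil {
		return
	}
	plen, err := r.ReadByte()
	if err != nil {
		return
	}
	if _, err = io.ReadFull(r, make([]byte, int(plen))); err != nil {
		return
	}
	if _, err = conn.Write([]byte{0x01, 0x00}); err != nil {
		return
	}
	hdr := make([]byte, 5) // VER CMD RSV ATYP(0x03) LEN
	if _, err = io.ReadFull(r, hdr); err != nil {
		return
	}
	h := make([]byte, int(hdr[4])+2) // name + port
	if _, err = io.ReadFull(r, h); err != nil {
		return
	}
	_, err = conn.Write([]byte{0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0})
	return string(u), string(h[:len(h)-2]), err
}

// Demo connects from app pkg to host through the fake proxy and returns the
// SOCKS5 username the proxy saw, i.e. the key Tor would isolate the stream on.
func Demo(pkg, host string) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	type seen struct {
		user, host string
		err        error
	}
	ch := make(chan seen, 1)
	go func() { u, h, e := fakeTorSocks(server); ch <- seen{u, h, e} }()
	// Constant password: the isolation key lives in the username (assumption).
	if err := socks5Connect(client, IsolationUsername(pkg, host), "isolate", host, 443); err != nil {
		return "", err
	}
	s := <-ch
	if s.err != nil {
		return "", s.err
	}
	if s.host != host {
		return "", fmt.Errorf("proxy saw host %q, want %q", s.host, host)
	}
	return s.user, nil
}

func main() {
	for _, c := range [][2]string{{"com.celzero.bravedns", "rethinkdns.com"}, {"org.mozilla.fenix", "rethinkdns.com"}} {
		u, err := Demo(c[0], c[1])
		fmt.Println(u, err)
	}
}
```

Running it shows two distinct usernames (`com.celzero.bravedns_rethinkdns.com` and `org.mozilla.fenix_rethinkdns.com`) for the same destination, which is exactly the linkage the thread wants to break: IsolateDestAddr alone would still put both apps' streams to rethinkdns.com on one circuit. Note the 255-byte RFC 1929 limit; a long package name plus a long hostname can exceed it, so a real implementation should hash the key or fail closed rather than truncate.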