Tom Ritter:
> On 13 November 2016 at 03:22, Hans-Christoph Steiner
> <[email protected]> wrote:
>>
>> Tor Browser includes lots of changes beyond just forcing all network
>> traffic over Tor. There are many little details in how apps use the
>> network that can leak identity info that are ameliorated in Tor Browser.
>> I think we should aim to make NetCipher the canonical collection of
>> these config for Android apps.
>>
>> For example:
>>
>> * TLS Session Identifiers/Tickets
>> * detailed info in HTTP User Agent
>> * HTTP ETag
>>
>> The only question for me is how best to expose this stuff to the
>> developer using the NetCipher library. We should make NetCipher include
>> all protections by default, so it does the right thing for anonymity
>> without special setups. Otherwise it is too easy to mess up and leak
>> private info. But since some of these things provide substantial speed
>> improvements, we need to provide a way to disable them.
>>
>> One idea would be to tell devs to use plain networking when going direct
>> and not through Tor. Another would be to have methods to disable
>> specific settings. I'm hoping to open up the discussion to hear other ideas.
>
> When you consider app or device UUIDs, local or public IP addresses,
> user account information, contact lists, photos.... how far are you
> willing to go? How far do you want to go?
>
> -tom

Well, this is an HTTP/TLS library, so really it's only about settings around HTTP and TLS.

.hc

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
