On Wed, Mar 22, 2017, at 08:23 AM, Michael Rogers wrote: > On 06/09/16 10:48, Hans-Christoph Steiner wrote: > > > > The Briar folks are working on getting HTTP connections on Android to go > > through Tor via SOCKS. They used a custom SocketFactory and Socket > > subclasses, with their own SOCKS handling. > > > > https://code.briarproject.org/akwizgran/briar/merge_requests/308 > > > > Could we use this approach in NetCipher? I think Torsten that said this > > approach requires android-14 at least, but we could just use HTTP > > proxies to support older platforms. > > Hi guys, > > Following up on an old thread to let you know that unfortunately the > approach we found for getting OkHttp to use a SOCKS proxy isn't safe. In > some cases OkHttp will try to resolve hostnames locally before creating > sockets, which leaks DNS lookups to the local network. Cure53 found this > in their recent audit of Briar. I'm currently trying to work out how big > a change is required to fix this.
Do we need to implement or fork our own HTTP library to ensure safety? Or is it just OkHttp itself that is the problem? I think Apache HTTPClient is better, possibly Volley, as well? _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: guardian-dev-unsubscr...@lists.mayfirst.org
