Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-16 Thread Hans-Christoph Steiner


Nathan of Guardian:
> 
> On Sun, Feb 14, 2016, at 09:56 AM, Mark Murphy wrote:
>> On Sun, Feb 14, 2016, at 09:45, Nathan of Guardian wrote:
>>> We can add a helper function called
>>> makeSureIAmReallyUsingTor() that hits that and verifies the response.
>>> Does that work from your perspective, Mark?
>>
>> I agree that developers (and users) could use that. However, given
>> NetCipher's current scope, implementing it is something that developers
>> themselves need to do. You can't request that URL without a
>> fully-configured HTTP client stack, and that's something that developers
>> need to set up today.
> 
> Right. I think supporting HttpUrlConnection would be good, either as sample
> code, or through a method you can pass your instance to.
> 
>> Now, if we envision a future NetCipher that has packaged integrations
>> tying it to popular Android HTTP client stacks (e.g., HttpURLConnection,
>> Apache's independent HttpClient packaging, OkHttp, Volley), those
>> integrations could offer such a method. The developer configures the
>> integration, calls the validation method, and proceeds from there.
> 
> Yes. Let's envision that, and realize that!

Sounds like something to note for a round 2 of this work.

.hc


-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org


Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-14 Thread Mark Murphy
On Sun, Feb 14, 2016, at 01:21, grarpamp wrote:
> https://check.torproject.org/api/ip
> But that's only for browsers.

I'd argue it's for Web service clients as well, which happens to be my
test case. A JSON return payload is very cool, and it seems to be
working.

Many thanks!

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy


Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-14 Thread Nathan of Guardian


On Sun, Feb 14, 2016, at 08:24 AM, Mark Murphy wrote:
> On Sun, Feb 14, 2016, at 01:21, grarpamp wrote:
> > https://check.torproject.org/api/ip
> > But that's only for browsers.
> 
> I'd argue it's for Web service clients as well, which happens to be my
> test case. A JSON return payload is very cool, and it seems to be
> working.
> 

Yes, that is what I hoped. We can add a helper function called
makeSureIAmReallyUsingTor() that hits that and verifies the response.
Does that work from your perspective, Mark?

Agreed the MITM is not the right solution. Seems like there have been a
lot of unfortunate implementations of that in the news recently.

+n
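
The check proposed in this message, as an added example that is not part of the original thread and not NetCipher's own code: it requests https://check.torproject.org/api/ip through the local HTTP proxy and treats anything other than a confirmed answer as "not Tor". The class and method names are hypothetical, and the `IsTor` field name is an assumption about the endpoint's JSON payload.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class TorCheck {
    // Assumption: the endpoint answers with JSON such as {"IsTor":true,"IP":"..."}.
    private static final Pattern IS_TOR = Pattern.compile("\"IsTor\"\\s*:\\s*true\\b");

    /** Pure parsing step, kept separate so it can be unit-tested offline. */
    static boolean parseIsTor(String json) {
        return json != null && IS_TOR.matcher(json).find();
    }

    /** Hypothetical helper: true only if the check confirms Tor; any error means "no". */
    static boolean isUsingTor(String proxyHost, int proxyPort) {
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL("https://check.torproject.org/api/ip").openConnection(proxy);
            conn.setConnectTimeout(30_000);
            conn.setReadTimeout(30_000);
            if (conn.getResponseCode() != 200) return false;
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[1024];
                // Cap the body: the expected payload is a few dozen bytes.
                for (int n; (n = in.read(chunk)) != -1 && buf.size() < 4096; ) buf.write(chunk, 0, n);
                return parseIsTor(new String(buf.toByteArray(), StandardCharsets.UTF_8));
            }
        } catch (IOException e) {
            return false; // fail closed: proxy down or unreachable counts as "not Tor"
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads, not captured responses.
        System.out.println(parseIsTor("{\"IsTor\":true,\"IP\":\"192.0.2.10\"}"));
        System.out.println(parseIsTor("{\"IsTor\":false,\"IP\":\"198.51.100.7\"}"));
        // 127.0.0.1:8118 is the local HTTP proxy port mentioned in the thread.
        System.out.println(isUsingTor("127.0.0.1", 8118));
    }
}
```

A true result covers only the connection made with this `Proxy` object; the app's real requests have to be built with the same proxy settings for the result to say anything about them.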


[guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-13 Thread Mark Murphy
If I am writing an app, and I (try to) integrate NetCipher, and I make
an HTTP request of a regular Web server, and I get a valid response
back... how do I know that the request made it through Orbot's HTTP
proxy and Tor, versus somehow being re-routed to the Web server
directly?

I have tried enabling "Debug Log" in Orbot, but I do not know if it logs
request information (or what that might look like), and I do not know if
anything is needed beyond checking the checkbox (e.g., restart Orbot,
reboot device).

Thanks!

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy


Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-13 Thread Nathan of Guardian


On Sat, Feb 13, 2016, at 01:05 PM, Mark Murphy wrote:
> If I am writing an app, and I (try to) integrate NetCipher, and I make
> an HTTP request of a regular Web server, and I get a valid response
> back... how do I know that the request made it through Orbot's HTTP
> proxy and Tor, versus somehow being re-routed to the Web server
> directly?

There is no built-in method for this. I suppose you could request
check.torproject.org and parse it to match for the "you are connected to
Tor" string. Tor also has an API for this now that I can dig up.

> 
> I have tried enabling "Debug Log" in Orbot, but I do not know if it logs
> request information (or what that might look like), and I do not know if
> anything is needed beyond checking the checkbox (e.g., restart Orbot,
> reboot device).

We don't currently log individual requests but I think we could,
especially using the polipo HTTP proxy server that sits between port
8118 and Tor SOCKS on 9050.

+n

> 
> Thanks!
> 
> -- 
> Mark Murphy (a Commons Guy)
> https://commonsware.com | https://github.com/commonsguy
> https://commonsware.com/blog | https://twitter.com/commonsguy


-- 
  Nathan of Guardian
  nat...@guardianproject.info


Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-13 Thread Nathan of Guardian


On Sat, Feb 13, 2016, at 02:21 PM, Mark Murphy wrote:
> On Sat, Feb 13, 2016, at 14:03, Nathan of Guardian wrote:
> > On Sat, Feb 13, 2016, at 01:05 PM, Mark Murphy wrote:
> > > If I am writing an app, and I (try to) integrate NetCipher, and I make
> > > an HTTP request of a regular Web server, and I get a valid response
> > > back... how do I know that the request made it through Orbot's HTTP
> > > proxy and Tor, versus somehow being re-routed to the Web server
> > > directly?
> > 
> > There is no built-in method for this. 
> 
> Gulp.

For apps that want to absolutely guarantee access via Tor, you can also
set up a .onion hidden service. This would not resolve if your request is
not being proxied.

> 
> > We don't currently log individual requests but I think we could,
> > especially using the polipo HTTP proxy server that sits between port
> > 8118 and Tor SOCKS on 9050.
> 
> Another possibility would be to add some X- header to the response from
> the HTTP proxy (e.g., X-Orbot-Diagnostics, with perhaps a meaningful bit
> of data as a value), for use in debug mode. That would allow for
> validation as part of HTTP response processing, such as for test suites.

That is a good idea. I think polipo can do this.

> 
> Thanks for the info!
> 

Great questions!


Re: [guardian-dev] NetCipher: How Do I Know That It Is Working?

2016-02-13 Thread grarpamp
On 2/13/16, Nathan of Guardian wrote:
> On Sat, Feb 13, 2016, at 01:05 PM, Mark Murphy wrote:
>> back... how do I know that the request made it through Orbot's HTTP
>> proxy and Tor, versus somehow being re-routed to the Web server
>> directly?

> check.torproject.org and parse it to match for the "you are connected to
> Tor" string. Tor also has an API for this now that I can dig up.

https://check.torproject.org/api/ip
But that's only for browsers.

What made it around tor: packet filter
What made it into tor: tor controller setevents stream

If you want to make that more useful to users:
https://trac.torproject.org/projects/tor/ticket/11179

> We don't currently log individual requests but I think we could,
> especially using the polipo HTTP proxy server that sits between port
> 8118 and Tor SOCKS on 9050.

If you're doing TLS you won't see it. And X-mitm your own TLS
streams to indicate is just weird. Also, polipo had network issues
back when I tested it, privoxy stripped of rules worked fine to replace
its function.