[tor-bugs] #26764 [Applications/Orbot]: HTTP proxy bug in Orbot 16.0.2-RC-1
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Dec 28 04:58:27 UTC 2018
#26764: HTTP proxy bug in Orbot 16.0.2-RC-1
--------------------------------+--------------------------
Reporter: soren@… | Owner: n8fr8
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Orbot | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------+--------------------------
Comment (by soren@…):
Replying to [comment:7 n8fr8]:
> As for this problem specifically, we moved from using Privoxy inside of
> Orbot as our HTTP proxy, to using the new, built-in HTTP proxy feature now
> available in Tor. Unfortunately, it only supports HTTP Connect proxy
> features, which in the case of Android, seem to only work with HTTPS
> traffic. For most apps, this is fine and a good requirement, to ensure
> traffic moving through Tor is always HTTPS. However, for a browser, which
> may still have HTTP traffic, I see how it can cause problems.
Thanks for the information.
> The answer is to just guide your users to use the VPN feature, which
> does work.
I have been recommending that to users for a while, but that doesn't work
well in all scenarios.
https://www.stoutner.com/problems-with-orbot/
For example, Privacy Browser allows users to quickly toggle proxying
through Orbot while leaving Orbot connected so that they can access
resources that are blocked via Tor. This doesn't work with VPN mode
enabled, and starting and stopping Orbot takes a lot longer than the quick
toggle Privacy Browser provides.
https://redmine.stoutner.com/issues/326
> You could also consider building your browser from Mozilla's GeckoView
> component, which Firefox Focus uses.
GeckoView is an interesting project, but it isn't a good fit for Privacy
Browser. I have written quite an extensive explanation that is hosted on
my website.
https://www.stoutner.com/geckoview/
The short version is that part of the future of Privacy Browser will be to
create a rolling fork of Android's WebView called Privacy WebView that
exposes many more privacy controls than either GeckoView or WebView.
Privacy WebView will be backwards API compatible with WebView, allowing
custom ROMs to use it as a drop-in replacement for Android's WebView.
This is something that is not possible with GeckoView.
> This supports SOCKS proxying, which works very well with Tor, and is
> much more secure than relying on Android's WebView.
SOCKS proxying support is a nice feature, but Privacy WebView will provide
a more secure web experience than I can see anywhere on the horizon for
GeckoView.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26764#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
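
The quoted explanation of the CONNECT-only proxy, as an added example that is not part of the original message or of Orbot's or Tor's code: a small model of what an HTTP client sends to a configured HTTP proxy for https:// and http:// URLs, and how a proxy that implements only CONNECT answers each. The function names, the example.com URLs and the exact status lines are assumptions of this model, not Tor's actual output.

```python
from urllib.parse import urlsplit


def client_proxy_request(url):
    """First bytes a typical HTTP client sends to its configured HTTP proxy.

    https:// URLs are tunnelled with CONNECT host:port; http:// URLs are sent
    as an absolute-form GET that the proxy itself must fetch (RFC 7230, 5.3).
    """
    u = urlsplit(url)
    if u.scheme == "https":
        authority = f"{u.hostname}:{u.port or 443}"
        return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()
    return f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode()


def connect_only_proxy(request):
    """Model of a proxy that implements CONNECT and nothing else.

    Returns (status_line, tunnel_target); tunnel_target is None when the
    request is refused. Status lines are this model's choice (assumption).
    """
    request_line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("HTTP/1.0 400 Bad Request", None)
    method, target, _version = parts
    if method != "CONNECT":
        # Absolute-form GET/POST would require the proxy to parse and forward
        # HTTP itself, which a tunnel-only proxy does not do.
        return ("HTTP/1.0 405 Method Not Allowed", None)
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return ("HTTP/1.0 400 Bad Request", None)
    return ("HTTP/1.0 200 Connection established", (host, int(port)))


def loads_through_proxy(url):
    """True if the client's request for this URL is accepted by the model."""
    return connect_only_proxy(client_proxy_request(url))[1] is not None


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("https://example.com/login", "http://example.com/news"):
        status, target = connect_only_proxy(client_proxy_request(sample))
        print(f"{sample:28} -> {status} tunnel={target}")
```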