Opened 17 months ago

Last modified 9 months ago

#26764 assigned defect

HTTP proxy bug in Orbot 16.0.2-RC-1

Reported by: soren@… Owned by: n8fr8
Priority: Medium Milestone:
Component: Applications/Orbot Version:
Severity: Normal Keywords:
Cc: hans@… Actual Points:
Parent ID: #24215 Points:
Reviewer: Sponsor:

Description

I am the developer of Privacy Browser, a privacy focused Android browser. Privacy Browser has the option to proxy through Orbot. A user recently brought to my attention that there is a bug in the HTTP proxy of Orbot 16.0.2-RC-1 (downloaded from F-Droid) which causes all HTTP requests to fail. HTTPS requests work fine. Using Orbot in VPN mode works fine as long as Privacy Browser is not trying to proxy HTTP requests through port 8118, otherwise they still fail.

Downgrading Orbot to 16.0.0-RC-2-multi-SDK23 causes HTTP proxying to work correctly.

Testing was performed using Privacy Browser 2.11 on a Pixel 2 XL running Android 8.1.0 (API 27). Privacy Browser can be downloaded from F-Droid, but the current version, 2.11, is not yet available there. It can be downloaded directly from:

https://www.stoutner.com/privacy-browser/changelog/

Versions prior to 2.11 used the old WebView proxying code and do not work with the changes Google recently made to WebView. As such, they are not useful for testing this bug if the device has recently updated WebView.

Child Tickets

Change History (13)

comment:1 Changed 17 months ago by rl1987

Component: - Select a componentApplications/Orbot
Owner: set to n8fr8

comment:2 Changed 12 months ago by soren@…

This bug is still not fixed with the recent 16.0.5-RC-1-tor-0.3.4.9 release.

comment:3 Changed 12 months ago by soren@…

I am surprised that there has been no response to this bug from the Tor project beyond setting a component and an owner. Orbot provided three methods on Android for routing traffic through the Tor network (VPN mode, SOCKS proxy, and HTTP proxy). With one of these three methods being broken for over 6 months I would assume this would have a higher priority.

comment:4 Changed 12 months ago by soren@…

Not knowing for sure, but the timing of the bug indicates to me it might be related to how Google changed the default permissions for apps handling HTTP traffic when they target API 28 or above. "Starting with Android 9 (API level 28), cleartext support is disabled by default."

If that is the case, adding the following to the AndroidManifest.xml:

<application
    ...
    android:networkSecurityConfig="@xml/network_security_config >

And creating `res/xml/network_security_config.xml` with the following contents:

<!-- Allow HTTP traffic. -->
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>

Should resolve the problem.

comment:5 in reply to:  3 ; Changed 12 months ago by arma

Replying to soren@…:

I am surprised that there has been no response to this bug from the Tor project beyond setting a component and an owner.

I can answer this part for you: Orbot is run by the Guardian project. I'm a bit unclear on whether they handle tickets here or over on the Guardian side. If you go to the Orbot page, and ask to report a bug, it sends you to https://dev.guardianproject.info/projects

...which I notice is not responding right now. :(

I've seen some tickets handled here, and some tickets not handled here, so I don't know that we ought to shut this part down, especially while the main recommended site is not responding... but I bet the Guardian people don't check this bugtracker as often either.

comment:6 in reply to:  5 Changed 12 months ago by soren@…

Replying to arma:

My memory is that I came across that dead link six months ago when I filed this bug.  I eventually ended up here.  But if there is some other place where I should file the bug instead, please point me in the right direction.

comment:7 Changed 12 months ago by n8fr8

For now, the best place for submitted issues is: https://github.com/n8fr8/orbot/issues

We are working on consolidating and cleaning up our various trackers. We are happy to work here on trac, but the volume of notifications and the fact we don't use this as our core tracker can cause us to miss issues now and then.

As for this problem specifically, we moved from using Privoxy inside of Orbot as our HTTP proxy, to using the new, built-in HTTP proxy feature now available in Tor. Unfortunately, it only supports HTTP Connect proxy features, which in the case of Android, seem to only work with HTTPS traffic. For most apps, this is fine and a good requirement, to ensure traffic moving through Tor is always HTTPS. However, for a browser, which may still have HTTP traffic, I see how it can cause problems.

The answer is to just guide your users to use the VPN feature, which does work. You could also consider building your browser from Mozilla's GeckoView component, which Firefox Focus uses. This supports SOCKS proxying, which works very well with Tor, and is much more secure than relying on Android's WebView.

comment:8 Changed 12 months ago by n8fr8

Status: newassigned

comment:9 in reply to:  7 Changed 12 months ago by soren@…

Replying to n8fr8:

As for this problem specifically, we moved from using Privoxy inside of Orbot as our HTTP proxy, to using the new, built-in HTTP proxy feature now available in Tor. Unfortunately, it only supports HTTP Connect proxy features, which in the case of Android, seem to only work with HTTPS traffic. For most apps, this is fine and a good requirement, to ensure traffic moving through Tor is always HTTPS. However, for a browser, which may still have HTTP traffic, I see how it can cause problems.

Thanks for the information.

The answer is to just guide your users to use the VPN feature, which does work.

I have been recommending that to users for a while, but that doesn't work well in all scenarios.

https://www.stoutner.com/problems-with-orbot/

For example, Privacy Browser allows users to quickly toggle proxying through Orbot while leaving Orbot connected so that they can access resources that are blocked via Tor. This doesn't work with VPN mode enabled, and starting and stopping Orbot takes a lot longer than the quick toggle Privacy Browser provides.

https://redmine.stoutner.com/issues/326

You could also consider building your browser from Mozilla's GeckoView component, which Firefox Focus uses.

GeckoView is an interesting project, but it isn't a good fit for Privacy Browser. I have written quite an extensive explanation that is hosted on my website.

https://www.stoutner.com/geckoview/

The short version is that part of the future of Privacy Browser will be to create a rolling fork of Android's WebView called Privacy WebView that exposes many more privacy controls that either GeckoView or WebView. Privacy WebView will be backwards API compatible with WebView, allowing custom ROMs to use it as a drop-in replacement for Android's WebView. This is something that is not possible with GeckoView.

This supports SOCKS proxying, which works very well with Tor, and is much more secure than relying on Android's WebView.

SOCKS proxying support is a nice feature, but Privacy WebView will provide a more secure web experience that I can see anywhere on the horizon for GeckoView.

comment:10 Changed 12 months ago by soren@…

Looking through the source code for Orbot, I can see that my previous comment regarding Android's network security config changes introduced in API 28 is not the core of the problem because you are still targeting API 27.  However, you might want to file it away, because depending on all the specifics of your code you might need to use it when you do switch to targeting API 28.

comment:11 Changed 12 months ago by soren@…

I created an issue on the GitHub tracker for this at https://github.com/n8fr8/orbot/issues/185.

comment:12 Changed 9 months ago by eighthave

Cc: hans@… added
Parent ID: #24215

The problem is because tor's built-in HTTP proxy is only a HTTP CONNECT tunnel. polipo provides a full HTTP proxy. When using an HTTP proxy with HTTPS traffic, lots of frameworks will automatically switch to HTTP CONNECT mode to tunnel the HTTPS traffic over HTTP. The solution here is to find a way to force all connections using the HTTP proxy to switch to HTTP CONNECT mode.

comment:13 Changed 9 months ago by eighthave

#27821 is related

Note: See TracTickets for help on using tickets.