Hi,
the video Yes, you should connect to Tor via a VPN by @jonah was an interesting watch (thanks!). At ~23:30 it is said that Tor exit nodes are able to monitor and manipulate unencrypted, plain HTTP traffic, and that Tor Browser fortunately provides “HTTPS-Only Mode” to circumvent such an exploit.
My question now is: Is it safe to use Orbot on Android? What if I happen to use plain HTTP traffic over Orbot, either by accident or because a website automatically side-loads elements via HTTP? If there is a risk, are there mechanisms to make its usage more secure?
By default, Android apps can’t make unencrypted network connections (since Android 9), unless the developer opts in. It is also a requirement for apps in the Google Play store that a developer can’t opt in to cleartext connections unless they have a valid reason.
The most common exception would be for web browsers, but usually in that case your browser will have an HTTPS Only Mode you can enable, most do nowadays. Additionally, all modern browsers block mixed content automatically now, so if you are on an HTTPS page it should not be able to load any elements via HTTP.
Didn’t know that, good to hear! Also with regards to
, is there a specific app permission which has to be granted, or where might I check whether an app demands plain HTTP connections?
In addition to web browsers, I was thinking of RSS reader apps, for example. If I remember correctly, I noticed a side-loaded plain HTTP element of a feed when inspecting its network traffic a couple of months ago (Android 14; but don’t nail me on this fact).
So the question might be extended to: How can I verify and ensure that all apps (not only web browsers) are using HTTPS?
After a bit more investigation, the answer probably is: It depends on the app.
You really need to investigate on a per-app basis whether cleartext traffic/plain HTTP is allowed or not. As a rule of thumb, only HTTPS traffic should be passed through Orbot. Thanks again for the hint on the Android API!
How might an app be verified to only use HTTPS?
You can inspect its AndroidManifest.xml for a flag called android:usesCleartextTraffic. If it exists and is set to "true", the app allows plain HTTP (not good). HTTP whitelisting can also be done via the alternative Network security config API, hence also look these entries up in the XML file. By using the above procedure, I indeed could verify that my RSS reader app from F-Droid does permit plain HTTP.
Also note that this is not a surefire way to exclude HTTP. The app might still use its own socket API, in which case the above policies don’t apply. Best is probably to do some network monitoring yourself or have someone/a community more knowledgeable check the app.
I wish there existed a proxy app in Always-on VPN mode for Android which filtered out non-HTTPS traffic and only passed HTTPS on through Orbot. This would probably be way easier than checking each app; any hints on existing solutions appreciated.
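The manifest and Network security config check described above, as an added example that is not part of the original post: it assumes the APK has already been decoded to plain XML (e.g. with apktool) and uses constructed sample files rather than any real app.

```python
"""Flag cleartext (plain HTTP) permissions in a decoded Android app.

Two sources are checked, as discussed in the thread:
  1. android:usesCleartextTraffic on <application> in AndroidManifest.xml
  2. cleartextTrafficPermitted in the Network security config XML
Caveat from the thread: an app using its own socket code bypasses both,
so a clean result here is not proof that no plain HTTP is sent.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed samples standing in for apktool output of a hypothetical RSS reader.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.rss.reader">
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">feeds.example.net</domain>
  </domain-config>
</network-security-config>"""


def manifest_cleartext_flag(manifest_xml):
    """Return the android:usesCleartextTraffic value ("true"/"false") or None if absent."""
    app = ET.fromstring(manifest_xml).find("application")
    return None if app is None else app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic")


def nsc_cleartext_domains(nsc_xml):
    """Return (base_allowed, domains) where cleartext is explicitly permitted."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_allowed = base is not None and base.get("cleartextTrafficPermitted", "false") == "true"
    domains = [d.text.strip()
               for dc in root.findall("domain-config")
               if dc.get("cleartextTrafficPermitted", "false") == "true"
               for d in dc.findall("domain") if d.text]
    return base_allowed, domains


def assess(manifest_xml, nsc_xml=None):
    """List every place cleartext is allowed. When a Network security config is present,
    Android 7.0+ ignores the manifest flag, so both are reported for the reviewer."""
    findings = []
    if manifest_cleartext_flag(manifest_xml) == "true":
        findings.append("manifest permits cleartext (android:usesCleartextTraffic=true)")
    if nsc_xml:
        base_allowed, domains = nsc_cleartext_domains(nsc_xml)
        if base_allowed:
            findings.append("network security config permits cleartext globally")
        findings += [f"network security config permits cleartext for {d}" for d in domains]
    return findings
```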
Ideally I think that should be added as a setting in Orbot, to block all unencrypted connections. Maybe someone would like to submit a feature request:
I wouldn’t recommend using a different browser than Tor Browser (Android) or Onion Browser (iOS) for mobile web browsing. There is a high chance that you shoot yourself in the foot and end up with a quite unique fingerprint due to add-on and configuration customization. Best is to use Orbot for other applications, as described in Do I need both Tor Browser for Android and Orbot, or only one? | Tor Project | Support.
I wouldn’t use anything related to Tor. I would use VPN instead. There’s a high chance that Tor nodes are swamped with government agencies and malicious actors, if not already.
It’s the same reason I don’t adopt the idea of decentralized VPN yet.
Nevertheless, dVPN would be much safer than Tor, as most probably use dVPN to spoof their location on movie streaming services. They’re probably under the radar of government agencies.
You can’t say the same about Tor. If you want to find illegal activities, the first place you should look at is the Tor network, and Tor doesn’t hide the fact that you’re using Tor. You would pop up like a golden stick, not among Tor users, but among all internet users. You effectively reduce your crowd group from billions of users to around 4M. And good luck finding reasons to answer government agencies why you’re using Tor.