One confusing thing I found is that, when I typed in "onion browser" into my iPhone's App Store Search field, three results came back. I found myself not really know which one was truly yours (yours was actually #2 search result). It would have been helpful if, in the screenshots on this page, you showed the logo. The logo is shown in the App Store so that would've made it a slam dunk, easy decision.
Just a heads up: Tormail.net (in the last screenshot) is now Tormail.org. Whoever runs the service was apparently foolish enough to transfer their non-Tor domain to a Russian registrar. It's disappointing that someone who claims to care about privacy doesn't check RSF's press freedom index before choosing a country to register their domain in.
It would be sweet for trusted computing if developers were able to submit source directly to an app store for the app store to compile, sign, and make available along with the binaries.
I’ll make it a priority to allow using bridges. Unfortunately, since Iran is known to block pretty much all Tor access (even regular, unlisted bridges), it may still not work.
Getting around this entirely would require obfsproxy[1] which wouldn’t work on iOS the way I have it set up due to the inability to spawn sub processes. (Tor client, when configured to use obfsproxy bridges, has to spawn an obfsproxy process to handle the obfusctaed traffic.)
For people trying to build, just a few things to know:
I had to install ccache before libssl would compile.
Make sure you build libssl before libevent.
In the icons folder is a install script to download the icons.
Otherwise compiles well. The anonymity of the .onion sites scares me. I have a very strong suspicion that one day SSL (i.e. symmetric encryption with no backdoor) will be illegal in many countries.
Hm, tried to fix the ccache requirement[1][2], but might have botched it. Was using ccache while I was originally developing to speed up the dependency compilation but didn’t intend for it to be a requirement, just an optional speed-up. Will take a look.
This is one of the big problems that most people have with anonymity, but I believe that the freedom of speech is important. If the government has the capability to shut down the scary stuff like child porn, it also has the ability to shut down important stuff like criticism.
These corners of the internet aren't pretty but they play an important role within our society.
It's not the child pornography that is important to society. It's the freedom of speech, and the security that speech has against regulation from the government. Tor is a place where a person can securely make any sort of criticism that they want, and that security is important.
An unfortunate (but unavoidable) side effect of that security is that child pornographers also receive the same security.
Not very sure if this is by design/expected, but capturing packets from a freshly booted iPad seems to indicate that the browser leaks DNS queries and HTTP GET requests when visiting YouTube through this browser. I am transmitting outside the tunnel
1) DNS query to YouTube cache server
2) GET request to Google's servers for /videoplayback
This seems isolated to the QuickTime player only. No other DNS queries or traffic appears to be visible. I suggest you warn users that video playback does not go through the tunnel.
There’s another one (Covert Browser) that’s been in the store since November that’s got a few issues (lack of cookie support, lack of POST support) that render a lot of websites useless.
Generally I don’t think this is (on the face) any worse than a regular third-party browser app: Other apps (games are a great example) are free to implement custom communication protocols and there are plenty of unsavory / underground / illicit websites on the regular internet. Tor has a lot of legitimate and illegitimate uses, but that can pretty much be said of web-based communication in general.
I might have some dependencies that I’ve neglected to mention (since I use homebrew a ton) and I’m trying to nail down the build scripts to be a bit more portable.
It depends who puts it in the store. The author still has all the rights to the software no matter if he puts it under GPL, but puttng it under GPL doesn't give anyone else the right to sell it in the app store.
From what I understand, it’s only GPL that doesn’t work since GPL has some hefty restrictions on even binary redistribution (basically you have to open source ALL of the related bits, not just yours — which you can’t do since every iOS app Apple-provided pieces that aren’t available in source).
For people with Android phones, check out Orbot - https://guardianproject.info/apps/orbot/ - It's Tor for Android. It's an incredibly well polished app. If you have root, it will let you individually and transparently torify any app. If you don't have root, individual app will need to support socks proxies in order to go through Tor.
It supports bridges, and it will even let you run a relay and/or hidden service directly from your phone.
I've had this idea for a while now of building an SMS-like app that runs entirely over hidden services for users with Orbot installed. If I send you a message this way, nobody knows that you received one, that I sent one, or what the message contained, and it wouldn't require me to set up any server infrastructure as it would be entirely peer to peer over Tor.
What exactly do you consider slow? Most recently I was getting a consistent 500kB/s downstream on my laptop [edit: while grabbing some rather large PDFs, so continuous downloading]. I've yet to give it a go on iOS.
Perhaps it's gotten better lately, but I found browsing with Tor last time I did it to be painfully slow, with some pages taking forever to load. Didn't run a speedtest, though.
In general, your experience with Tor/Onion routing, will be wholly dependent upon the path setup for your requests. I've been using Tor on and off for years, sometimes experiences are good, sometimes they aren't.
If you are looking for a general approach to obscure your browsing from an employer's network, but don't need the whole feature set of Tor, you are better off setting up a proxy to a remote machine. If you truly need the greater anonymizing of Tor and are willing to take possible latency / speed impacts, do so. Just don't expect it to be optimal for the first case when doing general browsing.
It is great to see the Onion Browser available so readily/easily.
The latency can be significant for TOR, as your connection is bounced through various hosts all over the world. This prevents a single country from putting all the pieces together. This is what you notice while browsing.
The raw bandwidth on the other hand is usually pretty good (not great, but it's not intended for large downloads anyway as they tax the network...).
TOR is meant for the cases when anonymity trumps convenience.
Exactly. Having a website load slowly is nothing compared to the insides of an Iranian torture cell. For more and more people, this is not a false dichotomy. Tor's speed is not the result of poor engineering; instead it follows from the properties a high-anonymity, low-latency network necessarily has. As users, before we complain about speed, we need to keep this in mind and consider whether we require such protection.
And I have absolutely no problem with that. I'm worried more about usability than convenience. My 3gs takes 6-7 seconds to load HN on 3g; how long would it take using the Tor browser? For someone on a GSM network? If I'm looking to coordinate protests in some oppressive sandy country, is it going to take me 90 seconds to open Twitter, write a tweet, and post it?
Again, I recognize that this is a fundamental consequence of onion routing and Tor is not intended to be used for everyday browsing. I simply wonder how it will handle a low-bandwidth, high-latency network.
Also, as a minor aside, are the mobile handsets themselves used as routing nodes? If not, what would be the consequence of adding a bunch of users to the system who don't participate in routing?
Somewhat slow here in Aus using Telstra 3G, 45 seconds to connect to TOR network and about 7-12 seconds to return search results form DDG. Good app though and am looking forward to browsing in privacy, thanks.
After having the app in the background for a few hours, I tried to use it to browse again but nothing happening. I had to force close the app and restart it to be able to use it. Is this normal and, if not, is this a known issue that is going to be corrected? Edit: in fact, it seems to do this as soon as my phone times out into auto-sleep :/
This is the biggest glaring bug on the app right now.[1] Doesn’t seem to always affect the app (~30% of the time) when backgrounding to another app or if the phone is manually locked, but more regularly (>75%) happens when the phone idle sleeps.
I’m trying to nail this down, but it’ll likely take me some time to find a real fix.
Hey, thanks! I like having this on an "appliance-like" device like the iPad because the app is necessarily self-contained and I don't have to worry about it making system-level changes or unwanted interactions with other software.
Actually: should be available everywhere except France right now. (Selling encryption apps to France apparently requires an "export compliance approval" from the French government, and I haven’t gone through that process yet — primarily because I don't speak French.)
Let me know if that's not the case and I’ll double-check my settings in iTunes Connect.
No need to be sorry — a good reminder that I should mention that somewhere since it’s a strange quirk of legality that affects literally one App Store country. Thanks!
The gist of the law ([0]) is that, unless you only use crypto techniques for authentication and checksumming, you have to document the process and provide the source code to be able to import it.
That's... interesting. I'm French and I had never really heard of that law applied.
They require the source code to be given to the government, yes, among other things.
@mtigas @wilya the process (and forms) is detailed there: http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/con... (in French, obviously)
Happy to give a hand if needed.
According to the FAQ on iTunes Connect you need French export forms only if the app contains:
- any encryption algorithm that is yet to be standardized by
international standard bodies such as IEEE, IETF, ISO, ITU,
ETSI, 3GPP, TIA, etc. or not otherwise published; or
- standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s)
instead of or in addition to accessing or using the encryption
in Apple OS
One confusing thing I found is that, when I typed in "onion browser" into my iPhone's App Store Search field, three results came back. I found myself not really know which one was truly yours (yours was actually #2 search result). It would have been helpful if, in the screenshots on this page, you showed the logo. The logo is shown in the App Store so that would've made it a slam dunk, easy decision.