[Noisebridge-discuss] Develop for Privacy Challenge

Micah Lee twopointfour at riseup.net
Tue Feb 8 19:51:10 UTC 2011


On 02/07/2011 08:11 PM, Moxie Marlinspike wrote:
> Right now there's no way to use it in the mobile environment (it's a
> firefox addon), but it'd be sweet if someone had the time to drop the
> Android webkit component into an Activity that did the GoogleSharing
> magic as well.  Bundle that up with https-upgrade logic (just a bunch of
> regexps), a socks proxy interface for Tor, and the torbutton logic, and
> you've got a nice little privacy-enhancing browser.

It seems like writing a custom mobile browser that has HTTPS Everywhere,
GoogleSharing, TorButton, and AdBlock would be pretty amazing, but would
also be really hard to do well in our spare time in a couple months.

>>> I also like the idea of gathering as much info that systems give us
>>> (like the phone OS, or the facebook API if you're logged in, etc) and
>>> displaying it to the user so they know how much info they're leaking.
>>
>> I really love this idea, because it's scary to see the amount of data
>> you really put out there.  It could shock a lot of people, in a good
>> way, and lead them to be more mindful.  The question there is how to
>> pull it off...
> 
> The problem you're going to run into is that it's not really possible to
> get in the middle of any of this communication on non-rooted devices.

If we write a web browser we've already MITM'd them, but I'm not sure
how realistic that is.

If we write a web app there's still a lot of information we can get,
especially from facebook.

- we can use the css hack to guess what websites they've visited before
- we can use img tags with onerror to tell if they are currently logged
into various services
- we can look at the user agent and other info to guess what browser/OS
they're running and then add all extra functionality that that browser
allows (especially for iOS's Mobile Safari)
- we can make a facebook Like button too, and after they like it we can
display back to them all the basic information that's in their facebook
profile

We could also have a part of the web app that's a web-based proxy that
uses HTTPS Everywhere rules, and another web-based proxy that goes
through Tor. So you could go to:

https://ourapp.mobi/https/facebook.com
https://ourapp.mobi/tor/http://www.aljazeera.com

The problem of course is if it's actually using https we can't
auto-change the links for them to continue using the proxy, but if it's
all in a frame we might be able to use javascript to do that?

I think I'm leaning towards the web app because it sounds less
frustrating and more likely to be really awesome. What do you think?

Micah
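
The proxy URL scheme and the link-rewriting question raised in the message above, sketched as an added example that is not part of the original e-mail. The function names are hypothetical, the ruleset is constructed in the shape of an HTTPS Everywhere ruleset (target hosts, exclusions, from/to regexps), and the regex-based HTML rewriting is a simplification of what a real HTML parser would do.

```javascript
// Added example. Function names are hypothetical; the ruleset is constructed
// in the shape of an HTTPS Everywhere ruleset, not copied from the real one.
const PROXY_ORIGIN = "https://ourapp.mobi"; // host used in the message

const RULESETS = [{
  name: "Facebook (constructed sample)",
  targets: ["facebook.com", "www.facebook.com"],
  exclusions: [/^http:\/\/www\.facebook\.com\/plugins\//],
  rules: [{ from: /^http:\/\/(www\.)?facebook\.com\//, to: "https://www.facebook.com/" }],
}];

// Apply the first matching rule; URLs hit by an exclusion stay untouched.
function upgradeUrl(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.href;
  for (const rs of RULESETS) {
    if (!rs.targets.includes(u.hostname)) continue;
    if (rs.exclusions.some((re) => re.test(u.href))) continue;
    for (const r of rs.rules) {
      if (r.from.test(u.href)) return u.href.replace(r.from, r.to);
    }
  }
  return u.href;
}

// "/https/facebook.com" or "/tor/http://www.aljazeera.com" -> { mode, target }.
// A target without a scheme is treated as http and then run through the rules.
function parseProxyPath(path) {
  const m = /^\/(https|tor)\/(.+)$/.exec(path);
  if (!m) throw new Error("not a proxy path");
  const [, mode, rest] = m;
  const raw = /^https?:\/\//i.test(rest) ? rest : "http://" + rest;
  const href = new URL(raw).href; // throws on malformed targets
  return { mode, target: mode === "https" ? upgradeUrl(href) : href };
}

// Point one link back at the proxy so the next click stays inside it.
function proxify(mode, link, base) {
  let abs;
  try { abs = new URL(link, base); } catch { return link; }
  if (!/^https?:$/.test(abs.protocol)) return link; // mailto:, data:, etc. unchanged
  return `${PROXY_ORIGIN}/${mode}/${mode === "https" ? upgradeUrl(abs.href) : abs.href}`;
}

// Rewrite quoted href/src attributes in fetched HTML (simplified matcher).
function rewriteLinks(html, mode, base) {
  return html.replace(/\b(href|src)=(["'])(.*?)\2/gi,
    (_, attr, q, val) => `${attr}=${q}${proxify(mode, val, base)}${q}`);
}
```
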


