briar issues
https://code.briarproject.org/briar/briar/-/issues
2020-11-18T22:29:19Z

https://code.briarproject.org/briar/briar/-/issues/1206
Install validation
2020-11-18T22:29:19Z
Pratiwir

There have been discussions about hardware db keys but these security features of course assume that users have the correct original software on their devices. If this isn't the case then messages could be leaking.
Some general background.
Play Store, so far as I know, isn't solely located in jurisdictions free of secret court orders, although there are servers for different regions. Distributed software sometimes does vary, depending on the IP address from which it is requested. I have experienced this when doing MD5 checks myself.
Play Store also has a serious weakness: it works by using Google account login, so even if you download over Tor you can't be completely anonymous and you will have difficulty creating any Google account using Tor.
So Play Store might not be advisable if you think you may have been adversely profiled.
In addition there is also the possibility that HTTPS can be intercepted and compromised.
https://www.eff.org/deeplinks/2011/10/how-secure-https-today
Either issue might affect users targeted by IP address and not using Tor.
Downloading as an APK file at least gives the possibility to check the hash sum. Also downloading over Tor will make it difficult for individual users to be targeted.
So, given these considerations, and that APK files may be used frequently, I think it is probably important to have file hashes readily available on a website. Will this be the case?
I am also wondering if there is a way to do an application integrity check from a console as root? Perhaps a small script could be available for this purpose? System file checks can be a good added level of security. I would like to think the application could do this automatically for all users, but it seems this might be difficult to guarantee, and the only really secure way would be via the console. Has anyone any ideas on this?

https://code.briarproject.org/briar/briar/-/issues/1209
Unable to add users with Samsung galaxy S8 as contacts
2020-11-18T22:17:31Z
Josh

I have a OnePlus 3 and I am able to add anyone as contact unless they have a galaxy S8. I have tried pairing via Bluetooth, rebooting both phones, nothing gets the process to work.
Both people can be added as contacts if the invite feature is used, but then messages can only be sent when we are both online, never in offline mode.

https://code.briarproject.org/briar/briar/-/issues/1223
Detect whether contact being added is on same wifi network
2020-11-18T22:05:45Z
akwizgran

When adding a contact in person, it would be useful to be able to detect whether the contact is on the same wifi network. We could do this by including a short hash of the SSID in the QR code.

https://code.briarproject.org/briar/briar/-/issues/1243
User testing for image attachments
2020-11-18T21:51:14Z
akwizgran

Subtask of #1237.
Android 1.3
Renata Gegaj

https://code.briarproject.org/briar/briar/-/issues/1266
Use OONI data to identify locations where Tor bridges should be used
2020-11-18T21:47:03Z
akwizgran

This should be done in a scriptable way so the list can be updated regularly.
Subtask of #647.

https://code.briarproject.org/briar/briar/-/issues/1432
Headless integration tests
2020-11-18T17:04:10Z
Torsten Grote

We should add some integration tests for the REST API endpoints to catch breakage.
Headless MVP

https://code.briarproject.org/briar/briar/-/issues/1278
Use split APKs to make app available for Android Go
2020-11-18T02:38:55Z
akwizgran

Apparently the Play Store doesn't offer APKs larger than 10 MB to Android Go devices. We should provide architecture-specific (ARM and x86) APKs to keep the size below 10 MB.
Idea stolen from Orbot. :-)
https://developer.android.com/studio/build/configure-apk-splits

https://code.briarproject.org/briar/briar/-/issues/1283
improve password strength indicator
2020-11-18T02:34:08Z
wugacoha

Right now if you insert 1234567890 as your password the strength indicator shows a long green bar, which reassures the user that the password is not weak... which is not the point. The indicator should be improved (KeePassX shows such strength if you add symbols and letters).

https://code.briarproject.org/briar/briar/-/issues/1285
Support OPML feeds
2020-11-18T02:31:16Z
akwizgran

A user asked for the ability to import OPML feeds as well as RSS. It looks like ROME has a module for OPML: http://rometools.github.io/rome-opml/

https://code.briarproject.org/briar/briar/-/issues/1287
Design update
2020-11-18T02:29:31Z
Allan Nordhøy

Saw the interest in having some design done on OSD, couldn't make screenshots, so in writing for the time being.
Made a little list of my thoughts on getting things up and running.
Would be really nice to have one screenshot of everything to work with, then I could make a big image of it showing how different tasks are pieced together.
This is setting up stuff:
---
**Screen 1**
s/Welcome to Briar/Welcome/
! Put small logo top center
! Remove infotag
Username (in gray)
> ______________________ x ← red underline, turns green whenever the required amount of char has been entered
"Shown next to any content you post. Can not be changed."
// throw error message if illegal chars are entered
Password (in gray)
> ______________________ x
Can be changed from settings.
---
**Screen 2**
s/Choose a password/Password/
* Pick a secure password you remember (in gray)
> ______________________ ← starts out as a red line, progresses through the security stages, checkmark
* Confirm (in gray)
> ______________________ ← red line that turns green once matching checkmark
Press Next and passwords aren't matching, get error message
---
**Screen 3**
s/Background connections/Permissions
Access BT settings
> ______________________ ✓
Control vibration
> ______________________ ✓
Full network access
> ______________________ ✓
Pair with BT devices
> ______________________ ✓
Prevent phone from sleeping
> ______________________ ✓
View network connections
> ______________________ ✓
View Wi-Fi connections
> ______________________ ✓
Take pictures and video (moved here instead of being in the add contact dialog) (F-droid does not say "record" video.)
> ______________________ x s/Allow connections/Grant/
battery optimization exception.
> ______________________ x [Grant]
Needed to stay connected in the background
Same green underline when OK, red when not. checkmark
s/CREATE ACCOUNT/Create account/
---
**Screen 4**
s/add a contact/Adding contacts/
This should be the landing page when having done the setup. (?)
---
Add "about" field in settings with license, contributors, where to find code, and translation platform.
There is a huge amount of polishing that can be done in other areas, and I thought this was a good start.

https://code.briarproject.org/briar/briar/-/issues/1290
Replying in ThreadListActivity does not highlight post when using hardware keyboard
2020-11-18T02:25:34Z
Torsten Grote

I noticed this in an API 15 Android emulator which uses the host's hardware keyboard. Steps to reproduce:
1) Open a forum or private group thread
2) Add a message
3) Click the reply button on that message
Expected behavior: Message that is being replied to is scrolled up and highlighted. EditText hint changes to reply.
Observed behavior: Only EditText hint changes to reply.
This is because the code uses `OnKeyboardShownListener` to highlight the message. But this isn't called when using a hardware keyboard.

https://code.briarproject.org/briar/briar/-/issues/1299
Unable to add contacts: IP address is not in LAN
2020-11-18T02:17:29Z
akwizgran

* Android version: 5.1.1
* Phone model: Nubia NX512J
* Briar version: 1.0.3 (e83d8bb)
* User feedback: "Add contacts does not work."
```
"Bluetooth address" : "90:[scrubbed]:1D",
"Bluetooth address from settings" : "90:[scrubbed]:1D",
"Bluetooth status" : "Available, enabled, connectable, not discoverable",
"Mobile data status" : "Available, enabled, not connected",
"Wi-Fi Direct" : "Supported",
"Wi-Fi address" : "37.[scrubbed].223",
"Wi-Fi status" : "Available, enabled, connected"
```
The phone is connected to wifi, but the IP address is not a LAN address.
Possibly related to #699, #1209.

https://code.briarproject.org/briar/briar/-/issues/1300
Share button for RSS articles
2020-11-18T02:15:37Z
akwizgran

User feedback: "Nice RSS-Feature! I miss the "share"-button though. It is not very convenient to only share the link without the title of the article."

https://code.briarproject.org/briar/briar/-/issues/1308
Configurable colours for text balloons
2020-11-18T02:03:46Z
akwizgran

A user asked for the ability to change the colours of text balloons.

https://code.briarproject.org/briar/briar/-/issues/1337
Scroll to bottom when writing new post in private group
2020-11-18T01:46:13Z
akwizgran

User feedback: "In private conversations, when you tap the text bar to begin typing and it expands, the message history lifts up as well so that you are still seeing the most recent message above what you are typing. In groups, that is not the case. When the typing bar expands, it covers the most recent messages and you have to scroll down to see them.
I find the behavior in the private conversations more convenient."

https://code.briarproject.org/briar/briar/-/issues/1333
Screen overlay warning is shown when dismissing dialog
2020-11-18T01:44:17Z
akwizgran

While smoke testing the 1.0.11 release on the Galaxy Nexus (Android 4.3), I saw the screen overlay warning after dismissing the error dialog and tapping the URL text field in the RSS import screen. Perhaps an overlay is used to animate the dismissal of the dialog? I wasn't able to reproduce the issue.

https://code.briarproject.org/briar/briar/-/issues/1326
Prevent old messages from aborting client protocols
2020-11-18T01:39:44Z
akwizgran

Some client protocols that use an abort message to reset the state machine are vulnerable to a race condition where incoming messages that were already in flight when the abort message was sent are received after resetting, causing further aborts. This is harmless if the state machine is still in the start state when the messages are received, but it may cause problems if the state machine has moved out of the start state.
The problem can be avoided by using an abort counter:
* Each party keeps a counter for each other party they sync with
* The counter is part of the session state
* The counter is initialised to zero
* The counter is reset to zero if the other party is removed as a contact
* The counter is included in every outgoing message
* Incoming messages with counters lower than the local counter are ignored
* The counter is incremented after sending or receiving an abort message
If two parties concurrently abort the protocol they may ignore each other's abort messages, but this appears to be harmless: either both will increment their counters once, or both twice.
Client protocols that use abort messages without counters will need to be upgraded to accommodate counters. It may be possible to do this with a minor version upgrade.

https://code.briarproject.org/briar/briar/-/issues/1325
Use Psiphon when Tor bridges are not reachable
2020-11-18T01:38:59Z
Torsten Grote

We have been encouraged to use [Psiphon](https://www.psiphon.ca/) as a circumvention technology.
Here's how to add it:
> - Start the [Psiphon Library](https://github.com/Psiphon-Labs/psiphon-tunnel-core/tree/master/MobileLibrary/Android) and get its SOCKS proxy port
> - Configure the Tor client run by Briar to proxy through Psiphon using the "Socks5Proxy" config setting (https://www.torproject.org/docs/tor-manual.html.en)
> - The Tor client traffic egresses from the Psiphon server, connects to a Tor node, and gets to hidden services from there. Psiphon doesn't need to know about the hidden service part.

https://code.briarproject.org/briar/briar/-/issues/1321
Add backpressure to outgoing duplex sync sessions
2020-11-18T01:37:42Z
akwizgran

DuplexOutgoingSession reads records from the database as quickly as possible and queues them for transmission. If the DB is faster than the transport, this will result in all sendable records being queued. This uses an unbounded amount of memory and increases the risk of records being lost before they're transmitted, leading to unnecessary retransmissions.
Add a backpressure mechanism that limits the amount of queued data and delays DB reads when the queue is full.
This will be a bit more complex than #1319 because DuplexOutgoingSession can start DB queries in response to events.

https://code.briarproject.org/briar/briar/-/issues/1320
Add backpressure to incoming sync sessions
2020-11-18T01:34:09Z
akwizgran

IncomingSession reads records from the transport as quickly as possible and queues them to be added to the DB. If the transport is faster than the DB, this will result in an unbounded number of records being queued. This uses an unbounded amount of memory, which is a DoS risk.
Add a backpressure mechanism that limits the amount of queued data and delays reading from the connection when the queue is full.