celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Trusting domain vs HTTP block #1451

Open opk12 opened 1 month ago

opk12 commented 1 month ago

I cannot block port 80 while trusting a domain. Also, a trust rule for my_domain_here.com:80 seems ineffective, but the GUI accepts it.

  1. Turn on the option to disable port 80 (insecure HTTP).
  2. Open the Rethink settings for the browser and trust a domain.
  3. Now I can connect to the domain at port 80.
  4. Remove the trust rule.
  5. Tap the + button and type a rule for my_domain_here.com:80.
  6. The app cannot connect to port 80, but the Rethink GUI accepted the syntax silently.

What about changing the logic to block the port 80 even if there is a trust rule? Then the app could introduce support for the syntax domain.com:80, to whitelist the port.

ignoramous commented 1 month ago

Essentially, the ask is to support port-numbers for domain rules?

opk12 commented 1 month ago

  1. Trusting a domain should not allow the port 80, if the Universal rule to forbid port 80 is enabled.
  2. Supporting port numbers for domain rules.

ignoramous commented 1 month ago

> Trusting a domain should not allow the port 80, if the Universal rule to forbid port 80 is enabled.

We've implemented this in v055l. Please test and let us know.

> Supporting port numbers for domain rules.

We are in two minds about supporting this. There are no technical issues here but just that enforcing a domain name rule with no port number will have to behave drastically differently than when specified with a port number[^g], which might confuse users.

[^g]: Port numbers are not known at domain name resolution time and hence these rules would always have to be applied at connection time (unlike other block / deny domain rules which are applied at DNS resolution time).
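A small model of the two evaluation phases the footnote describes (name rules at DNS-resolution time, port-qualified rules only at connection time), added here as an illustration; it is not code from the Rethink project. The `Ruleset` fields, the `trust_overrides_port_block` switch and the domain:port rule table are assumptions chosen to walk through the six steps of the report and the proposed `domain.com:80` syntax.

```python
from dataclasses import dataclass, field
from typing import Optional
ALLOW, BLOCK = "allow", "block"

@dataclass
class Ruleset:
    block_port_80: bool = False            # universal "block port 80 (insecure HTTP)" toggle
    domain: dict = field(default_factory=dict)        # name -> verdict, applied at DNS time
    domain_port: dict = field(default_factory=dict)   # (name, port) -> verdict, hypothetical
    trust_overrides_port_block: bool = True # True models the behaviour reported in the issue

def dns_verdict(rs: Ruleset, name: str) -> Optional[str]:
    """DNS-resolution phase: only the name is known, so only plain domain rules apply."""
    return rs.domain.get(name)

def connection_verdict(rs: Ruleset, name: str, port: int) -> str:
    """Connection phase: the port is known, so port-qualified rules can be evaluated."""
    explicit = rs.domain_port.get((name, port))   # most specific rule wins
    if explicit is not None:
        return explicit
    at_dns = dns_verdict(rs, name)
    if at_dns == BLOCK:                           # a DNS-time block never reaches a socket
        return BLOCK
    if port == 80 and rs.block_port_80:
        if at_dns == ALLOW and rs.trust_overrides_port_block:
            return ALLOW                          # trust rule silently defeats the port block
        return BLOCK
    return ALLOW

def reported_scenario() -> dict:
    """Walks the six steps of the bug report against the model; all values are constructed."""
    name = "my_domain_here.com"
    out = {}
    # Steps 1-3: port 80 blocked, domain trusted -> connection still goes through
    old = Ruleset(block_port_80=True, domain={name: ALLOW})
    out["trust_beats_port_block"] = connection_verdict(old, name, 80)
    # Same rules with the universal port rule given precedence over a trust rule
    fixed = Ruleset(block_port_80=True, domain={name: ALLOW}, trust_overrides_port_block=False)
    out["port_block_beats_trust"] = connection_verdict(fixed, name, 80)
    # Steps 5-6: "name:80" typed into the domain list is accepted but never matches a name
    typo = Ruleset(block_port_80=True, domain={f"{name}:80": ALLOW}, trust_overrides_port_block=False)
    out["domain_list_with_port"] = connection_verdict(typo, name, 80)
    # Proposed syntax: an explicit domain:port allow, evaluated only at connection time
    proposed = Ruleset(block_port_80=True, domain_port={(name, 80): ALLOW}, trust_overrides_port_block=False)
    out["domain_port_rule"] = connection_verdict(proposed, name, 80)
    return out

if __name__ == "__main__":
    for case, verdict in reported_scenario().items():
        print(f"{case}: {verdict}")
```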

opk12 commented 1 month ago

> We've implemented this in v055l. Please test and let us know.

Thank you very much. I will update as soon as it lands on F-droid.

> Supporting port numbers for domain rules.

I wrote this for completeness while bug-reporting, but I do not need this personally. I was thinking in general about any users that potentially relied on the domain rule allowing port 80 and now (since v055l) will have no way to access port 80.

opk12 commented 1 month ago

> We are in two minds about supporting this. There are no technical issues here but just that enforcing a domain name rule with no port number will have to behave drastically differently than when specified with a port number, which might confuse users.

OpenSnitch has one single list of rules (screenshot 1). A rule can provide an IP, and/or domain, and/or port, and/or app, ...

Although the name sounds like "allow google.com" for ease of reading, the rule is a generic predicate (operator_data) over the properties of interest (column operator_operand) and the editing window allows to mix properties (screenshot 2; JSON in the last line in screenshot 3). For example, I can mix IP and domain. I think it's a matter of time before the user requests for Rethink reach that point.

It seems that OpenSnitch has already encountered the problem that similar-looking things behave differently, but I do not know how they deal with it exactly. For Rethink, maybe one list of rules, and a colored badge on each rule, to self-identify as "triggered at the DNS level" vs connection level.

[Screenshots: opensnitch_rules_list, opensnitch_editing_window, opensnitch_json]

ignoramous commented 1 month ago

Thanks.

> I think it's a matter of time before the user requests for Rethink reach that point.

True, but there's a laundry list of things (enough to keep us busy for 2 years) already left to work on before this particular power-user feature should get implemented? (:

opk12 commented 1 month ago

I updated to v0.5.5L from F-droid and rebooted the phone. I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.

opk12 commented 1 month ago

This also applies to the IP address: Fennec can connect to my home PC (where I run nc -l 80 or python3 -m http.server) if I add the IP address to the trust list, without typing :80.

ignoramous commented 1 month ago

> I set Fennec to Isolated, but unfortunately I can still browse HTTP-only websites that I add to the trust list. I double-checked that the Universal rule is set. I am on Samsung Android 7.1.

Sorry, we undid the change in v055l as we broke the fundamental precedence rule we set for prior versions, which is, domain rules always override IP rules (as some vocally angry users reminded us).

We're thinking of either bringing in domain:port rules or explicit priority numbers for rules (like in OpenSnitch).