The current functional features are:
DNSCrypt support!
Now your DNS queries will be hidden from your ISP before you even connect to CS, so unless they're keeping track of all of our DNSCrypt/DeepDNS IPs (which is why you can choose a non-CS DNSCrypt server in v3), they won't even know you're connecting to CS.
While the new version of the widget isn't out yet, all the DeepDNS servers have already been set up with DNSCrypt support. To use this feature, install https://download.dnscrypt.org/dnscrypt-proxy/ and replace their dnscrypt-resolvers.csv with the one at https://raw.githubusercontent.com/crypt ... olvers.csv or https://cryptostorm.is/dnscrypt-resolvers.csv
Another feature is updates via the VPN:
Before, updates were accomplished simply by grabbing https://cryptostorm.nu/latest.txt and checking if the version listed in that file after "LATEST:" is greater than the version you're using. If latest.txt says you're using an old version, a lazy `start https://cryptostorm.nu/setup.exe` was executed, which means your default browser would go to https://cryptostorm.nu/setup.exe. This method sucks for one main reason: if you can't reach cryptostorm.nu, you can't get updates. So if your ISP is blocking requests to cryptostorm.nu, or cryptostorm.nu goes down for some reason, no updates for you.
For v3, I've decided the best alternative method to this is implementing a server-side dummy interface that has a webserver listening on http://10.31.33.7/

Adding onto the above feature is automatic updates of the OpenSSL and OpenVPN files that power the widget. It's still being tested, but the idea is that once connected to CS, the widget downloads http://10.31.33.7/latest.txt, which not only includes the latest widget version, but also the latest OpenSSL and OpenVPN (and their library/.dll) versions; it then downloads their updates if they're newer than the versions the widget is currently using. The most obvious problem I could see with this idea is that if someone somehow managed to hack into a node and upload malicious OpenSSL/OpenVPN binaries to this http://10.31.33.7/ webserver, they could gain access to the client's system. So to prevent that, asymmetric cryptography is used. The widget downloads the updated file to a temp directory, then it downloads that file's sha512 signature. Included with the v3 widget is the public key that will be used to verify the downloaded file's signature (along with ossl.exe, a win32 precompiled openssl.exe), as seen in this code:
# Verify a downloaded update against the public key shipped with the widget.
# $_[0] is the downloaded file's name; its detached signature sits beside it
# as "<name>.hash". The name is interpolated into a shell command, so it must
# be a fixed/sanitized value from the updater, never raw untrusted input.
sub verify_download {
    my $yayornay = `..\\bin\\ossl dgst -sha512 -verify ..\\bin\\widget.pub -signature ..\\bin\\tmp\\$_[0].hash ..\\bin\\tmp\\$_[0]`;
    if ($yayornay =~ /Verified OK/) {
        $statusvar = "Downloaded file verified correctly.";
        Tkx::update();
    }
    else {
        $statusvar = "File verification failed for $_[0]";
        Tkx::update();
        unlink("..\\bin\\tmp\\$_[0]");   # discard the unverified download
    }
}
I'm thinking this would also be a good method for updating the widget without requiring the user to reinstall via the setup.exe each time too (i.e., the widget just automagically downloads [and verifies] client.exe for future versions).
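The latest.txt version check and the verify-before-install flow described above, as an added example in Python (not the widget's Perl and not cryptostorm's code). The manifest format ("NAME: version" per line), file names and the demo key pair are assumptions; the verify step calls the same `openssl dgst -sha512 -verify` the widget uses.

```python
import os, shutil, subprocess, tempfile

def parse_manifest(text):
    """Parse a latest.txt-style manifest, 'NAME: version' per line (format assumed)."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            name, ver = line.split(":", 1)
            out[name.strip().upper()] = ver.strip()
    return out

def needs_update(manifest, installed):
    """Components whose manifest version is newer than the installed one."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    return sorted(n for n, v in manifest.items()
                  if n in installed and key(v) > key(installed[n]))

def openssl_verify(pubkey, sig, path):
    """The widget's check: openssl dgst -sha512 -verify pub -signature sig file."""
    r = subprocess.run(["openssl", "dgst", "-sha512", "-verify", pubkey,
                        "-signature", sig, path], capture_output=True, text=True)
    return r.returncode == 0 and "Verified OK" in r.stdout

def install_if_verified(tmp, sig, pubkey, dest, verify=openssl_verify):
    """Move the download into place only if its signature verifies; else delete it."""
    if verify(pubkey, sig, tmp):
        shutil.move(tmp, dest)
        return True
    os.unlink(tmp)  # an unverified binary must never linger in the temp dir
    return False

def demo():
    """Round trip in a temp dir: keygen, sign, clean install, tampered reject."""
    d = tempfile.mkdtemp()
    key, pub, tmp, sig, dest = (os.path.join(d, n) for n in
        ("widget.key", "widget.pub", "openvpn.tmp", "openvpn.tmp.hash", "openvpn.exe"))
    run = lambda *a: subprocess.run(["openssl", *a], check=True, capture_output=True)
    run("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", key)
    run("pkey", "-in", key, "-pubout", "-out", pub)  # widget.pub ships with the client
    results = []
    for tamper in (False, True):
        with open(tmp, "wb") as f:
            f.write(b"constructed update payload")
        run("dgst", "-sha512", "-sign", key, "-out", sig, tmp)  # server-side signing
        if tamper:
            with open(tmp, "ab") as f:
                f.write(b"!")  # simulates a binary swapped out after signing
        results.append(install_if_verified(tmp, sig, pub, dest))
    shutil.rmtree(d)
    return tuple(results)  # (True, False)
```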
The other major feature is also a bugfix. If the widget is left running forever, eventually the system may enter a suspend/hibernate state. Now there's code that'll detect such an event and disconnect the widget, since all other internet-related features of Windows will be disabled during this period anyway; then the widget will reconnect when the system wakes up. The problem before was that when you resumed from suspend/hibernate, the widget would complain that it couldn't resolve anything, because the v2.22 widget told the OS to use the DeepDNS IPs for DNS, but on un-suspend/hibernate those IPs are no longer accessible. So with v3, it'll detect that power state and adjust accordingly.
The rest are mainly minor bugfixes:
If you click the systray icon and the widget main window is already opened, but minimized or not in focus, nothing happens. Now it'll restore focus to the widget.
This one's a bug I'm considering a feature: user connects like normal, goes to options, changes DNSCrypt server, goes back, now they're using 127.0.0.1 (DNSCrypt) instead of the pushed DeepDNS server.
Wireshark says even by doing that the DNS still goes thru the VPN. So I'm not fixing this mistake.

Fixed an old bug where if the node list can't be grabbed from https://cryptostorm.nu/nodelist.txt, the drop down node list in the widget would be emptied out (I just needed to undefine a buffer before a certain function).
Fixed an odd window render bug where if the splash screen is disabled, the default Tcl test window would show up before the main widget screen for about half a second. Not really that important, but looks sloppy. Fixed now.
Fixed that occasional bug where some users get an Options window that's a square (which hides buttons etc.) instead of the intended rectangle.
Fixed the bug where if the widget can't update the node list, any further attempts to try to do so would fail (a buffer needed to be cleared).
Even more minor GUI updates include: changing the text on the main window to code that mimics a hyperlink, so you can click on those text links. Also, since Tk's GIF capabilities are dumb/non-functional, I created some code that'll sorta mimic the visual aspects of a GIF so the world icon looks more animated.

ANYWHO
I'm still working on the "update while on CS" code, and I'm debating whether or not to push the release of v3 even further just so obfsproxy support is included. I dunno yet; if that ends up not taking a lot of time to implement, I'll do that. If I find a bunch of problems in implementing obfsproxy, I'll save that for v3.1.