Comments (7)
I implemented my proposed equivalent as a pair of pre-shared stream prefixes in shadowsocks-go. To enable this feature, specify the prefixes in base64 encoding as `unsafeRequestStreamPrefix` and `unsafeResponseStreamPrefix` in server and client config.
A simple example of pretending to be a dead HTTP parrot:
```shell
$ printf 'GET / HTTP/1.1\r\nHost: localhost\r\n\r\n' | base64
R0VUIC8gSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KDQo=
$ printf 'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n' | base64
SFRUUC8xLjEgMjAwIE9LDQpDb25uZWN0aW9uOiBjbG9zZQ0KDQo=
```
Then you can add:
```json
{
    "unsafeRequestStreamPrefix": "R0VUIC8gSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KDQo=",
    "unsafeResponseStreamPrefix": "SFRUUC8xLjEgMjAwIE9LDQpDb25uZWN0aW9uOiBjbG9zZQ0KDQo="
}
```
If you are feeling generous, configure a fallback address:
```json
{
    "unsafeFallbackAddress": "[::1]:80"
}
```
Now the stupid firewall you have been trying to bypass might actually let you through!
from shadowsocks-org.
I think it was added as a temporary workaround. I do agree that people should be better informed about its negative effects in the long term.
from shadowsocks-org.
I decided to add it into shadowsocks-rust just for allowing users to "test" whether this strategy would help prevent servers from being detected. I do agree that this is not a perfect solution and possibly increases the risk of servers being detected by adding identities. It is OK for me to remove it immediately, because it seems that there is no obvious benefit gained from this testing feature.
from shadowsocks-org.
- It does not need an update on the client side to get printable prefix chars. It just updates nonce generation.
- For my version, I changed the printable prefix length from 6 to the whole nonce length.
- Now TCP cannot bypass the GFW block with the current default version, so my friends are using other tools instead.
But the feature helps me. I looked into normal TCP streams, and there is a range for the prefix bytes. So I just make it the same as some kind of header, "/GET /home.index", instead of a random nonce salt. It does help.
Anyway, it is your pleasure to remove the code. I have my own branch just for personal usage.
from shadowsocks-org.
Mitigation
Unless it's for testing, I agree it's a mistake to have the circumvention mitigation enabled all the time, as it does make the protocol vulnerable.
However, there's value in making it an opt-in. The assumption in that case is that the server connection is already blocked, so you have nothing to lose by enabling the mitigation.
For Outline, we are not only making it opt-in, but also we'll let the server administrator specify the prefix they would like the user to use in the access key and online config. This way they can be modified quickly as blocking evolves, and the censor won't be able to easily tell what prefixes are being used.
Multi-hop approach
The proposal of adding a new pair of client and server between the original pair is helpful, but often not feasible, as you need to acquire servers on both sides of the firewall. Right now, in Iran, it's hard to pay for servers because of sanctions. Same in Russia.
It also doubles your traffic costs, which is one of the biggest issues for service providers.
from shadowsocks-org.
> The proposal of adding a new pair of client and server between the original pair is helpful, but often not feasible, as you need to acquire servers on both sides of the firewall.
> It also doubles your traffic costs, which is one of the biggest issues for service providers.
You don't need separate servers for this. Just run the new pair of client and server beside existing ones on the same systems. Some prefer to call it "SIP003 plugins".
Outline's implementation (Jigsaw-Code/outline-ss-server#127) uses part of the salt as the prefix. While I understand the consideration for backwards compatibility, there are quite a few drawbacks:
- The entropy of the salt is reduced.
- The length of the prefix is limited to the salt length.
- Prefix-unaware Shadowsocks servers cannot detect the presence of such prefixes.
> For Outline, we are not only making it opt-in, but also we'll let the server administrator specify the prefix they would like the user to use in the access key and online config.
Since server admins are going to have to get involved anyway, why not just put the prefixes ahead of the actual Shadowsocks stream, like my implementation did?
from shadowsocks-org.
It's also trivial to implement the prefix pair as an optional part of the stream: If the server sees the request prefix in the request stream, then the response prefix may be prepended to the response stream. Otherwise it's processed exactly like before. This approach won't break existing prefix-unaware clients, while giving server admins full control of what to use as prefixes.
from shadowsocks-org.
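The optional prefix-pair rule described in the last comment, applied to the base64 prefixes from the first comment, as an added example that is not shadowsocks-go's, shadowsocks-rust's or Outline's code. The names `PrefixPair`, `ParsePrefixPair`, `AcceptRequest` and `BeginResponse` are assumptions, and the server only ever prepends the response prefix when the request prefix was actually seen, so prefix-unaware clients (and streams shorter than the prefix) are handled exactly as before.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"io"
)

type PrefixPair struct {
	Request  []byte
	Response []byte
}

// ParsePrefixPair decodes the two base64 config values (names are assumptions).
func ParsePrefixPair(reqB64, respB64 string) (pp PrefixPair, err error) {
	if pp.Request, err = base64.StdEncoding.DecodeString(reqB64); err != nil {
		return PrefixPair{}, err
	}
	pp.Response, err = base64.StdEncoding.DecodeString(respB64)
	return pp, err
}

// AcceptRequest peeks at the head of the inbound stream. If it equals the request
// prefix, the prefix is consumed and matched=true is returned. Otherwise (legacy
// client, or a stream shorter than the prefix) nothing is consumed at all.
func AcceptRequest(conn io.Reader, pp PrefixPair) (io.Reader, bool, error) {
	if len(pp.Request) == 0 {
		return conn, false, nil // an empty prefix must not "match" everything
	}
	br := bufio.NewReaderSize(conn, 4096+len(pp.Request)) // never ErrBufferFull
	head, err := br.Peek(len(pp.Request))
	if err != nil && err != io.EOF {
		return nil, false, err // real read error, not merely a short stream
	}
	if !bytes.Equal(head, pp.Request) {
		return br, false, nil // peeked bytes stay buffered and are replayed by br
	}
	br.Discard(len(pp.Request))
	return br, true, nil
}

// BeginResponse writes the response prefix only when the request prefix was seen;
// the ordinary Shadowsocks response stream then follows on w exactly as before.
func BeginResponse(w io.Writer, pp PrefixPair, matched bool) error {
	if !matched {
		return nil
	}
	_, err := w.Write(pp.Response)
	return err
}
```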