Comments (7)
Since this report, we've made a few improvements to Outline to address some possible issues:
- We added replay protection to servers. That has been running for a few months. It has short memory, but it should be good enough for replays within a few hours or days.
- On the server-side, we now merge the salt and the initial data in one packet. This makes the size of the first server packet variable: Jigsaw-Code/outline-ss-server#69. This change has been in production for about a month.
- On the client-side, we merge the salt, SOCKS address and the initial data. This also makes the size of the first client packet variable: Jigsaw-Code/outline-ss-server#73
The client change is available in version 1.4.0. The releases for Android and iOS are still under way.
I don't know the impact of those changes on server detection yet. If anyone measures, please let me know! I'd be happy to collaborate.
from bbs.
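A bounded-memory salt filter of the kind the first bullet above describes, as an added example that is not Outline's code. The two-generation design, the capacity, and the rule of recording only salts from authenticated connections are assumptions of this sketch.

```python
class SaltReplayFilter:
    """Remember recently seen salts in two fixed-size generations.

    When the active generation fills up it becomes the old one and the
    previous old generation is dropped, so memory is bounded at
    2 * capacity salts. A replay is caught only while its salt is still
    held in one of the two generations (the "short memory").
    """

    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity = capacity
        self.active = set()
        self.old = set()

    def check_and_add(self, salt):
        """Return True and record the salt if it is fresh, False if it is a replay.

        Assumption: the caller invokes this only after the first AEAD chunk
        has authenticated, so unauthenticated traffic cannot evict entries.
        """
        if salt in self.active or salt in self.old:
            return False
        if len(self.active) >= self.capacity:
            self.old, self.active = self.active, set()
        self.active.add(salt)
        return True


def demo():
    """Show a caught replay, then the same salt accepted once it is forgotten."""
    f = SaltReplayFilter(capacity=2)
    salts = [bytes([i]) * 32 for i in range(5)]  # constructed 32-byte salts
    first = f.check_and_add(salts[0])            # fresh
    replay_soon = f.check_and_add(salts[0])      # immediate replay
    for s in salts[1:3]:
        f.check_and_add(s)                       # rotates one generation
    replay_later = f.check_and_add(salts[0])     # still in the old generation
    for s in salts[3:5]:
        f.check_and_add(s)                       # rotates again, salts[0] dropped
    replay_after_expiry = f.check_and_add(salts[0])
    return first, replay_soon, replay_later, replay_after_expiry


if __name__ == "__main__":
    print(demo())
```

The last value in the tuple is the limit of a short memory: once enough new salts have arrived, an old salt is accepted again.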
According to our recent survey, nearly one year later, some popular shadowsocks implementations:
- ss-rust
- v2ray - they fixed a similar problem in the vmess part (mentioned in #36) and forgot its shadowsocks part
- ss-java - not so popular, I was busy with another implementation and forgot to notify it...
- gost - not to be confused with https://en.wikipedia.org/wiki/GOST_(block_cipher), this project is a v2ray-like tool
- glider
- brook - although it's not exactly shadowsocks

were still vulnerable; they just didn't know about this problem. We notified most of them and they've fixed it. They're listed here because we only investigated them and ALL of them have exactly the same problem. (See shadowsocks/shadowsocks-rust#292 (in Chinese)).
There's only one true obfs4. But there are just too many shadowsocks. Most of them never know this place. Most of them are never known by this place.
from bbs.
If you run a Shadowsocks server, you can check for evidence of active probing in the log. In the shadowsocks-libev implementation, look for log messages like this:
```
crypto: stream: repeat IV detected
ERROR: failed to handshake with X.X.X.X: invalid address type
crypto: AEAD: repeat salt detected
ERROR: failed to handshake with X.X.X.X: authentication error
```
The `repeat IV` and `repeat salt` lines come from "1. Identical replay" probes. shadowsocks-libev has a filter to prevent identical replay, but other implementations do not. `invalid address type` and `authentication error` will result from non-identical replay or random probes.

`invalid address type` is from Stream ciphers (aes-128-ctr, aes-128-cfb, etc.); it means that the Shadowsocks server tried to decrypt the active probe, but after decryption it was not a well-formed proxy request. (Sometimes, by pure chance, a probe does decrypt to a well-formed proxy request, and the log contains a `connect to` message with an apparently random IP address and port number.)

`authentication error` comes from AEAD ciphers (chacha20-ietf-poly1305, aes-128-gcm, etc.); it happens because the active probers do not know the Shadowsocks server password and cannot accidentally produce a valid ciphertext.
from bbs.
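The log check described in the comment above, written as a small triage script. This is an added example, not part of the original comment or of shadowsocks-libev; the sample lines, their timestamps and the documentation-range addresses are constructed. It counts each message on its own and does not assume that a `repeat` line and the handshake error after it belong to the same connection.

```python
import re
from collections import Counter

# (pattern, probe kind, cipher family); message text as quoted in the comment.
RULES = [
    (re.compile(r"repeat IV detected"), "identical_replay", "stream"),
    (re.compile(r"repeat salt detected"), "identical_replay", "aead"),
    (re.compile(r"failed to handshake with (\S+): invalid address type"),
     "nonidentical_or_random", "stream"),
    (re.compile(r"failed to handshake with (\S+): authentication error"),
     "nonidentical_or_random", "aead"),
]


def classify_line(line):
    """Return (kind, family, peer or None) for a probe-related line, else None."""
    for pattern, kind, family in RULES:
        match = pattern.search(line)
        if match:
            peer = match.group(1) if pattern.groups else None
            return kind, family, peer
    return None


def summarize(lines):
    """Count probe evidence by (kind, family) and handshake failures by peer."""
    by_kind, by_peer = Counter(), Counter()
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        kind, family, peer = hit
        by_kind[(kind, family)] += 1
        if peer is not None:
            by_peer[peer] += 1
    return by_kind, by_peer


# Constructed sample; the line prefix format is an assumption.
SAMPLE_LOG = [
    "2020-01-01 00:00:01 INFO: listening at 0.0.0.0:8388",
    "2020-01-01 00:03:10 ERROR: crypto: AEAD: repeat salt detected",
    "2020-01-01 00:03:10 ERROR: failed to handshake with 192.0.2.10: authentication error",
    "2020-01-01 00:07:42 ERROR: crypto: stream: repeat IV detected",
    "2020-01-01 00:07:42 ERROR: failed to handshake with 198.51.100.7: invalid address type",
    "2020-01-01 00:09:05 ERROR: failed to handshake with 192.0.2.10: authentication error",
    "2020-01-01 00:11:30 INFO: connect to 203.0.113.5:443",
]

if __name__ == "__main__":
    kinds, peers = summarize(SAMPLE_LOG)
    for key, count in sorted(kinds.items()):
        print(key, count)
    print(peers.most_common())
```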
> some popular shadowsocks implementations ... were still vulnerable; they just didn't know about this problem.
Thank you for reporting this, @studentmain. We have been preparing a short post to better convey our research findings to both users and developers. And we hope it will help.
> Most of them never know this place. Most of them are never known by this place.
We agreed. And that's why we sincerely appreciate people like you who have been helping strengthen the communications in our community. We will do our part as well and let's see.
from bbs.
We (Qv2ray project) are planning a user-friendly vulnerability scanner. We think that if frightened users can check for the problem easily, developers will know about it.
from bbs.
> We (Qv2ray project) are planning a user-friendly vulnerability scanner.
That's awesome! FYI, we have released a prober simulator that can simulate replay-based and random probes sent by the GFW.
from bbs.
For Outline we wrote unit tests that do the probing, which I found very useful: https://github.com/Jigsaw-Code/outline-ss-server/blob/4f3ce4d267289789f2441ac6f93cd5ac765efbf8/service/tcp_test.go#L376
from bbs.