Comments (7)
from shadowsocks-org.
a) 16 bytes overhead means 16 / 1492 (typical chunk size if MSS = 1492) ~= 1% bandwidth loss. I doubt the overhead is even notable in the real world.
b) The approach of OpenSSH doesn't look good to me, especially the two separate ciphers.
c) Since SIP004 is already finalized, I prefer to not changing AEAD ciphers, unless there is any security concern.
I suggest to do more research for any new AEAD cipher that would solve the chunk length issue internally.
from shadowsocks-org.
I have seen similar construction in obfs4, although obfs4 uses a strange (maybe invented by itself) stream cipher.
Maybe we can drop the length tag, ignoring the authenticate error of the length field, and include the length as Associated Data in payload part. However I'm not sure whether the encryption library allows us to do this.
from shadowsocks-org.
And as the protocol is frequently modified I think we must mark the stability on website.
from shadowsocks-org.
Maybe we can drop the length tag, ignoring the authenticate error of the length field, and include the length as Associated Data in payload part. However I'm not sure whether the encryption library allows us to do this.
It won't work. By definition AEAD ciphers will refuse to decrypt if authentication fails so as to avoid providing a decryption oracle to attackers.
from shadowsocks-org.
I think the question is a) whether 16 bytes overhead per chunk is acceptable and if not b) should we adopt similar design like the one used in OpenSSH.
from shadowsocks-org.
I agree. The OpenSSH design leaves the possibility open that adversaries can control the obfuscated length field. Even though it does not pose any security threat because the payload is still AEAD-protected, I wonder if it exposes timing characteristics that might enable attacks similar to @breakwa11's to identify the protocol we use.
from shadowsocks-org.
Related Issues (20)
- SIP022: Shadowsocks 2022 Edition HOT 33
- 弱弱的问一句,啥是SIP? HOT 4
- after changing to portable mod, even when I disable the proxy there is no change
- Feature request: Chain Shadowsocks HOT 1
- [Security] Do not engineer vulnerabilities into implementations without public discussions HOT 7
- [One Idea] IP Geolocation Based Filtering HOT 20
- Ahmadtafreshi HOT 1
- Ahmad
- [Peer Review Request]Restls: A Perfect Impersonation of TLS Handshake HOT 5
- 能支持udp over tcp吗 HOT 1
- 日志文件 HOT 1
- OpenWrt client is not working for me
- 能否申请将Java的实现版本也纳入到官方社区中 HOT 1
- Correct wiki entry for "Setup fail2ban" - a jail config error detected HOT 2
- 社区有没有针对SIP023 relay server 的开发计划 HOT 2
- Cannot make the fail2ban setup guide work with systemd journal
- Non-UI Error. Can't start application
- ss://[email protected]:8388#SIP008%0A%0A HOT 1
- 兼容改版shadowsocks
- feature request: sip003 mux / multiplexing spec HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from shadowsocks-org.