Comments (4)
I think in theory the TLS state machine in specific implementations will also have identifying information from its state transition.
I guess The Parrot is Dead still holds. I just found the above is not just theory.
Nginx doesn't implement TLS False Start. Chromium does. I tried to add SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ENABLE_FALSE_START) in Nginx to enable it. Nginx will use False Start but lose the ability of session resumption (because it was caching the wrong session during False Start, because it was not implemented with False Start in mind). Chromium is able to do both False Start and session resumption.
This is a dynamic feature in the TLS state machine. This should be fairly hard to detect and not have much discriminating power if detected, and I could patch this issue in Nginx, but it shows that imitation is always imperfect and subject to detection.
This is a continuum. If we use the identical binary of Chrome it is a perfect "imitation" and impossible to distinguish but the installation size and performance suffer. On the other side the binary size and performance are great but imperfect imitation is easier to detect.
(There are other unique dynamic behaviors in Chromium: It sends separate TLS requests for OCSP; It starts non-content TLS sessions just to get the session tickets; etc. In the same thought even Trojan using Chrome or Tor using Firefox will have differentiating behaviors from a user using a browser, though that should be hard and expensive to detect.)
I believe continuous updated mitigation should be an acceptable compromise.
Edit:
Tor's meek attempted to use Chrome extensions for proxying TLS connections: https://trac.torproject.org/projects/tor/ticket/11393. The Chrome extension API creates TLS sockets in extensions/browser/api/socket/tls_socket.cc, but the Chrome browser itself creates TLS sockets from net/socket/ssl_client_socket_pool.cc. The latter has detailed pooling logic (default to allow up to 6 connections per host (but kDefaultMaxSocketsPerProxyServer = 32, so just the number of connections can distinguish a user browser vs. a proxy!), TLS 1.3 version interference probe (dynamically downgrade to TLS 1.2 if TLS 1.3 fails)) and the former does not.
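As an added example (not code from this thread or from the trojan project), a small Python sweep over constructed connection records that reports the peak number of simultaneous connections per destination host, the pool-size signal the comment above describes; an operator can run the same sweep over their own deployment's flow logs to see whether a host's concurrency exceeds the 6-per-host limit a Chromium browser pool would produce. The host names, timestamps and the (host, start, end) record format are assumptions.

```python
"""Added example (not from the thread): estimate peak simultaneous TLS
connections per destination host from constructed flow records, the signal
the comment above says separates a browser socket pool (at most 6 per host
in Chromium) from a proxy pool (kDefaultMaxSocketsPerProxyServer = 32)."""
from collections import defaultdict

# Chromium pool limits quoted in the comment above.
BROWSER_MAX_PER_HOST = 6
PROXY_MAX_PER_SERVER = 32


def max_concurrency_per_host(flows):
    """flows: iterable of (dst_host, start, end) with start <= end.
    Returns {dst_host: peak number of overlapping connections}."""
    events = defaultdict(list)
    for host, start, end in flows:
        events[host].append((start, 1))   # connection opens
        events[host].append((end, -1))    # connection closes
    peaks = {}
    for host, evs in events.items():
        # Sort by time; at equal timestamps a close (-1) sorts before an
        # open (+1), so a socket replaced at the same instant is not
        # double-counted as an extra overlapping connection.
        evs.sort(key=lambda e: (e[0], e[1]))
        cur = peak = 0
        for _, delta in evs:
            cur += delta
            peak = max(peak, cur)
        peaks[host] = peak
    return peaks


def hosts_above_browser_limit(peaks, browser_limit=BROWSER_MAX_PER_HOST):
    """Hosts whose peak exceeds what a browser's per-host pool allows."""
    return sorted(h for h, p in peaks.items() if p > browser_limit)


# Constructed flow records (seconds). browser.example opens 6 sockets,
# then a 7th only once the first one has closed; proxy.example keeps
# 20 connections open at once, as a proxy-sized pool would.
SAMPLE_FLOWS = (
    [("browser.example", t, t + 10) for t in range(6)]
    + [("browser.example", 10, 20)]
    + [("proxy.example", 0, 30)] * 20
)

if __name__ == "__main__":
    peaks = max_concurrency_per_host(SAMPLE_FLOWS)
    print(peaks)                                  # {'browser.example': 6, 'proxy.example': 20}
    print(hosts_above_browser_limit(peaks))       # ['proxy.example']
```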
Hi, any progress on OCSP stapling?
@laoyur This was excluded from our plan a few years ago.
If trojan is behind nginx as described in #131, should stapling be disabled on nginx?
A more general question: if trojan is behind nginx, should it match as many TLS options as possible with those in nginx? Is failing to achieve that considered leaky?