Obfuscation plugin support.
See the original GitHub issues #72, #159, #517, #551 and #589. They are all about the same thing: obfuscation.
So let me clarify what we mean when we say ‘obfuscation’.
Now Alice sends a message to Bob. However, the message goes through Eve. Eve just throws away the letter and tells Alice that Bob refuses to respond. In this case, that is a 403 or 404 error for the HTTP request, and Eve is doing what the GFW has been doing.
The GFW interrupts your connection instead of attacking you. So, in a diagram:
Fig. 1
.-------.    |     .----------------------.
| Alice +----X---->| Blocked Endpoint Bob |
'-------'    |     '----------------------'
            GFW
That is, the connection to a blocked endpoint is interrupted. A simple proxy server can work around this problem.
Fig. 2
.-------.    |                           .----------------------.
| Alice +-+--X-----------------------+-->| Blocked Endpoint Bob |
'-------' |  |                       |   '----------------------'
          |  |   .---------------.   |
          +----->| Proxy Charlie +---+
             |   '---------------'
            GFW
You use the proxy as a detour.
Now Eve finds this out by looking at the messages from Alice, and interrupts the connection on both channels.
Fig. 3
.-------.    |                           .----------------------.
| Alice +-+--X-----------------------+-->| Blocked Endpoint Bob |
'-------' |  |                       |   '----------------------'
          |  |   .---------------.   |
          +--X-->| Proxy Charlie +---+
             |   '---------------'
            GFW
Shadowsocks solves this by setting up the Proxy Charlie and using symmetric encryption between Alice and Charlie. That is good: you return again to the case in Fig. 2.
The problem arises when Eve decides that the message between Alice and Charlie is suspicious, e.g. always-encrypted messages on port 80 or any other non-standard port. So Eve decides that the message is suspicious and that he had better throw it away, and then carries out that action. You return again to Fig. 3.
So Alice and Charlie decide to communicate on an always-encrypted channel, e.g. port 443. Network traffic seems to be normal now, and Eve lets Alice’s message go.
Nowadays, Eve has a fancy tool, e.g. some magically trained machine learning model, that statistically detects abnormal encrypted network traffic and automatically interrupts the channel or, even worse, marks Proxy Charlie as a blocked endpoint (maybe temporarily). V2Ray is a plugin on top of Shadowsocks that makes the encrypted message look like a normal HTTPS payload (maybe others, IKW…), and invalidates Eve’s fancy tool. That is all obfuscation is about: pretending to be normal.
Top GitHub Comments
It’s not about using plugins, it’s about using a different protocol. Let’s name it right. Not only a different protocol, but it has to be one that is widely used. And it’s also not about obfuscation. We can’t pretend to be a protocol, because that’s easy to spot. You have to actually use the protocol. And you can’t roll your own implementation. You have to reuse an existing one, because you can also fingerprint the implementation.
I like the idea of using something over HTTPS. Web Proxies is one such protocol. However, it doesn’t support UDP and the handshake may still be easy to identify. It’s still probably a good alternative. However, there are many other factors that can give you away besides the protocol. High port numbers for example. Or sending all your traffic to a single IP address. A different protocol won’t necessarily address that.
Considering that Outline is now advertised to Iranian users by opening Google on the front page of the search engine, this is now a very good time to implement this.
Currently, I have a server that runs the vanilla shadowsocks and it seems to be blocked by the DPI system as the following error message is printed over and over for every connection made:
Which seems to indicate a rule to drop the connection after the handshake. Although I understand Outline is a little different, since it is still based on the same protocol I expect it to be recognizable too.
Please note that in the current situation in Iran, designing a new protocol does not help. It is not about detecting Outline and blocking it, but rather about detecting unusual traffic and blocking it. It is more of a white-list situation here. So the target should be obfuscation rather than encryption: acting like HTTP traffic or HTTPS traffic or something similar, to hide the fact that this is anything other than normal internet usage. There are plugins for Shadowsocks, but as the best client for iOS, just enabling a plugin on the server without being able to connect to it via Outline is useless.
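
The thread's two observations, that a fully encrypted stream stands out under an allow-list and that a look-alike prefix is easy to spot, can be seen with a simplified first-packet classifier. This is an added example, not code from the issue, Outline or Shadowsocks; the function names, the entropy threshold and the sample payloads are constructed assumptions, and it does not model any real DPI system.

```python
import hashlib
import math
import struct
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated byte, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_packet(payload: bytes, entropy_threshold: float = 7.0) -> str:
    """Toy allow-list: name the protocol only if the bytes parse as it."""
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0]
        ok = request_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))
        return "http" if ok else "malformed-http"
    if len(payload) >= 6 and payload[:2] == b"\x16\x03":
        # TLS handshake record: type 0x16, version 0x03xx, 2-byte length.
        # Assumption: the whole record arrives in the first packet.
        (record_len,) = struct.unpack(">H", payload[3:5])
        ok = payload[5] == 0x01 and record_len == len(payload) - 5
        return "tls" if ok else "malformed-tls"
    if shannon_entropy(payload) >= entropy_threshold:
        return "unknown-high-entropy"  # no framing, near-random bytes
    return "unknown"

def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed first packets, not captures of real traffic.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HELLO_BODY = b"\x01" + pseudo_random(199)
TLS_SAMPLE = b"\x16\x03\x01" + struct.pack(">H", len(HELLO_BODY)) + HELLO_BODY
ENCRYPTED_SAMPLE = pseudo_random(1024)  # fully encrypted stream, no framing
MIMIC_SAMPLE = b"\x16\x03\x01\x02\x00" + pseudo_random(100)  # TLS-like prefix only

if __name__ == "__main__":
    for name in ("HTTP_SAMPLE", "TLS_SAMPLE", "ENCRYPTED_SAMPLE", "MIMIC_SAMPLE"):
        data = globals()[name]
        print(f"{name:17} {shannon_entropy(data):4.2f} bits/byte  "
              f"{classify_first_packet(data)}")
```

The TLS check here only validates the record header and length, so it illustrates the structural test, not full ClientHello parsing or implementation fingerprinting.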