Comments (7)
Since this report, we've made a few improvements to Outline to address some possible issues:
- We added replay protection to servers. That has been running for a few months. It has short memory, but it should be good enough for replays within a few hours or days.
- On the server-side, we now merge the salt and the initial data in one packet. This makes the size of the first server packet variable: Jigsaw-Code/outline-ss-server#69. This change has been in production for about a month.
- On the client-side, we merge the salt, SOCKS address and the initial data. This also makes the size of the first client packet variable: Jigsaw-Code/outline-ss-server#73
The client change is available in version 1.4.0. The releases for Android and iOS are still under way.
I don't know the impact of those changes on server detection yet. If anyone measures, please let me know! I'd be happy to collaborate.
from bbs.
According to our recent survey, nearly one year later, some popular shadowsocks implementations:
- ss-rust
- v2ray - they fixed a similar problem in the vmess part (mentioned in #36) and forgot its shadowsocks part
- ss-java - not so popular, I was busy with other implementations and forgot to notify it...
- gost - not to be confused with https://en.wikipedia.org/wiki/GOST_(block_cipher), this project is a v2ray-like tool
- glider
- brook - although it's not exactly shadowsocks
were still vulnerable; they just didn't know about this problem. We notified most of them and they've fixed it. They're listed here because we only investigated them and ALL of them have exactly the same problem. (See shadowsocks/shadowsocks-rust#292 (in Chinese)).
There's only one true obfs4. But there are just too many shadowsocks. Most of them never know this place. Most of them never known by this place.
from bbs.
If you run a Shadowsocks server, you can check for evidence of active probing in the log. In the shadowsocks-libev implementation, look for log messages like this:
```
crypto: stream: repeat IV detected
ERROR: failed to handshake with X.X.X.X: invalid address type
crypto: AEAD: repeat salt detected
ERROR: failed to handshake with X.X.X.X: authentication error
```

The `repeat IV` and `repeat salt` lines come from "1. Identical replay" probes. shadowsocks-libev has a filter to prevent identical replay, but other implementations do not. `invalid address type` and `authentication error` will result from non-identical replay or random probes. `invalid address type` is from Stream ciphers (aes-128-ctr, aes-128-cfb, etc.); it means that the Shadowsocks server tried to decrypt the active probe, but after decryption it was not a well-formed proxy request. (Sometimes, by pure chance, a probe does decrypt to a well-formed proxy request, and the log contains a `connect to` message with an apparently random IP address and port number.) `authentication error` comes from AEAD ciphers (chacha20-ietf-poly1305, aes-128-gcm, etc.); it happens because the active probers do not know the Shadowsocks server password and cannot accidentally produce a valid ciphertext.
from bbs.
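The log check described in the comment above, as an added example (not part of the original comment and not shadowsocks-libev code): a Python script that tallies the quoted messages by category and cipher family and lists peers with repeated handshake failures. The timestamp prefix, the sample log lines, the function names and the threshold are constructed for illustration; a failed handshake can also come from a misconfigured client, so the output is evidence to review rather than proof of probing.

```python
import re
from collections import Counter, defaultdict

# Message fragments as quoted in the comment above (shadowsocks-libev).
REPLAY_MARKERS = {
    "crypto: stream: repeat IV detected": "stream",
    "crypto: AEAD: repeat salt detected": "AEAD",
}
HANDSHAKE_RE = re.compile(
    r"failed to handshake with (?P<ip>\S+): "
    r"(?P<reason>invalid address type|authentication error)"
)
# Which cipher family produces which failure reason, per the comment.
REASON_FAMILY = {"invalid address type": "stream", "authentication error": "AEAD"}

def summarize(lines):
    """Return (counts keyed by (category, family), failure reasons per peer IP)."""
    counts, peers = Counter(), defaultdict(Counter)
    for line in lines:
        for marker, family in REPLAY_MARKERS.items():
            if marker in line:
                counts[("identical_replay", family)] += 1
        m = HANDSHAKE_RE.search(line)
        if m:
            counts[("failed_handshake", REASON_FAMILY[m["reason"]])] += 1
            peers[m["ip"]][m["reason"]] += 1
    return counts, peers

def peers_with_repeated_failures(peers, threshold=2):
    """Peer IPs with at least `threshold` failed handshakes (threshold is an assumption)."""
    return sorted(ip for ip, c in peers.items() if sum(c.values()) >= threshold)

# Constructed sample log: timestamps and addresses are made up (RFC 5737 ranges).
# It mixes both families for illustration; a server configured with one cipher
# would show only one of them.
SAMPLE_LOG = """\
2020-01-01 10:00:01 crypto: AEAD: repeat salt detected
2020-01-01 10:00:01 ERROR: failed to handshake with 192.0.2.10: authentication error
2020-01-01 10:04:17 ERROR: failed to handshake with 192.0.2.10: authentication error
2020-01-01 10:09:02 ERROR: failed to handshake with 198.51.100.7: authentication error
2020-01-01 10:12:45 crypto: stream: repeat IV detected
2020-01-01 10:12:45 ERROR: failed to handshake with 203.0.113.5: invalid address type
2020-01-01 10:20:00 INFO: connect to example.com:443
""".splitlines()

if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    for (category, family), n in sorted(counts.items()):
        print(f"{category:17} {family:6} {n}")
    print("repeated failures from:", peers_with_repeated_failures(peers))
```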
> some popular shadowsocks implementation ... were still vulnerable, they just didn't know this problem.
Thank you for reporting this, @studentmain. We have been preparing a short post to better convey our research findings to both users and developers. And we hope it will help.
> Most of them never know this place. Most of them never known by this place.
We agreed. And that's why we sincerely appreciate people like you who have been helping strengthen the communications in our community. We will do our part as well and let's see.
from bbs.
We (Qv2ray project) are planning a user-friendly vulnerability scanner. We think if a frightened user can check the problem easily, the developer will know it.
from bbs.
> We (Qv2ray project) are planning a user-friendly vulnerability scanner.
That's awesome! FYI, we have released a prober simulator that can simulate replay-based and random probes sent by the GFW.
from bbs.
For Outline we wrote unit tests that do the probing, which I found very useful: https://github.com/Jigsaw-Code/outline-ss-server/blob/4f3ce4d267289789f2441ac6f93cd5ac765efbf8/service/tcp_test.go#L376
from bbs.