Enhancements regarding Trojan Protocol that might be done in the future #13
According to some issues, here is a list of improvements to be made to the protocol only if necessary. You are welcome to contribute to this list.
Since some strategies cannot be proven effective, further discussions are required.
Thanks to @klzgrad and @micooz for their great proposals.

Comments

I guess The Parrot is Dead still holds. I just found the above is not just theory. Nginx doesn't implement TLS False Start. Chromium does. I tried to add This is a dynamic feature in the TLS state machine. This should be fairly hard to detect and not have much discriminating power if detected, and I could patch this issue in Nginx, but it shows that imitation is always imperfect and subject to detection. This is a continuum. If we use the identical binary of Chrome, it is a perfect "imitation" and impossible to distinguish, but the installation size and performance suffer. On the other side, the binary size and performance are great, but imperfect imitation is easier to detect. (There are other unique dynamic behaviors in Chromium: it sends separate TLS requests for OCSP; it starts non-content TLS sessions just to get the session tickets; etc. In the same thought, even Trojan using Chrome or Tor using Firefox will have differentiating behaviors from a user using a browser, though that should be hard and expensive to detect.) I believe continuously updated mitigation should be an acceptable compromise.

Edit: Tor's meek attempted to use Chrome extensions for proxying TLS connections (https://trac.torproject.org/projects/tor/ticket/11393). Chrome extension API creates TLS sockets in

Hi, any progress on OCSP stapling?

@laoyur This has been excluded from our plan a few years ago.

If trojan is behind nginx as described in #131, should stapling be disabled on nginx? A more general question: if trojan is behind nginx, should it match as many TLS options as possible with those in nginx? Is failing to achieve that considered leaky?