Jigsaw-Code / outline-apps

Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.
https://getoutline.org/
Apache License 2.0

Enable support for obfuscation via plugins #649

Open cloudhan opened 4 years ago

cloudhan commented 4 years ago

72 #159 #517 #551 #589 are all about the same thing: obfuscation.

So let me clarify what we mean when we say 'obfuscation'.

Now Alice sends a message to Bob. However, the message goes through Eve. Eve just throws away the letter and tells Alice that Bob refuses to respond. In this case, that is a 403 or 404 error for the HTTP request, and Eve is doing what the GFW has been doing.

The GFW interrupts your connection instead of attacking you. So in a diagram:

Fig. 1
.-------.    |     .----------------------.
| Alice +----X---->| Blocked Endpoint Bob |
'-------'    |     '----------------------'
            GFW

That is, the connection to a blocked endpoint is interrupted. A simple proxy server can work around this problem.

Fig. 2
.-------.    |                           .----------------------.
| Alice +-+--X-----------------------+-->| Blocked Endpoint Bob |
'-------' |  |                       |   '----------------------'
          |  |   .---------------.   |
          +----->| Proxy Charlie +---+
             |   '---------------'
            GFW

You use the proxy as a detour.

Now Eve finds this by looking at the messages from Alice, and interrupts the connection on both channels.

Fig. 3
.-------.    |                           .----------------------.
| Alice +-+--X-----------------------+-->| Blocked Endpoint Bob |
'-------' |  |                       |   '----------------------'
          |  |   .---------------.   |
          +--X-->| Proxy Charlie +---+
             |   '---------------'
            GFW

Shadowsocks solves this by setting up the Proxy Charlie and using symmetric encryption between Alice and Charlie. That is good; you again return to the case in Fig. 2.

The problem arises when Eve decides that the message between Alice and Charlie is suspicious, e.g. always-encrypted messages on port 80 or on any other non-standard ports. So Eve decides that the message is suspicious and he had better throw it away, and then realizes the action. You again return to Fig. 3.

So Alice and Charlie decide to communicate on an always-encrypted channel, e.g. port 443. And network traffic seems to be normal now. And Eve lets Alice's message go.

Nowadays, Eve has a fancy tool, e.g. some magically trained machine learning model, that statistically detects encrypted network traffic that is abnormal and automatically interrupts the channel or, even worse, marks Proxy Charlie as a blocked endpoint (maybe temporarily). V2Ray is a plugin on top of Shadowsocks that makes the encrypted message look like a normal HTTPS payload (maybe others, IKW...), and invalidates Eve's fancy tool. That is all about obfuscation: pretending to be normal.
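The comment above argues that a censor can flag "always encrypted" traffic on port 80 or on a non-standard port by statistics alone. The following added example is not part of the thread and not Outline's or V2Ray's code; it is a toy version of that statistical check, written from the detection side. It computes the Shannon entropy of the first bytes of a connection and labels the flow as plaintext HTTP, as a TLS record on 443, or as high-entropy data without any recognizable framing. All payloads are constructed inline (the "Shadowsocks-like" sample is just deterministic pseudo-random bytes, not a real protocol capture), and the threshold, labels and port list are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler built from a SHA-256 chain.

    Used only to construct sample payloads so the example runs offline
    and reproducibly; this is not a cipher and not real proxy traffic.
    """
    out = b""
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# --- constructed sample "first packets" (assumptions, not captures) ---
HTTP_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# A TLS record header (content type 0x16 = handshake, version 0x03xx) in
# front of opaque bytes: what a real TLS ClientHello looks like at a glance.
TLS_CLIENT_HELLO_LIKE = b"\x16\x03\x01\x00\xc8\x01" + pseudo_random_bytes(200, b"tls-sample")
# Opaque, high-entropy bytes with no framing at all, standing in for a
# connection that is "always encrypted" from the first byte.
OPAQUE_ENCRYPTED_LIKE = pseudo_random_bytes(512, b"opaque-sample")

HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI", b"DELE")


def looks_like_plaintext_http(data: bytes) -> bool:
    """Very rough check: starts with a known method token and uses CRLF lines."""
    return data[:4] in HTTP_METHODS and b"\r\n" in data


def looks_like_tls_record(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake) and major version byte 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def classify_first_bytes(data: bytes, dst_port: int, threshold: float = 6.5) -> str:
    """Toy heuristic in the spirit of 'Eve's fancy tool'.

    Returns one of:
      'plaintext-http'          - readable HTTP request
      'expected-encrypted'      - TLS-framed data on 443, i.e. looks like HTTPS
      'suspicious-high-entropy' - opaque high-entropy bytes with no framing,
                                  or opaque bytes on a port where HTTPS is
                                  not expected
      'low-entropy-unknown'     - anything else
    The threshold (6.5 bits/byte) and the port list are assumptions.
    """
    if looks_like_plaintext_http(data):
        return "plaintext-http"
    if dst_port == 443 and looks_like_tls_record(data):
        return "expected-encrypted"
    if shannon_entropy(data) >= threshold:
        return "suspicious-high-entropy"
    return "low-entropy-unknown"


if __name__ == "__main__":
    for name, payload, port in (
        ("HTTP on 80", HTTP_REQUEST, 80),
        ("TLS on 443", TLS_CLIENT_HELLO_LIKE, 443),
        ("opaque on 80", OPAQUE_ENCRYPTED_LIKE, 80),
        ("opaque on 8388", OPAQUE_ENCRYPTED_LIKE, 8388),
        ("opaque on 443", OPAQUE_ENCRYPTED_LIKE, 443),
    ):
        print(f"{name:15s} entropy={shannon_entropy(payload):.2f} -> {classify_first_bytes(payload, port)}")
```

The point the example makes is the one the rest of the thread turns on: moving opaque bytes to port 443 does not by itself make them look like HTTPS, because the check keys on framing as well as entropy, whereas a flow that genuinely starts with a TLS handshake is indistinguishable from any other TLS flow at this level of inspection. A real classifier would look at far more (packet sizes, timing, destination reputation), which is why the reply below stresses reusing an existing, widely deployed implementation rather than imitating one.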

fortuna commented 4 years ago

It's not about using plugins, it's about using a different protocol. Let's name it right. Not only a different protocol, but it has to be one that is widely used. And it's also not about obfuscation. We can't pretend to be a protocol, because that's easy to spot. You have to actually use the protocol. And you can't roll your own implementation. You have to reuse an existing one, because you can also fingerprint the implementation.

I like the idea of using something over HTTPS. Web proxies are one such protocol. However, it doesn't support UDP and the handshake may still be easy to identify. It's still probably a good alternative. However, there are many other factors that can give you away besides the protocol. High port numbers, for example. Or sending all your traffic to a single IP address. A different protocol won't necessarily address that.

fortuna commented 4 years ago

Can you provide a detailed characterization of how an Outline setup gets blocked? How long does it take? How is the blocking implemented (TCP RSTs? Packet dropping? IP-port pair? IP-only?) Does the number of users make a difference? Does it still get blocked if you use a client that supports selective proxying? How long does it take to get unblocked? Is it in all ISPs?

cloudhan commented 4 years ago

What about WebSocket? I'm not a network guy so I am not very sure if I understand it correctly. V2Ray supports it. A perfect example of actually using a widely used protocol.

My server used to be temporarily inaccessible after I open some YouTube video (god dammit, just want to watch some lecture...). But the pattern is quite random. The blocking is implemented, I guess, by IP-port pair, because I can ssh into my server and ping it at the moment, not quite sure. I am actually using selective proxying. It might take 10 min or half an hour to get unblocked. But the traffic then will be quite unstable and can easily get blocked again if reused. Maybe after a few days, it becomes normal. Then after some extensive usage, the same happens.

Having got fed up, I set up v2ray over my SS server and now the connection is much smoother. I cannot prove the paper to be wrong, but the plugin thing is useful at the moment. Asking for v2ray support is because Outline seems to be the only free client on iOS (free is quite important, because normally Chinese users don't have a payment method for the foreign App Store). I am using another client now.

Omoeba commented 4 years ago

The only real con of websocket is difficulty of setup as you need a full-fledged webserver i.e. nginx. But once you set it up it is nearly impossible to block and might even get a speed boost from TLS1.3, h2 and in the future, http3 (QUIC).

InvisibleRain commented 2 years ago

There's no need for a standalone web server. You can spin up a shadowsocks server with websocket obfuscation in just 3 commands on a fresh vm https://hub.docker.com/r/yunielrc/shadowsocks-rust-server

falahati commented 1 year ago

Considering that Outline is now advertised to Iranian users by opening Google on the front page of the search engine, this is now a very good time to implement this.

Currently, I have a server that runs the vanilla shadowsocks and it seems to be blocked by the DPI system as the following error message is printed over and over for every connection made:

 2022-10-03 22:14:44 ERROR: remote recv: Connection reset by peer
 2022-10-03 22:14:59 ERROR: server recv: Connection reset by peer
 2022-10-03 22:15:05 ERROR: getpeername: Transport endpoint is not connected

Which seems to indicate a rule to drop the connection after the handshake. Although I understand Outline is a little different, since it is still based on the same protocol I expect it to be recognizable too.

Please note that in the current situation in Iran, designing a new protocol does not help. It is not about detecting Outline and blocking it but rather detecting unusual traffic and blocking it. It is more of a white-list situation here. So the target should be obfuscation rather than encryption. Acting like HTTP traffic or HTTPS traffic or something similar, to hide the fact that this is anything other than normal internet usage. There are plugins for shadowsocks, but as the best client for iOS, just enabling a plugin on the server without being able to connect to it via Outline is useless.