TelegramMessenger / MTProxy


Thanks for TLS! implement HTTPS as well. #324

Open FreedomPrevails opened 5 years ago

FreedomPrevails commented 5 years ago

First, thanks for implementing the TLS. I am the first person asking for this in issue #35 more than a year ago. So please give the credit where credit is due, and I hope you listen to my next suggestion. The implementation of TLS will hopefully resolve the detection of the MTProxy servers by DPI systems, but it doesn't resolve another issue which is not technical at all but economical. Because MTProxy doesn't support authentication, the only incentive for providers is to use the sponsored channels feature and share their proxies as much as possible in public channels. Now if I was an adversary, I would write a program to join such channels and pick up those IPs and block them! Easy! No DPI required. The solution for this is to provide an economical incentive for providers to sell private proxies to users, and this requires authentication. I know providing authentication is hard and complicated in MTProxy and probably out of the scope of your mission. But you already support HTTP transport with authentication in Telegram clients; if you only add HTTPS transport, there are tons of solutions out there that can be used to provide commercial secure private Telegram proxies to the users. No changes in your servers or MTProxy are required. And best of all, it natively supports TLS, so it is not detectable.

Edit: I know this issue is not related to MTProxy and is related to Telegram clients, but as I have no other way to contact Telegram devs, I posted it here.

sahareh commented 5 years ago

You can create multiple secrets and run the program with multiple secrets. Then you can sell each secret to a person.

FreedomPrevails commented 5 years ago

@sahareh Thanks for your suggestion, but it is not possible for a couple thousand users ;) I need RADIUS authentication.

seriyps commented 5 years ago

It will be possible with the new protocol, because of TLS SNI.

seriyps commented 5 years ago

Well, and here is an example of how you could add authentication using this new protocol: https://github.com/seriyps/mtproto_proxy#personal-proxy--multi-secret-proxy

FreedomPrevails commented 5 years ago

@seriyps What you are proposing is not authentication; at best it is just a hack to demotivate the users from sharing their proxy link, and it is not practical on enterprise setups. https://en.wikipedia.org/wiki/Authentication

Telegram supports a useless HTTP proxy which provides zero security and no censorship resistance. It would help a lot if they offered an HTTPS proxy. It resolves a lot of issues, from censorship resistance to enterprise authentication.