Open xxyzz opened 1 year ago
I don't think our bridge servers currently support those ciphers. So at the moment it does not help to add support for them in the app. It's also important to realize that the security of the transport channel client <-> bridge is not really important. I describe why here: https://github.com/mullvad/mullvadvpn-app/issues/2070#issuecomment-687027897
SIP022 is not only a new cipher, it is also a new protocol with a breaking change to defend against active probes, according to this comment and the Detection Prevention section in the spec. This should provide better obfuscation and better performance. I assume your servers also use shadowsocks-rust; upgrading both server and client to support the new protocol is probably easier to implement than adding support for other protocols like v2ray.
Our servers run the C implementation of Shadowsocks.
shadowsocks-libev's GitHub page says the project is in bug-fix-only mode and development has moved to the Rust project. Even though it's bug-fix-only, it seems the project is already abandoned, as its latest release was in 2020. Migrating to shadowsocks-rust is probably better for both server admins and users, since it's in active development and supported by the shadowsocks developers.
Yep, it's long past time to migrate everything to shadowsocks-rust. Kind of amazed Mullvad has been using the C implementation all this time.
shadowsocks-rust has supported SIP022 ciphers since v1.15.0. The new ciphers fix the security issues in the previous SIP002 AEAD ciphers and also improve performance, according to the spec. It would be great if Mullvad could support these new ciphers.
I find that talpid-core and talpid-openvpn enable the `stream-cipher` feature in their `Cargo.toml` files; this feature is marked as unsafe and deprecated in shadowsocks-rust's README. Is the Mullvad app actually using this feature?