Open xxyzz opened 1 year ago
faern
commented
1 year ago I don't think our bridge servers currently supports those ciphers. So at the moment it does not help to add support for them in the app. It's also important to realize that the security of the transport channel client <-> bridge is not really important. I describe why here: https://github.com/mullvad/mullvadvpn-app/issues/2070#issuecomment-687027897
xxyzz
commented
1 year ago SIP022 is not only a new cipher, it is also a new protocol with breaking change to defense against active probes according to this comment and the Detection Prevention section in spec. This should provide better obfuscation and better performance. I assume your servers also use shadowsocks-rust, upgrade both server and client to support the new protocol probably is easier to implement than add support of other protocols like v2ray.
faern
commented
1 year ago Our servers run the C implementation of Shadowsocks.
xxyzz
commented
1 year ago shadowsocks-libev's GitHub page says the project is in bug-fix-only mode and development has moved to the rust project. Even though it's bug fix only it seems the project is already abandoned as it's latest release was in 2020. Migrate to shadowsocks-rust probably is better for both server admin and users since it's in active development and supported by the shadowsocks developers.
ChaoticHolon
commented
1 year ago Yep, it's long past time to migrate everything to shadowsocks-rust. Kind of amazed Mullvad has been using the C implementation all this time.
shadowsocks-rust has supported SIP022 ciphers since v1.15.0. The new ciphers fix the security issues in the previous SIP002 AEAD ciphers and also improve the performance according to the spec. It would be great if Mullvad could support these new ciphers.
I find the talpid-core and ralpid-openvpn enable the
stream-cipherfeature in theirCargo.tomlfiles, this feature is marked as unsafe and deprecated in the shadowsocks-rust's README. Is Mullvad app actually using this feature?