net4people / bbs

Forum for discussing Internet censorship circumvention

self-signed certificate + public key pinning #268

Open APT-ZERO opened 11 months ago

APT-ZERO commented 11 months ago

Hello. Today we can't use a self-signed certificate for *ray because of the MITM attack risk. Even if we accept the risks, we still can't use it, because allowInsecure can't be enabled through the proxy sharelink. In Desktop and Android clients, users must enable allowInsecure for all configs in global settings, which is a huge risk! And in free iOS clients there is no option for it in global settings, and &allowInsecure=1 in configs is ignored!

There is a way to use a self-signed certificate with no security risk, and that is 'self-signed certificate + public key pinning'. We can create a self-signed certificate, get its SHA256 hash and put it in our config!

+ MITM attacks will not be possible.
+ Sharelinks will still be short with a SHA256 hash.
+ No need to buy any domain name.
+ Can use the firewall's SNI whitelist (many users are using VLESS/VMESS with no TLS! They can use this instead).
+ Can use a random SNI for each user. We don't know exactly how the firewall works, so this has a possibility of being beneficial.
+ Has none of the limits of Xray-core's REALITY.
+ ...

Currently this option is not available in any core or client, but if they add it, then no one will want to use allowInsecure.

What do you think about it?
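The pinning check proposed in this post, as an added example that is not part of the original post and not code from Xray-core or any client: it uses Go's standard `crypto/tls` and pins the SHA-256 of the certificate's public key (SubjectPublicKeyInfo). The names `PinOf`, `PinnedConfig` and `SelfSigned` are hypothetical, and the certificate is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// PinOf returns hex(SHA-256(SubjectPublicKeyInfo)), the value a share link would carry.
func PinOf(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// PinnedConfig skips CA and hostname checks but rejects any leaf key that does not hash to pin.
func PinnedConfig(pin, sni string) *tls.Config {
	return &tls.Config{
		ServerName:         sni,  // free to choose: the name is never verified
		InsecureSkipVerify: true, // acceptable only together with VerifyConnection
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) > 0 && PinOf(cs.PeerCertificates[0]) == pin {
				return nil
			}
			return fmt.Errorf("server public key does not match pin %s", pin)
		},
	}
}

func SelfSigned() (*x509.Certificate, error) { // throwaway Ed25519 cert, constructed sample
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if cert, err := SelfSigned(); err == nil {
		fmt.Println("pin:", PinOf(cert))
	}
}
```

`VerifyConnection` is used rather than `VerifyPeerCertificate` because it also runs on resumed sessions, so the pin is enforced on every connection.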

APT-ZERO commented 11 months ago

idk much about cert chains, but maybe it would be possible to use its fingerprint, if there is no security risk in that? If it is possible, then users can change the client's SNI to anything they want with no need to enable allowInsecure and without any risk.

RPRX commented 11 months ago

https://github.com/XTLS/Xray-core/issues/2371#issuecomment-1652146329