Impact
Medium
Details
Due to the absence of an IV filter in our Shadowsocks client implementation, shadowsocks-windows is subject to replay attacks that could potentially be used to identify the existence of the Shadowsocks client or server.
Lack of replay protection on the client side is not as severe as it is on the server side. But we still consider it a basic requirement for Shadowsocks client implementations.
Related Information
Affected Versions
All versions.
Resolution
We advise that users switch to implementations with an IV filter in place, such as shadowsocks-rust, and go-shadowsocks2. V2ray, Xray, and clash are known to not have the necessary protection, and therefore should not be used to interact directly with a Shadowsocks server.
Since we can barely keep up with what we've planned for version 5, we are considering switching to shadowsocks-rust as the default backend in our next major release. Shadowsocks-rust is being actively maintained, and has been used by shadowsocks-android as the backend since last year. I have recently done some benchmarks on several client implementations, and the results show good performance with shadowsocks-rust that we could've never reached on .NET.
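A minimal sketch of the kind of IV (salt) filter the Details section refers to, added here as an illustration and not taken from shadowsocks-windows, shadowsocks-rust or go-shadowsocks2. The names `SaltFilter`, `CheckAndAdd` and `AcceptStream`, the 32-byte salt length and the two-generation exact-set design are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrReplay = errors.New("repeated salt/IV: possible replay")
// SaltFilter keeps two bounded generations of seen salts (exact sets here,
// an assumption for clarity; a Bloom filter could replace the maps).
type SaltFilter struct {
	mu        sync.Mutex
	capacity  int
	cur, prev map[string]bool
}

func NewSaltFilter(capacity int) *SaltFilter {
	return &SaltFilter{capacity: capacity, cur: map[string]bool{}, prev: map[string]bool{}}
}

// CheckAndAdd records salt and reports true if fresh, false if seen before.
func (f *SaltFilter) CheckAndAdd(salt []byte) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	key := string(salt)
	if f.cur[key] || f.prev[key] {
		return false
	}
	if len(f.cur) >= f.capacity { // rotate: the oldest generation is forgotten
		f.prev, f.cur = f.cur, map[string]bool{}
	}
	f.cur[key] = true
	return true
}

// AcceptStream checks the leading salt before any decryption is attempted.
func AcceptStream(f *SaltFilter, stream []byte, saltLen int) error {
	if len(stream) < saltLen {
		return errors.New("stream shorter than salt")
	}
	if !f.CheckAndAdd(stream[:saltLen]) {
		return ErrReplay
	}
	return nil
}

func main() {
	f, s := NewSaltFilter(1024), make([]byte, 48) // constructed all-zero sample stream
	fmt.Println(AcceptStream(f, s, 32), AcceptStream(f, s, 32))
}
```

Salts older than two generations are forgotten, so the capacity bounds how far back a repeated salt is still caught.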