2020-frolov-httpt
findings extracted from this paper
- The GFW was observed detecting Shadowsocks servers by sending follow-up active probes after an initial Shadowsocks-sized client message, including permuted replays of the client's message and random-data probes of various sizes up to and exceeding Shadowsocks' unique 50-byte data limit. This defeats shadowsocks-libev's replay cache because the GFW permutes the replayed bytes rather than resending them verbatim.
- Censys scans of IPv4 HTTPS servers in June 2020 found that over 21% responded to a GET / with 400 Bad Request, 11.19% with 403 Forbidden, 8.62% with 404 Not Found, and 2.91% with 401 Unauthorized. These common error-response distributions provide a statistical baseline that HTTPT servers can match to avoid standing out to active probers.
- HTTPT prototype performance is comparable to Shadowsocks: median Time-to-First-Byte was 612 ms for Shadowsocks, 844 ms for HTTPT (TLS 1.3, +1 RTT), and 1085 ms for HTTPT (TLS 1.2, +2 RTTs). Bandwidth overhead was approximately 2%: median time to fetch a 100 MB file was 24.65 s for Shadowsocks vs. 25.15 s for HTTPT.
- HTTPT achieves replay-attack immunity by tunneling over TLS, which incorporates bidirectional nonces (client and server randoms) into key agreement so each connection uses unique cryptographic keys. Censors that replay a legitimate client's observed initial bytes are therefore unable to trigger a proxy response, unlike approaches that rely only on application-layer replay caches.
- Frolov et al. (2020) found that over 94% of Internet servers respond with data to at least one popular protocol probe, making probe-resistant proxies that remain entirely silent statistically anomalous. Censors can further fingerprint silent proxies by their unique timeout or data-limit behaviors before connection close (e.g., Lampshade closes immediately after 256 bytes of unrecognized data, or waits exactly 90 seconds before timing out).
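An added example (not from the paper or either project) contrasting the replay-cache finding with the TLS-nonce finding above: a shadowsocks-libev-style cache that rejects only byte-identical replays, beside a simplified TLS-style exchange in which a server-chosen nonce binds every session key, so a replayed transcript cannot pass. The 50-byte sample message, the PSK, and the HMAC-based key derivation are constructed stand-ins, not Shadowsocks' or HTTPT's real code.

```python
import hashlib, hmac, os, random

CLIENT_MSG = bytes(range(50))              # constructed 50-byte client first message
PSK = b"constructed-shared-secret"         # stands in for the proxy credential

def cache_accepts(seen: set, first_bytes: bytes) -> bool:
    """shadowsocks-libev-style replay cache: rejects only byte-identical replays."""
    digest = hashlib.sha256(first_bytes).digest()
    if digest in seen:
        return False
    seen.add(digest)
    return True

def permute(msg: bytes, seed: int = 1) -> bytes:
    """Reorder captured bytes, as the permuted replay probes in the paper do."""
    buf = bytearray(msg)
    random.Random(seed).shuffle(buf)
    return bytes(buf)

def replay_cache_outcomes(client_msg: bytes = CLIENT_MSG):
    """Returns (verbatim replay accepted?, permuted replay accepted?)."""
    seen = set()
    cache_accepts(seen, client_msg)        # legitimate client connects first
    return cache_accepts(seen, client_msg), cache_accepts(seen, permute(client_msg))

def finished(client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS key schedule plus Finished MAC: both nonces bind the key."""
    key = hmac.new(PSK, client_random + server_random, hashlib.sha256).digest()
    return hmac.new(key, b"finished", hashlib.sha256).digest()

def server_accepts(client_random: bytes, respond) -> bool:
    """Server contributes a fresh nonce; the peer must answer with the matching MAC."""
    server_random = os.urandom(32)
    expected = finished(client_random, server_random)
    return hmac.compare_digest(respond(server_random), expected)

def tls_outcomes():
    """Returns (legitimate client accepted?, replayed transcript accepted?)."""
    client_random = os.urandom(32)
    transcript = []
    def real_client(server_random):        # holds the PSK, so adapts to the new nonce
        transcript.append(finished(client_random, server_random))
        return transcript[-1]
    legit = server_accepts(client_random, real_client)
    replay = server_accepts(client_random, lambda _sr: transcript[0])  # replays bytes seen
    return legit, replay
```

The cache lets the permuted replay through (the second value is True), while the nonce-bound exchange rejects even a verbatim replay of a real client's transcript.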