Next Stop - Ihcblog!

submitted by
Style Pass
2024-05-12 01:00:03

This article mainly analyzes the currently popular Trojan protocol and proposes a better solution based on the characteristics of current man-in-the-middle (MITM) attacks.

The implementation of this solution is ShadowTLS, for which you can find the complete code and pre-compiled binaries on GitHub.

To hide traffic characteristics, one way is to not expose any features, as with shadowsocks: this type of protocol encrypts the protocol headers for transmission, so no obvious features are observed. The second way is to hide oneself among the crowd, with the simplest method being to masquerade as HTTP or TLS traffic, corresponding to the approaches of simple-obfs and Trojan, respectively.

The first method is now relatively easy to identify: traffic that matches no known protocol but whose timing characteristics look like web traffic can simply be assumed to belong to that class. The second approach has become increasingly mainstream in recent years, with the Trojan protocol being the most widely used (simple-obfs, which just prepends an HTTP header, is too easy to identify and will not be analyzed here).

Trojan aims to encapsulate traffic into normal TLS traffic. Since TLS traffic is encrypted, it’s difficult for a MITM to identify whether the traffic is ordinary web traffic or proxy traffic encapsulated by another layer. To make it more convincing, Trojan also defends against active probing by properly responding when a browser directly accesses the corresponding webpage.
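As an added illustration (not code from this article, nor from the ShadowTLS or Trojan projects), here is the dispatch a Trojan server performs on the first bytes after TLS decryption: a valid proxy request is proxied, anything else is handed to the real web server, which is what lets the server answer a browser or an active probe with an ordinary page. The wire format is taken from the public Trojan spec, which this page does not reproduce; the password, host and payload are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed Trojan wire format (public spec; not shown on this page):
#   hex(SHA224(password)) [56 bytes] CRLF CMD ATYP DST.ADDR DST.PORT CRLF payload
CRLF = b"\r\n"
CMD_NAMES = {0x01: "CONNECT", 0x03: "UDP_ASSOCIATE"}


def trojan_hash(password: str) -> bytes:
    return hashlib.sha224(password.encode()).hexdigest().encode()


def parse_request(data: bytes, password: str):
    """Return ('proxy', info) for a valid Trojan request, else ('fallback', None).
    'fallback' means: forward these bytes untouched to the real web server."""
    if len(data) < 58 or data[56:58] != CRLF:
        return "fallback", None
    # constant-time compare so response timing does not leak partial hash matches
    if not hmac.compare_digest(data[:56], trojan_hash(password)):
        return "fallback", None
    body = data[58:]
    try:
        cmd, atyp = body[0], body[1]
        pos = 2
        if atyp == 0x01:                      # IPv4
            host, pos = str(ipaddress.IPv4Address(body[pos:pos + 4])), pos + 4
        elif atyp == 0x03:                    # domain name, length-prefixed
            n = body[pos]
            host, pos = body[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
        elif atyp == 0x04:                    # IPv6
            host, pos = str(ipaddress.IPv6Address(body[pos:pos + 16])), pos + 16
        else:
            return "fallback", None
        (port,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if body[pos:pos + 2] != CRLF or cmd not in CMD_NAMES:
            return "fallback", None
    except (IndexError, struct.error, UnicodeDecodeError, ValueError):
        return "fallback", None               # malformed: treat like a browser
    return "proxy", {"cmd": CMD_NAMES[cmd], "host": host, "port": port,
                     "payload": body[pos + 2:]}


def build_request(password: str, host: str, port: int, payload: bytes = b"") -> bytes:
    """Constructed client request with a domain-type address (for testing)."""
    addr = bytes([0x03, len(host)]) + host.encode("ascii")
    return (trojan_hash(password) + CRLF + b"\x01" + addr
            + struct.pack("!H", port) + CRLF + payload)
```

A plain HTTP request, a wrong password, or a truncated header all land in the fallback branch, so a prober connecting with a browser sees only the site the server fronts.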
