Stop using insecure ciphers for bridges #2070
Comments
The connection between the client machine and our bridges does not really have to be secure in that sense. Their intention is not to provide encryption but rather obfuscation. Everything we send to the bridge is also wrapped inside OpenVPN, which we trust. So we should not even have to trust the bridges; that's part of the design. We could very well just apply XOR to every byte sent to the bridges, if it worked for getting around firewalls and other types of blocks that prevent users from talking directly to the OpenVPN servers. Our bridge servers support more ciphers. So we can investigate whether or not we should enable them in the app. But it's really not important.
I still think it is a bad idea for the app to use a deprecated cipher, especially when shadowsocks users are recommended against using it. It's probable the chacha20 code is not even actively maintained. Considering the app and service is privacy/security focused, this should be considered a defense-in-depth measure even if it may not be immediately vulnerable to some attacks. Also, what other ciphers do the bridges support? I tried connecting using chacha20-ietf-poly1305 and aes-256-gcm using shadowsocks but both failed to connect.
All our bridges should allow the following cipher and port combinations:
All ports except 443 should allow both UDP and TCP. 443 is limited to TCP only.
TCP 443 is the most likely to work, from an anti-censorship point of view. So the app uses that. But that server only allows chacha20 at the moment. This might change in the future.
Thanks @faern. Please do think about allowing only chacha20-ietf-poly1305 and aes-256-gcm as ciphers for the bridges. Links below to a published decryption attack POC on shadowsocks stream ciphers. I don't know if this particular attack is devastating for the way shadowsocks is used here, but it is worth reading to make sure. Either way, I see very little downside to using only AEAD ciphers for a more secure change. https://github.com/edwardz246003/shadowsocks
@faern Many shadowsocks implementations, including the Rust implementation, have now deprecated or completely removed insecure stream cipher support. It would be prudent to switch to using the more secure AEAD ciphers.
Since the latest versions of shadowsocks no longer support
Bridges are using chacha20 stream cipher which is insecure and vulnerable to decryption attacks when using shadowsocks.
It is recommended to use AEAD ciphers such as chacha20-ietf-poly1305 or aes-256-gcm instead.
https://shadowsocks.org/en/spec/Stream-Ciphers
shadowsocks/shadowsocks-org#36
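As an added illustration of the property the thread is arguing about (this is example code, not from this issue, from Mullvad's app, or from any shadowsocks implementation): an unauthenticated stream cipher turns ciphertext into plaintext by XOR alone, so any byte changed in transit silently changes the decrypted byte, while an AEAD construction carries a tag and the receiver rejects the whole message instead. The keystream below is a constructed SHA-256 counter-mode stand-in for chacha20, the encrypt-then-MAC wrapper stands in for a real AEAD such as chacha20-ietf-poly1305 or aes-256-gcm, and the helper names (`flip_byte`, `compare`) and sample key, nonce and message are all assumptions made for the demo.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of authentication tag appended by the AEAD-style wrapper


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over (key, nonce, counter).

    Constructed stand-in for a real stream cipher such as chacha20. It only
    reproduces the structural property under discussion (plaintext XOR
    keystream) and must not be used as an actual cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Unauthenticated stream encryption: ciphertext = plaintext XOR keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR is its own inverse, so decryption is the same operation.
stream_decrypt = stream_encrypt


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one shared key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: same stream cipher plus an HMAC tag over nonce || ct.

    Stands in for a real AEAD mode; the tag is what makes modification
    detectable at the receiver.
    """
    enc_key, mac_key = _subkeys(key)
    ct = stream_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def aead_decrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    if len(data) < TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return stream_decrypt(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """Copy of data with one byte XORed by mask (simulates an in-transit change)."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def compare(key: bytes, nonce: bytes, plaintext: bytes, index: int, mask: int) -> dict:
    """Apply the same one-byte change to both ciphertexts and report what each
    receiver ends up with: a silently altered plaintext vs. a rejected message."""
    ct = stream_encrypt(key, nonce, plaintext)
    stream_result = stream_decrypt(key, nonce, flip_byte(ct, index, mask))

    sealed = aead_encrypt(key, nonce, plaintext)
    try:
        aead_result = aead_decrypt(key, nonce, flip_byte(sealed, index, mask))
    except ValueError as exc:
        aead_result = str(exc)
    return {"stream": stream_result, "aead": aead_result}


if __name__ == "__main__":
    # Constructed sample values; a real deployment uses random keys and nonces.
    key = bytes(range(32))
    nonce = b"\x00" * 12
    # Flipping bit 0x20 of the first ciphertext byte changes "G" to "g" in the
    # stream-cipher case; the AEAD receiver raises instead of returning anything.
    print(compare(key, nonce, b"GET /index.html", 0, 0x20))
```

This is the defense-in-depth point made in the thread: even when the bridge hop is meant as obfuscation and OpenVPN inside it carries the real security, an authenticated cipher means the bridge cannot be handed altered traffic without noticing, and it removes a whole class of decryption-oracle and manipulation issues that stream ciphers in shadowsocks were criticised for.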