[FR] add custom domain and tls frag instead of direct download subscription #1435

Open
ytpk opened this issue Oct 24, 2024 · 1 comment

ytpk commented Oct 24, 2024

Feature description

Dear Hiddify Development Team,

  1. Explanation of Domain Blocking in Turkmenistan:

In Turkmenistan, internet censorship is extremely strict, with the government employing aggressive measures to block access to various online services and content. The situation includes:

- Frequent Domain Blocking: Domains are often and unpredictably blocked, making it challenging for users to maintain consistent access through traditional means.
- IP Address Cycling: Static IP addresses, even those associated with major providers like Google, are cyclically banned. This instability renders reliance on static IPs ineffective.
- SNI-Based Filtering: The government actively analyzes TLS handshakes to intercept the Server Name Indication (SNI), leading to the blocking of connections based on the SNI value.
- DNS Interception: DNS queries are intercepted and manipulated, rendering traditional DNS-based circumvention methods ineffective.

These aggressive tactics necessitate more advanced and adaptable solutions to help users bypass censorship and access the open internet.

  2. Proposal to Add Custom Address Binding for Subscriptions:

I propose adding the ability to bind a custom address to the subscription link. This could be implemented in a format similar to:

https://sublink.com/sub/blahblah#address=exampledomain.com&fragmentation=fragmentationParams

Details:

- Custom Address (address): Allows users to specify a dynamic domain name instead of a static IP address. This is crucial because static IPs are frequently blocked, whereas dynamic domains can offer more resilience.
- Fragmentation Parameters (fragmentation): Enables users to include parameters that control how TLS ClientHello fragmentation is applied, similar to the capabilities in Xray.

Benefits:

- Enhanced Flexibility: Users can easily update the domain used for subscriptions without changing the actual subscription link.
- Improved Bypass Capabilities: Dynamic domains are less likely to be blocked, and fragmentation adds an additional layer of obfuscation.
- Ease of Use: This approach simplifies the configuration process for users in heavily censored regions.

  3. Proposal to Add TLS ClientHello Fragmentation to Subscription Links:

Currently, Hiddify employs DNS fragmentation as a method to bypass censorship. I suggest extending this capability by adding TLS ClientHello fragmentation, particularly for subscription links. This enhancement would:

- Obfuscate SNI Information: Fragmenting the TLS ClientHello message can prevent censors from detecting the SNI, which is a common method used to block access.
- Bypass Deep Packet Inspection (DPI): Fragmentation can help evade detection by DPI systems that analyze packet patterns to enforce censorship.
- Integrate Seamlessly: Including the fragmentation parameters in the subscription link allows the client applications to automatically apply these settings without additional user configuration.

Implementation Example:

https://sublink.com/sub/blahblah#address=exampledomain.com&fragmentation=fragmentationParams

- fragmentationParams: Specifies the parameters for TLS ClientHello fragmentation, which could be designed to be compatible with existing clients like Xray.

  4. Explanation of How This Helps in the Fight Against Censorship:

Implementing these features would significantly enhance the ability of users in Turkmenistan (and similar heavily censored environments) to access the internet:

- Reduces the Need for Constant Domain Changes: By utilizing dynamic domains and domain fronting techniques, users can avoid the impractical and costly cycle of frequently purchasing new domains or relying on static IPs that are quickly blocked.
- Circumvents SNI-Based Blocking: TLS ClientHello fragmentation obscures the SNI, making it more difficult for censors to identify and block secure connections based on the destination server name.
- Mitigates DNS Interception: By allowing the use of custom addresses and fragmentation, users can bypass DNS-based censorship methods, as connections can be established without relying on standard DNS resolutions that are often intercepted.
- Enhances Connection Stability: These methods have proven effective even in countries with advanced censorship systems, like China, suggesting they can offer more stable and reliable access in Turkmenistan.
- Empowers Users Against Aggressive Censorship: Providing these tools helps level the playing field, giving users practical means to exercise their right to access information despite governmental restrictions.

Conclusion:

The ongoing "cat-and-mouse" game with totalitarian censorship should not reach absurd levels, where users and service providers are forced into a constant cycle of domain purchases and workarounds that only offer temporary relief. By implementing these proposals:

- Fundamental Solution: Address the core issues with more robust and adaptable methods rather than temporary fixes.
- User-Friendly Approach: Simplify the process for end-users who may not have the technical expertise to navigate complex configurations.
- Global Impact: While focused on Turkmenistan, these enhancements can benefit users in other regions facing similar censorship challenges.

I appreciate your consideration of this feature request. Together, we can help users in censored regions regain access to the open internet and exercise their fundamental rights to information and expression.

If you have any questions or require further clarification, please feel free to reach out.

Thank you for your time
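
A client-side parser for the link format proposed in the request above, added here as an example; it is not code from Hiddify or from the issue author. The URL fragment is never sent in the HTTP request, so these options exist only on the client and arrive as untrusted input. The names `SubOptions`, `ParseSubLink` and `allowed` are hypothetical, and since the issue does not define the `fragmentation` value, it is treated as an opaque token with an assumed character set.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// SubOptions is the validated result of parsing a subscription link.
type SubOptions struct {
	FetchURL      string // link with the fragment removed; this is what gets requested
	Address       string // optional connect-to host taken from "address="
	Fragmentation string // optional opaque value taken from "fragmentation="
}

// allowed maps each accepted fragment key to the pattern its value must match.
var allowed = map[string]*regexp.Regexp{
	"address":       regexp.MustCompile(`(?i)^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`),
	"fragmentation": regexp.MustCompile(`^[A-Za-z0-9,_-]{1,64}$`), // assumed charset
}

// ParseSubLink rejects anything but an https link whose fragment carries known, well-formed options.
func ParseSubLink(raw string) (*SubOptions, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return nil, errors.New("subscription link must be an https URL without userinfo")
	}
	opts, err := url.ParseQuery(u.EscapedFragment())
	if err != nil {
		return nil, err
	}
	for key, vals := range opts {
		re, known := allowed[key]
		if !known || len(vals) != 1 || len(vals[0]) > 253 || !re.MatchString(vals[0]) {
			return nil, fmt.Errorf("rejected fragment option %q", key)
		}
	}
	u.Fragment, u.RawFragment = "", "" // options stay local; only the bare link is fetched
	return &SubOptions{u.String(), strings.ToLower(opts.Get("address")), opts.Get("fragmentation")}, nil
}

func main() {
	o, err := ParseSubLink("https://sublink.com/sub/blahblah#address=exampledomain.com&fragmentation=fragmentationParams")
	fmt.Println(o, err)
}
```

The address pattern accepts only a bare DNS name, so IP literals, ports, paths and repeated or unknown keys are refused rather than passed on to the connection layer.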

@titancomputer

PR welcomed
