Jigsaw-Code/Intra

Important suggestions to make Intra censorship-resistant

Amin2460 opened this issue · 2 comments

Hi. This app works like a charm in countries with extreme censorship like Iran. Why? Because it splits the CLIENT HELLO and uses DoH. This combination works great, unless the IP address is directly blocked, not just the hostname.

Now, this method doesn't work for all ISPs in Iran. Since Intra splits the CLIENT HELLO (this is probably the case, because other DoH clients on Android are able to ping blocked hostnames but aren't able to access them, because the SNI is visible to the censorship system and the speed is throttled), some ISPs in Iran have started throttling connections that have a fragmented (split) client hello. This means the speed will be heavily throttled when using Intra.

Also, there's the issue of the TLS FINGERPRINT. You can solve it with utls.

What you can do to fix:
1: implement utls.

It should be very easy to do so.

2: look into the XRAY CORE-REALITY protocol.

It steals the TLS certificate of well known popular websites that can't be blocked, this way you don't need to split the client hello, you can fool the censorship system into believing that you're accessing a legitimate famous website, not a blocked hostname.

But I'd say, if you look into the REALITY protocol and implement it, don't remove the CLIENT HELLO splitting feature. Let users decide which technique they want to use, in the settings.

Don't forget that this will be very useful for Iranians or any other nations who are living under oppression and media censorship. Help them out.
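The post above rests on how ClientHello splitting interacts with a censor that inspects the first TCP segment. The block below is an added illustration written for this page; it is not Intra's code (Intra is a Go project, which is why Go is used here). It builds a minimal TLS ClientHello with one server_name (SNI) extension following the RFC 5246/8446 layout, models a DPI box that parses a single TCP segment in isolation, and shows the two outcomes the post describes: unsplit, the hostname is readable from the first segment; split, the first segment is only a fragment of the record, so the SNI is hidden, but the fragment itself is an observable signal. The sample hostname, the cut offset of 40 bytes, and the idea that a censor keys throttling on an incomplete first record are assumptions for illustration, not documented ISP behaviour.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

func u16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }
// buildClientHello constructs a minimal TLS ClientHello record carrying one
// server_name (SNI) extension. Constructed sample data, not captured traffic.
func buildClientHello(sni string) []byte {
	name := []byte(sni)
	list := append([]byte{0x00}, u16(len(name))...) // name_type host_name, name length
	list = append(list, name...)
	exts := append(u16(0x0000), u16(len(list)+2)...)       // extension type server_name, length
	exts = append(append(exts, u16(len(list))...), list...) // server_name_list
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // client_version, random (zero here)
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00) // session_id, one cipher suite, null compression
	body = append(append(body, u16(len(exts))...), exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...) // client_hello
	rec := append([]byte{0x16, 0x03, 0x01}, u16(len(hs))...)                                            // handshake record
	return append(rec, hs...)
}

// cursor is a bounds-checked reader: an underflow sets err instead of panicking.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err == nil && (n < 0 || len(c.b) < n) {
		c.err = errors.New("truncated ClientHello")
	}
	if c.err != nil {
		return nil
	}
	out := c.b[:n]
	c.b = c.b[n:]
	return out
}

func (c *cursor) num(width int) (v int) { // big-endian unsigned integer of width bytes
	for _, x := range c.take(width) {
		v = v<<8 | int(x)
	}
	return v
}

// sniFromSegment models a DPI box that inspects one TCP segment in isolation.
// partial is true when the segment begins a TLS record it does not finish.
func sniFromSegment(seg []byte) (sni string, partial bool, err error) {
	if len(seg) < 5 || seg[0] != 0x16 {
		return "", false, errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(seg[3:5]))
	if len(seg) < 5+recLen {
		return "", true, nil // the rest of the record is in a later segment
	}
	c := &cursor{b: seg[5 : 5+recLen]}
	if c.num(1) != 0x01 {
		return "", false, errors.New("not a ClientHello")
	}
	c.take(3 + 2 + 32)     // handshake length, client_version, random
	c.take(c.num(1))       // session_id
	c.take(c.num(2))       // cipher_suites
	c.take(c.num(1))       // compression_methods
	c.b = c.take(c.num(2)) // keep only the extensions block
	for c.err == nil && len(c.b) > 0 {
		typ := c.num(2)
		data := &cursor{b: c.take(c.num(2))}
		if typ == 0x0000 && c.err == nil {
			data.take(3) // server_name_list length, name_type host_name
			name := data.take(data.num(2))
			return string(name), false, data.err
		}
	}
	if c.err == nil {
		c.err = errors.New("no SNI extension")
	}
	return "", false, c.err
}

// splitClientHello returns the two TCP payloads a splitting client writes, cut at byte offset at.
func splitClientHello(rec []byte, at int) [][]byte {
	if at <= 0 || at >= len(rec) {
		return [][]byte{rec}
	}
	return [][]byte{rec[:at], rec[at:]}
}

func main() {
	rec := buildClientHello("blocked.example") // hypothetical hostname
	for _, segs := range [][][]byte{{rec}, splitClientHello(rec, 40)} {
		sni, partial, err := sniFromSegment(segs[0])
		fmt.Printf("segments=%d first=%dB sni=%q partial=%v err=%v\n", len(segs), len(segs[0]), sni, partial, err)
	}
}
```

Run as a program, the first line shows the unsplit case (sni="blocked.example", partial=false), the second the split case (sni="", partial=true). The second result is the point of the post: a box that only reads the first segment cannot see the hostname, but a box that notices a first segment whose TLS record header promises more bytes than the segment carries has a cheap signal for "fragmented ClientHello", which is a plausible way to implement the throttling the post reports. A censor that reassembles the TCP stream before parsing defeats the split entirely, which is why the post treats splitting as one option among several rather than a complete answer.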

Hi @Amin2460. This app is currently short-staffed, but if you'd like to contribute uTLS integration please feel free. Note that uTLS integration would only help with usage of DoH servers that are not blocked by SNI.

I don't think this is feasible: the REALITY protocol requires specific software to be running on the server and configured; if it is not configured, a TLS connection can't be created and DoH will not work. I think the major DoH servers don't have the specific software installed to support the REALITY protocol. Maybe changing the SSL client fingerprint and allowing users to disable SNI is a better choice.