Shadowsocks

Original author(s): Clowwindy
Initial release: 20 April 2012 [1] [2]
Stable release(s):
  rust: 1.11.2 [3] / 24 July 2021; 28 November 2021; 17 December 2021; 22 March 2022; 5 April 2022; 13 March 2023; 23 September 2023; 26 November 2023
  windows: 4.4.1.0 [4] / 8 February 2022
  android: 5.3.3 [5] / 7 February 2023
  X-NG: 1.10.2 [6] / 29 March 2023
Written in: Python; Rust; C#; Kotlin; Swift; Objective-C; C; Go; C++
Operating system: Unix-like operating system; Microsoft Windows; Android; iOS
Type: communication protocol; free software; Internet censorship circumvention
Website: shadowsocks.org

Shadowsocks is a free and open-source encryption protocol project, widely used in China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named "clowwindy", and multiple implementations of the protocol have been made available since. [7] [8] Shadowsocks is not a proxy on its own; it is typically the client software used to connect to a third-party SOCKS5 proxy. Once connected, Internet traffic can be directed through the proxy. [9] Unlike an SSH tunnel, Shadowsocks can also proxy User Datagram Protocol (UDP) traffic.

Takedown

On 22 August 2015, "clowwindy" announced in a GitHub thread that they had been contacted by the police and could no longer maintain the project. [10] The code of the project was subsequently branched with a removal notice. [11] [12] [13] [14] Three days later, on 25 August, another proxy application, GoAgent, also had its GitHub repository removed. [12] [13] The removal of the projects received media attention, with some speculating about a possible connection between those removals and a distributed-denial-of-service attack targeting GitHub which occurred several days later. [15] Danny O'Brien, from Electronic Frontier Foundation, published a statement on the matter. [16]

Despite the takedown, collaborators have continued developing the project.

Server implementations

The original Python implementation can still be installed using the Pip Python package manager, but the contents of its GitHub repository have been removed. [17] [18] Other server implementations include ones in Go; Rust; C, using the libev event loop library; C++, with a Qt GUI; and Perl. The Go and Perl implementations are not updated regularly and may have been abandoned. [18] [19] [20] [21]

Client implementations

All of the server implementations listed above also support operating in client mode. There are also client-only implementations available for Windows (shadowsocks-win), macOS (ShadowsocksX-NG), Android (shadowsocks-android), and iOS (Wingy). [22] Many clients, including shadowsocks-win and shadowsocks-android, support redirecting all system traffic over Shadowsocks, not just applications that have been explicitly configured to do so, allowing Shadowsocks to be used similarly to a VPN. If an application doesn't support proxy servers, a proxifier can be used to redirect the application to the Shadowsocks client. Some proxifiers, such as Proxycap, support Shadowsocks directly, thus avoiding the need for a Shadowsocks client, but some require a client.

Net::Shadowsocks

Net::Shadowsocks is the name of the Perl implementation of the Shadowsocks protocol client and server, available on CPAN. [23]

ShadowsocksR

ShadowsocksR is a fork of the original Shadowsocks project, claimed to be superior in terms of security and stability. Upon release, it was found to violate the license by not having the source code of the C# client available. [24] It was also criticized for its solution to the alleged security issues in the source project. Shadowsocks is currently under development, while development of ShadowsocksR has stopped. [25]

Similar projects

Shadowsocks is similar to The Tor Project's Pluggable Transport (PT) idea. PT makes it hard for Internet service providers to detect Tor traffic. Both also use a SOCKS proxy interface. Whereas Shadowsocks is simpler, Obfs4 used in PT is more obfuscated. [26] Unlike Obfs4, Shadowsocks is not resistant to active probing. [27] The most similar PT to Shadowsocks is Obfs3.

A more comprehensive framework titled V2Ray adds obfuscation on top of traffic encryption.

References

  1. "发一个自用了一年多的翻墙工具 shadowsocks". Archived from the original on 22 April 2012. Retrieved 15 December 2016.
  2. "Shadowsocks 的前世后生". GFW BLOG. Retrieved 15 December 2016.
  3. "Release 1.11.2".
  4. "Release 4.4.1.0".
  5. "Release v5.3.3 · shadowsocks/shadowsocks-android · GitHub".
  6. "Release v1.10.2 · shadowsocks/ShadowsocksX-NG · GitHub".
  7. clowwindy (20 April 2012). "initial commit". Retrieved 10 June 2016 via GitHub.
  8. "Ports and Clients". Retrieved 10 June 2016 via GitHub.
  9. "Shadowsocks – Protocol". shadowsocks.org. Archived from the original on 4 December 2015. Retrieved 11 January 2018.
  10. clowwindy (22 August 2015). "Adopting iOS 9 network extension points". Archived from the original on 22 August 2015. Retrieved 10 June 2016 via GitHub. Two days ago the police came to me and wanted me to stop working on this. Today they asked me to delete all the code from GitHub. I have no choice but to obey. I hope one day I'll live in a country where I have freedom to write any code I like without fearing.
  11. clowwindy (22 August 2015). "shadowsocks/shadowsocks@938bba3". Retrieved 10 June 2016 via GitHub.
  12. Rudolph, Josh (25 August 2015). "Circumvention Tool Deleted After Police Visit Developer". China Digital Times. Retrieved 10 June 2016.
  13. Percy (26 August 2016). "中国开发者被警察要求删除软件" [Chinese coder ordered to delete software by police] (in Chinese). GreatFire. Retrieved 10 June 2016.
  14. Kan, Michael (30 August 2015). "China intensifies Internet censorship ahead of military parade". PC World. International Data Group. Retrieved 10 June 2016.
  15. Cimpanu, Catalin (29 August 2015). "Recent GitHub DDOS Linked to Chinese Government and Two GitHub Projects". Softpedia. Retrieved 10 June 2016.
  16. O'Brien, Danny (28 August 2015). "Speech that Enables Speech: China Takes Aim at Its Coders". Electronic Frontier Foundation. Retrieved 10 June 2016.
  17. "Shadowsocks". GitHub.
  18. "Shadowsocks Servers". Shadowsocks. Archived from the original on 15 July 2019. Retrieved 11 January 2018.
  19. zhou0 (18 December 2017), shadowsocks-perl: An asynchronous, non-blocking shadowsocks client and server written in Perl, retrieved 11 January 2018
  20. shadowsocks-go: go port of shadowsocks, shadowsocks, 10 January 2018, retrieved 11 January 2018
  21. shadowsocks-rust: A Rust port of shadowsocks, retrieved 12 October 2019
  22. "Shadowsocks - Clients". shadowsocks.org. Archived from the original on 29 June 2019. Retrieved 11 January 2018.
  23. "Net::Shadowsocks - the asynchronous, non-blocking shadowsocks client and server". Archived from the original on 7 April 2017. Retrieved 6 April 2017 via CPAN.
  24. clowwindy (18 August 2015). "AppData & temp & 当前目录" (in Chinese). Retrieved 10 June 2016 via GitHub.
  25. "Long-term Shadowsocks Plan: ShadowsocksR versus Shadowsocks2 · Issue #501 · StreisandEffect/Streisand". GitHub.
  26. "The Random Forest based Detection of Shadowsock's Traffic" (PDF). Archived from the original (PDF) on 26 December 2019.
  27. "How China Detects and Blocks Shadowsocks · Issue #22 · net4people/BBS". GitHub.