[PR #283] [MERGED] Pad the first 5 frames to mitigate encapsulated TLS handshakes detection #304

New issue

Closed

opened 2026-02-26 12:34:33 +03:00 by kerem · 0 comments

kerem commented

2026-02-26 12:34:33 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cbeuw/Cloak/pull/283
Author: @cbeuw
Created: 10/1/2024
Status: ✅ Merged
Merged: 10/3/2024
Merged by: @cbeuw

Base: master ← Head: padding

📝 Commits (2)

5cf975f Pad the first 5 frames
8bbc7b0 Fix tests

📊 Changes

3 files changed (+31 additions, -51 deletions)

View changed files

📝 internal/multiplex/obfs.go (+29 -37)
📝 internal/multiplex/obfs_test.go (+1 -13)
📝 internal/multiplex/session.go (+1 -1)

📄 Description

Xue et al. pointed out the problem of encapsulated TLS handshakes in Fingerprinting Obfuscated Proxy Traffic
with Encapsulated TLS Handshakes, whereby censors can look at the size and direction of the first few TCP packets to detect whether a TLS-in-TLS handshake is happening, indicating proxied TLS traffic. We pad the first few frames on a stream opening (up to 239 bytes) to mitigate this.

Yet, we show that simple random padding schemes
drawing padding sizes from limited ranges (e.g., vmess: [0,
63]), while increasing the challenge, doesn’t render detec-
tion infeasible (TPR: 0.859 → 0.687 for vmess-ws-tls after
padding).

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cbeuw/Cloak/pull/283 **Author:** [@cbeuw](https://github.com/cbeuw) **Created:** 10/1/2024 **Status:** ✅ Merged **Merged:** 10/3/2024 **Merged by:** [@cbeuw](https://github.com/cbeuw) **Base:** `master` ← **Head:** `padding` --- ### 📝 Commits (2) - [`5cf975f`](https://github.com/cbeuw/Cloak/commit/5cf975f596b525dd3f9d85f036ab9453c35861ca) Pad the first 5 frames - [`8bbc7b0`](https://github.com/cbeuw/Cloak/commit/8bbc7b08d3761db18298a5e0662ee264285ba4ee) Fix tests ### 📊 Changes **3 files changed** (+31 additions, -51 deletions) <details> <summary>View changed files</summary> 📝 `internal/multiplex/obfs.go` (+29 -37) 📝 `internal/multiplex/obfs_test.go` (+1 -13) 📝 `internal/multiplex/session.go` (+1 -1) </details> ### 📄 Description Xue et al. pointed out the problem of encapsulated TLS handshakes in [Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes](https://www.usenix.org/system/files/usenixsecurity24-xue-fingerprinting.pdf), whereby censors can look at the size and direction of the first few TCP packets to detect whether a TLS-in-TLS handshake is happening, indicating proxied TLS traffic. We pad the first few frames on a stream opening (up to 239 bytes) to mitigate this. > Yet, we show that simple random padding schemes drawing padding sizes from limited ranges (e.g., vmess: [0, 63]), while increasing the challenge, doesn’t render detec- tion infeasible (TPR: 0.859 → 0.687 for vmess-ws-tls after padding). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>