Proton announces release of a new VPN protocol, "Stealth" (opens in new tab)

https://www.bbc.com/news/world-europe-51467536.amp

wil4211y ago

How do we know this isn’t another CIA/Swiss front? Just like Crypto AG.

Some of us also remember Hushmail.

https://www.wired.com/2007/11/encrypted-e-mai/

4 more replies

ranger_danger1y ago

There is an unanswered bug report from March that suggests Stealth is not working in Russia:

https://github.com/ProtonVPN/android-app/issues/130

devwastaken1y ago

Protonvpn logged ips at the request of the Swiss government on behalf of the French government as a political favor.

https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-...

Protonvpn does log data and does hand it over. It doesn't matter if they "had to" (they can fight) You can't put the genie back in the bottle.

ljm1y ago

If you're getting into that kind of paranoia, you might as well just buy burner laptops that use burner 5G SIMs, and go fully stateless.

Considering you, as a person, are stateful, the strategy will inevitably fail and you'll be caught.

This is how people seeking privacy after doing bad things got found out. People were tracing patterns of behaviour long before there was an internet that produced access logs.

some people are paid to be the overly paranoid person in the room professionally, for budget and leadership to dial their models against. notice i put the security and adversary modeling at the top.

OutOfHere1y ago

Proton has multiple services, and the data retention of one service may have little to do with another. In particular, any data retention for their VPN service is going to be very different from say email for obvious reasons. Even for email, afaik, it was the recovery email address that gave access to the data in the account.

What's a better VPN service anyway? Mullvad? I see Proton's stealth feature as being valuable.

Disclaimer: I have no conflict of interest whatsoever with Proton other than being a free user.

lovethevoid1y ago

PrivacyGuides (not affiliated with them, just find it a useful resource), highlights Proton, Mullvad, and iVPN as reputable depending on your use. They state Proton does not support ipv6 yet, Mullvad removed remote port forwarding, and iVPN the same.

The recommendation the person you're responding to (PIA and Cryptostorm), is very untrustworthy and doesn't even match the minimum criteria from PrivacyGuides.

llmblockchain1y ago

It depends on your threat model. If your threat includes three letter agencies and nation states then you're right-- don't use Proton. However, 99.9% of people don't have that threat model. In that case, Proton is better than most other providers out there (for email, vpn, etc).

jtriangle1y ago

I would hazard to say if that's your threat model, you're better off not using the internet in general. VPN provider won't really matter ultimately, there's a hundred things on either side of that tunnel that you have to take care of.

walterbell1y ago

> Pay a homeless man to colocate a physical server

So many questions about that server provisioning workflow :)

DRAC and luks, the homeless man enters a consultancy agreement to subcontract as a legal entity and is fairly compensated to use their services of being the authorized agent of your provisioning wing of your entity. as authorized agent, they simply agree with the datacenter that when an authorized physical server arrives it is added to a rack. when your entity structure needs to decommission a machine you use DRAC to destroy data at rest with a 70 hour dban series power it down and have the data center mail it to whoever buys it on ebay.

whartung1y ago

Is the hardware run on solar charged batteries, or does it recharge through plugging into coffee shop outlets. Is the network leeched from Starbucks, through a cell modem?

https://arstechnica.com/information-technology/2021/09/priva...

mnsc1y ago

Pretty straightforward with biceps.

blackeyeblitzar1y ago

I don’t understand your allegations against Proton VPN. They give data to federal agencies and they keep user data? When did they do that? Can you share any evidence of this?

3np1y ago

I think they're referring to ProtonMail, not ProtonVPN. Same company, same difference. What makes you believe that they would play one service so significantly differently than the other?

yegle1y ago

A flaw in your argument: a VPN protocol that emulates the traffic pattern of an HTTPS connection is not the same as a TLS VPN.

o9991y ago

PIA is associated with Kape technologies, a company founded by an Ex-Mossad agent that acquired many VPN companies.

codedokode1y ago

Instead of choosing a company to trust, I would prefer that everybody implemented ECH (Encrypted Client Hello) and there would be almost no data to collect. Why Cloudflare seems to be the only one who implements it?

ranger_danger1y ago

China blocks TLS 1.3 entirely.

dartharva1y ago

At that level of paranoia you're probably better off just airgapping your network away from the internet and only transfer data using physical drives.

we were speaking about modeling for vpn systems, wait for a thread about air gapped networks to be fascinating enough and for me to stumble across it for me to give a wildly inappropriate but technically correct though complex and subjective answer.

however there is a significant issue with using hard drives to transfer data in airgapped networks without proper f-caging, optical transfer of data via taking a video of rapidly flashing QR codes is fairly secure when under enough blankets, but mylar shielding of walls and windows may be required depending on the adversary model.

coldblues1y ago

Proton does not care anymore. Maybe they never did? Their new wallet wholeheartedly cements any skepticism I've had previously about them.

realfeel781y ago

Elaborate on this?

TheAmazingRace1y ago

Agreed. To that end, I wonder what the current prevailing recommendation is for a top tier VPN? Or should we roll our own using a VPS and Wireguard?

nouryqt1y ago

I trust Mullvad, or more like I haven't found a reason to not trust them yet. I buy the activation cards on Amazon for convenience and as far as I can tell the individual scratch off activation code you activate on their site with your account number cannot be traced back to you.

A small note to do your own research on:

Wireguard sets up an IPV4 based internal network and the machine responsible for the routing MUST know the client IP that was assigned to the connecting machine. There are some kernel modules to OBFUSCATE but not eliminate this data. Wireguard therefore has a fundamental design flaw that makes it faster but potentially less anonymous than OpenVPN protocol.

DYOR and YMMV. I always disable WG for at least my first hop.

3 more replies

obelus1y ago

What are your sources here? Aside from Proton VPN being no-logs already being proved in court, Proton has third-party audits to back up their no logs claims: https://protonvpn.com/blog/no-logs-audit

alfalfasprout1y ago

They haven't cited any and likely can't. As an end user at the end of the day I care about real-world track record. Proton has not been able to comply to real-world requests over several years.

While theoretically there may be more secure approaches you may also be introducing new dangers as well. Eg; paying for a VPS with an anonymous coin doesn't mean your VPS provider can't deanonymize you or comply with a warrant. You need to make sure every single link in the chain is foolproof. That's way more error prone.

IMO a proven legal track record is in a way more valuable than unproven theoretical flaws (if you can even call them that).

WhatsName1y ago

> Without going into too much detail, Stealth also establishes VPN connections in a specific and unique way that avoids alerting internet filters.

I began mistrusting Proton some time ago with their hit piece on RAM-only VPN server confirming my bias.

Let's assume any adversary interested in reversing that new protocol, what's the point of not being transparent on how this new and fancy obfuscation works.

The TOR project has a lot of innovation in censorship circumvention[1] while still being transparent to their userbase.

[1] https://snowflake.torproject.org/

rasengan1y ago

> With Stealth enabled, your Proton VPN connection will be almost completely undetectable.

In their defense, they're basically saying this doesn't do anything since it's still detectable.

tuetuopay1y ago

It will be interesting how robust this new protocol is against traffic pattern analysis. A regular HTTPS connection has different patterns over time than a VPN, mainly because it carries only HTTPS and not all of the machine’s traffic; and only for a specific "website" (simplification here) instead of bundling the whole web to a "single server". The latter may be easier to evade, but the former will be hard.

Anyways kudos to them, and I can’t wait to see how it fares against China’s GFW.

elisbce1y ago

Unfortunately it's not gonna work. The GFW periodically disturbs/resets any persistent or large-enough traffic to IPs outside of China and bans them. That's why even if you have the best obfuscation protocol (like setting up your own server outside with truly indistinguishable traffic like a normal HTTPS), you still cannot have stable connections with large traffic. The current reliable ways of evading GFW are using IPs inside China via non-GFW controlled IEPL connections. These are loopholes deliberately left by GFW in order for certain legit use cases to bypass them (like research / big international corps etc.)

iforgotpassword1y ago

Might depend on provider? I have a single endpoint and no such issues. Transferring multiple GBs on some days. I'm using a custom protocol though that's basically udp but with the tcp protocol number in the ip next protocol field. I'm simply ignoring any injected rst packets etc.

codedokode1y ago

Can VPN providers rotate used IPs faster than they are blocked or it is too expensive?

How much is "large", ballpark?

[2] https://xtls.github.io/en/development/protocols/vless.html

pzmarzly1y ago

Is there a good comparison of "undetectable" VPN protocols? Wireguard[0], Shadowsocks[1], VLess[2], VMess[3], Trojan[4], etc. All of them seemed to work for me during my recent trip to China.

[0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

[1] https://shadowsocks.org

[3] https://xtls.github.io/en/development/protocols/vmess.html

[4] https://trojan-gfw.github.io/trojan/protocol

kelnos1y ago

> All of them seemed to work for me during my recent trip to China.

Depending on how you were connecting, your traffic may have been explicitly allowed. If you were connecting via your cell phone, using roaming with your home SIM card, you're not subject to the Great Firewall (all your data was essentially VPNed through your wireless carrier's PoP already). And IIRC many larger hotel chains that cater to foreigners (and would likely refuse to allow a citizen to stay there) also aren't GFW'd

roughly1y ago

Yeah, AIUI the Chinese government cares that Chinese citizens can't bypass the GFW, but either explicitly or implicitly does not care if foreigners do.

blacklion1y ago

Wireguard and Shadowsocks are trivially detectable, as Chinese and Russian providers show in practice.

TLS-in-TLS (trojan) seems to be detectable too.

If we look at Chinese and Russian government DPI, we will see that now VLESS with XTLS‑Vision and XTLS‑Reality are not detectable. YET.

https://github.com/ProtonVPN/android-app

yup, vless works, mullvad/nordvpn/pia/surfshark don't.

olalonde1y ago

> [0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

For some time. After a while, the connection eventually gets blocked or throttled. The annoying thing about understanding the GFW is that it's not quite deterministic.

olalonde1y ago

It seems their Android app is open source... Maybe the protocol could be reverse engineered?

PS: Tried their free plan in China and it won't connect ("Connection Timeout"). In fact, I had to use another VPN to get past their app's loading screen (guessing it got stuck while doing a request to their server)...

EMIRELADERO1y ago

From a cursory glance, it seems to be Wireguard + TLS

https://github.com/ProtonVPN/android-app/blob/fc9e7f500fe56b...

SahAssar1y ago

Is this just a brand name for tunneling traffic over TLS on port 443 (which has been a thing for decades) or am I missing something here?

codedokode1y ago

Masquerading as legitimate traffic is important for many VPN users, I guess. Many don't want ISP to know they are using a VPN, and others don't want to get their VPN blocked.

SahAssar1y ago

Absolutely, but this is announcing this as a "new" protocol. I'd like to know what is new or if I'm missing something.

tptacek1y ago

"Stealth" isn't a property of core VPN tunneling protocols --- establishing a secure channel is. Stealth is something you'd build on a transport underneath a VPN protocol. Completely replacing WireGuard or IPSEC just to beat DPI seems pretty silly.

saurik1y ago

FWIW, when this same URL was being discussed two years ago, someone looked into it and decided that it was, in fact, "Wireguard over TLS".

https://news.ycombinator.com/item?id=33171089

tptacek1y ago

Yeah, I see someone else on the thread has evidence of the same. If they're just tunneling WireGuard over something, I don't care, knock yourself out, it's fine.

apitman1y ago

This is too light on details to determine if there's anything interesting here. Similar to others, these are my main concerns:

* Is this an open protocol?

* I would like to see a detailed comparison to similar solutions

* Looks like it's TCP so head-of-line blocking may cause performance issues.

* What prevents entities from detecting that all your traffic is going to a single endpoint, or just blocking known VPN servers directly?

daft_pink1y ago

Will it work in China? You guys go back and forth about whether you trust VPN companies, but for me I’m just looking for something that works with 100% reliability in China.

nasaeclipse1y ago

Does it work in China?

I would think it would've been best to keep this update "silent", so to speak, to avoid letting said parties know of this new protocol.

rty321y ago

You are way underestimating GFW and people who work on it.

jinnko1y ago

Tailscale has been working in China for me the last couple of weeks.

Also check out Amnezia VPN and the cloak implementation.

causal1y ago

Awesome.

Question though: don't most VPN filters simply block a list of all known VPN endpoints? Maybe I missed something but I don't see how Proton's Stealth evades this simple filter?

jiveturkey1y ago

I would assume https (websocket) with domain fronting

codedokode1y ago

By not telling what their endpoints are?

_rs1y ago

Is there documentation for the protocol anywhere, or is this going to be a proprietary protocol to Proton that doesn’t gain much adoption outside of their users? If their claims are true this could be a great alternative for certain use cases

sinkasapa1y ago

I use protonvpn because I pay for protonmail. It is frustrating because I feel like I need to pay another VPN provider to get decent service. The client is ridiculously unstable and doesn't have the features found on other platforms. If you're not already using their mail services, use linux, and don't like being snubbed despite being a paying customer, look for another provider. Note that the stealth mode is not available for linux, just another way to tell their linux customers that they don't matter.

dtx11y ago

Providers like petfect privacy have offered stuff like this for over a decade and they, like others, don't advertise their blatant misunderstandings[0] of the threat models people in censored countries face. I don't see why this is being shilled here so much, it's as close to an obvious honeypot as you'll ever see.

https://news.ycombinator.com/item?id=41079157

thayne1y ago

> Stealth does this by using obfuscated TLS tunneling over TCP. This is different from most popular VPN protocols that typically use UDP

The reason most VPN protocols use UDP is for performance. With TCP, a single blocked packet can delay multiple streams. And fwiw, openvpn supports using TLS over TCP, but it is less performant than udp.

I would be more interested in a protocol that uses quic and looks like http/3

tptacek1y ago

UDP is a complete red herring and you should carefully reread any analysis that says a VPN protocol is superior to WireGuard because it uses TCP and not UDP. It's trivial to run WireGuard over TCP (it's our default for all our users, because something like 1 in 20 users has problems getting UDP out to the public Internet).

xezzed1y ago

Friend of mine just tried this in Russia. DOESN'T WORK

throwaway743541y ago

Do they happen to use the Russian App Store? If so, the app hadn't been updated to utilize the new protocol because Apple had delisted[1] ProtonVPN in mid July.

[1] https://apps.apple.com/ru/app/proton-vpn-fast-secure/id14370...

majorchord1y ago

The issue reported here (unanswered since March) says they are using Stealth in Russia and it is still not working: https://github.com/ProtonVPN/android-app/issues/130

xezzed1y ago

He is permanent resident of Spain but he is in Russia currently. So he has Spanish AppStore

ranger_danger1y ago

This your friend? https://github.com/ProtonVPN/android-app/issues/130

kgeist1y ago

ProtonVPN's IP ranges blocked?

xezzed1y ago

I dunno. But they advertise their "Stealth" protocol as a solution for everything. And there are still problems.

saurik1y ago

This was "published" now, but this same URL was discussed two years ago here about the same thing?

https://news.ycombinator.com/item?id=33170028

ark45791y ago

coincidentally, while searching for "proton vpn stealth" i came across this exact article 2 days ago and was surprised seeing it here with latest publish date. But, in previous article "windows" was not included in the list of platforms stealth was available on. I guess with today's proton VPN update, it became available on windows too and so they updated the article.

xeromal1y ago

I'm interested to try this out for a game I'm banned from. My little brother did a thing little brothers tend to do (lol) and I got caught in the crossfire. This is my baseline test for all VPN services.

Macha1y ago

Seems to be more focused on preventing VPN detection by middleboxes than by endpoints.

xeromal1y ago

I'm a big dummy but do you care to elaborate on that?

sparkling1y ago

When they talk about detection, they are most likely referring to protocol level detection by ISPs forced to block VPN traffic, hostile local networks, corporate firewalls and such.

The actual service you are connecting to (example: website, game server etc.) most likely uses a IP-based detection service such as https://focsec.com/ or similar. In such cases, the protocol will not make a difference.

xeromal1y ago

Thanks for the info. That's a bummer!

KomoD1y ago

A VPN protocol won't really make a difference for that, usually online services detect VPNs based on IP addresses.

phone86753091y ago

This you? https://steamcommunity.com/discussions/forum/9/3640401666859...

xeromal1y ago

haha. I wish. I play 4s with my little bro and a couple of my friends and my little bro thought it would be funny to hot mic a hitler speech. We all got banned. lol

gr4vityWall1y ago

This sounds more like a press release for a company than a technical overview of the protocol. Is there a reference implementation available?

commandersaki1y ago

How does it address TCP over TCP reliability layer collision?

Reference: https://web.archive.org/web/20230310043036/http:/sites.inka....

brewdad1y ago

I mainly use Proton to get around geo-blocks. FWIW, I tried this new protocol out on BBC iPlayer and it failed horribly. I tried the Wireguard UDP I normally use and streamed without any problem. It's a single data point but if the goal is to avoid sites knowing you are on a VPN, it isn't fit for purpose.

majorchord1y ago

I don't think this is enough information to quantifiably say that your issue was caused specifically by the Stealth protocol itself and nothing else.

hypeatei1y ago

> in the constantly evolving battle for online freedom, our work is not finished.

I'm assuming this boils down to a cat and mouse game, then? E.g. popular firewalls patch this and Proton releases an update to bypass filters?

Also, couldn't access this site directly because of corporate firewall, how ironic.

okneil1y ago

I wonder what differentiates this from something like Stunnel?

dtx11y ago

It's Proton branded.

KomoD1y ago

Do we really need yet another VPN protocol?

jiveturkey1y ago

we do, actually. you're missing the point. this is to evade VPN blocking.

KomoD1y ago

I'm not, protocols like these already exist and since this is ProtonVPN's own protocol all you need to do is block the IP addresses and it would be useless anyway.

It doesn't work against GFW nor in Russia. I've seen some people saying they're having issues in Iran as well.

If you had a protocol like this combined with something like MysteriumVPN (which has "decentralized" VPN nodes) then yeah, it'd probably help.

j / k navigate · click thread line to collapse

132 comments

Basically if you want something done right, at least do some of it yourself.

protonvpn1y ago

This is false. Proton VPN's no logs policy has been proven in court and backed by third party audits: https://protonvpn.com/blog/no-logs-audit

VPN is not classified as a communication tool in Switzerland and there are no existing Swiss laws that can compel us to log.

The Proton VPN Transparency Report & Warrant Canary is also still available at: https://protonvpn.com/blog/transparency-report

alfalfasprout1y ago

Proven in court is ultimately what I think most users really care about.

Thanks for sharing this.

https://www.bbc.com/news/world-europe-51467536.amp

wil4211y ago

How do we know this isn’t another CIA/Swiss front? Just like Crypto AG.

Some of us also remember Hushmail.

https://www.wired.com/2007/11/encrypted-e-mai/

4 more replies

ranger_danger1y ago

There is an unanswered bug report from March that suggests Stealth is not working in Russia:

https://github.com/ProtonVPN/android-app/issues/130

devwastaken1y ago

Protonvpn logged ips at the request of the Swiss government on behalf of the French government as a political favor.

https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-...

Protonvpn does log data and does hand it over. It doesn't matter if they "had to" (they can fight) You can't put the genie back in the bottle.

ljm1y ago

If you're getting into that kind of paranoia, you might as well just buy burner laptops that use burner 5G SIMs, and go fully stateless.

Considering you, as a person, are stateful, the strategy will inevitably fail and you'll be caught.

This is how people seeking privacy after doing bad things got found out. People were tracing patterns of behaviour long before there was an internet that produced access logs.

some people are paid to be the overly paranoid person in the room professionally, for budget and leadership to dial their models against. notice i put the security and adversary modeling at the top.

OutOfHere1y ago

What's a better VPN service anyway? Mullvad? I see Proton's stealth feature as being valuable.

Disclaimer: I have no conflict of interest whatsoever with Proton other than being a free user.

lovethevoid1y ago

The recommendation the person you're responding to (PIA and Cryptostorm), is very untrustworthy and doesn't even match the minimum criteria from PrivacyGuides.

llmblockchain1y ago

jtriangle1y ago

walterbell1y ago

> Pay a homeless man to colocate a physical server

So many questions about that server provisioning workflow :)

whartung1y ago

Is the hardware run on solar charged batteries, or does it recharge through plugging into coffee shop outlets. Is the network leeched from Starbucks, through a cell modem?

https://arstechnica.com/information-technology/2021/09/priva...

mnsc1y ago

Pretty straightforward with biceps.

blackeyeblitzar1y ago

I don’t understand your allegations against Proton VPN. They give data to federal agencies and they keep user data? When did they do that? Can you share any evidence of this?

3np1y ago

I think they're referring to ProtonMail, not ProtonVPN. Same company, same difference. What makes you believe that they would play one service so significantly differently than the other?

yegle1y ago

A flaw in your argument: a VPN protocol that emulates the traffic pattern of an HTTPS connection is not the same as a TLS VPN.

o9991y ago

PIA is associated with Kape technologies, a company founded by an Ex-Mossad agent that acquired many VPN companies.

codedokode1y ago

ranger_danger1y ago

China blocks TLS 1.3 entirely.

dartharva1y ago

At that level of paranoia you're probably better off just airgapping your network away from the internet and only transfer data using physical drives.

coldblues1y ago

Proton does not care anymore. Maybe they never did? Their new wallet wholeheartedly cements any skepticism I've had previously about them.

realfeel781y ago

Elaborate on this?

TheAmazingRace1y ago

Agreed. To that end, I wonder what the current prevailing recommendation is for a top tier VPN? Or should we roll our own using a VPS and Wireguard?

nouryqt1y ago

A small note to do your own research on:

DYOR and YMMV. I always disable WG for at least my first hop.

3 more replies

obelus1y ago

What are your sources here? Aside from Proton VPN being no-logs already being proved in court, Proton has third-party audits to back up their no logs claims: https://protonvpn.com/blog/no-logs-audit

alfalfasprout1y ago

They haven't cited any and likely can't. As an end user at the end of the day I care about real-world track record. Proton has not been able to comply to real-world requests over several years.

IMO a proven legal track record is in a way more valuable than unproven theoretical flaws (if you can even call them that).

WhatsName1y ago

> Without going into too much detail, Stealth also establishes VPN connections in a specific and unique way that avoids alerting internet filters.

I began mistrusting Proton some time ago with their hit piece on RAM-only VPN server confirming my bias.

Let's assume any adversary interested in reversing that new protocol, what's the point of not being transparent on how this new and fancy obfuscation works.

The TOR project has a lot of innovation in censorship circumvention[1] while still being transparent to their userbase.

[1] https://snowflake.torproject.org/

rasengan1y ago

> With Stealth enabled, your Proton VPN connection will be almost completely undetectable.

In their defense, they're basically saying this doesn't do anything since it's still detectable.

tuetuopay1y ago

Anyways kudos to them, and I can’t wait to see how it fares against China’s GFW.

elisbce1y ago

iforgotpassword1y ago

codedokode1y ago

Can VPN providers rotate used IPs faster than they are blocked or it is too expensive?

How much is "large", ballpark?

[2] https://xtls.github.io/en/development/protocols/vless.html

pzmarzly1y ago

Is there a good comparison of "undetectable" VPN protocols? Wireguard[0], Shadowsocks[1], VLess[2], VMess[3], Trojan[4], etc. All of them seemed to work for me during my recent trip to China.

[0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

[1] https://shadowsocks.org

[3] https://xtls.github.io/en/development/protocols/vmess.html

[4] https://trojan-gfw.github.io/trojan/protocol

kelnos1y ago

> All of them seemed to work for me during my recent trip to China.

roughly1y ago

Yeah, AIUI the Chinese government cares that Chinese citizens can't bypass the GFW, but either explicitly or implicitly does not care if foreigners do.

blacklion1y ago

Wireguard and Shadowsocks are trivially detectable, as Chinese and Russian providers show in practice.

TLS-in-TLS (trojan) seems to be detectable too.

If we look at Chinese and Russian government DPI, we will see that now VLESS with XTLS‑Vision and XTLS‑Reality are not detectable. YET.

https://github.com/ProtonVPN/android-app

yup, vless works, mullvad/nordvpn/pia/surfshark don't.

olalonde1y ago

> [0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

For some time. After a while, the connection eventually gets blocked or throttled. The annoying thing about understanding the GFW is that it's not quite deterministic.

olalonde1y ago

It seems their Android app is open source... Maybe the protocol could be reverse engineered?

EMIRELADERO1y ago

From a cursory glance, it seems to be Wireguard + TLS

https://github.com/ProtonVPN/android-app/blob/fc9e7f500fe56b...

SahAssar1y ago

Is this just a brand name for tunneling traffic over TLS on port 443 (which has been a thing for decades) or am I missing something here?

codedokode1y ago

Masquerading as legitimate traffic is important for many VPN users, I guess. Many don't want ISP to know they are using a VPN, and others don't want to get their VPN blocked.

SahAssar1y ago

Absolutely, but this is announcing this as a "new" protocol. I'd like to know what is new or if I'm missing something.

tptacek1y ago

saurik1y ago

FWIW, when this same URL was being discussed two years ago, someone looked into it and decided that it was, in fact, "Wireguard over TLS".

https://news.ycombinator.com/item?id=33171089

tptacek1y ago

Yeah, I see someone else on the thread has evidence of the same. If they're just tunneling WireGuard over something, I don't care, knock yourself out, it's fine.

apitman1y ago

This is too light on details to determine if there's anything interesting here. Similar to others, these are my main concerns:

* Is this an open protocol?

* I would like to see a detailed comparison to similar solutions

* Looks like it's TCP so head-of-line blocking may cause performance issues.

* What prevents entities from detecting that all your traffic is going to a single endpoint, or just blocking known VPN servers directly?

daft_pink1y ago

Will it work in China? You guys go back and forth about whether you trust VPN companies, but for me I’m just looking for something that works with 100% reliability in China.

nasaeclipse1y ago

Does it work in China?

I would think it would've been best to keep this update "silent", so to speak, to avoid letting said parties know of this new protocol.

rty321y ago

You are way underestimating GFW and people who work on it.

jinnko1y ago

Tailscale has been working in China for me the last couple of weeks.

Also check out Amnezia VPN and the cloak implementation.

causal1y ago

Awesome.

Question though: don't most VPN filters simply block a list of all known VPN endpoints? Maybe I missed something but I don't see how Proton's Stealth evades this simple filter?

jiveturkey1y ago

I would assume https (websocket) with domain fronting

codedokode1y ago

By not telling what their endpoints are?

_rs1y ago

sinkasapa1y ago

dtx11y ago

https://news.ycombinator.com/item?id=41079157

thayne1y ago

> Stealth does this by using obfuscated TLS tunneling over TCP. This is different from most popular VPN protocols that typically use UDP

I would be more interested in a protocol that uses quic and looks like http/3

tptacek1y ago

xezzed1y ago

Friend of mine just tried this in Russia. DOESN'T WORK

throwaway743541y ago

Do they happen to use the Russian App Store? If so, the app hadn't been updated to utilize the new protocol because Apple had delisted[1] ProtonVPN in mid July.

[1] https://apps.apple.com/ru/app/proton-vpn-fast-secure/id14370...

majorchord1y ago

The issue reported here (unanswered since March) says they are using Stealth in Russia and it is still not working: https://github.com/ProtonVPN/android-app/issues/130

xezzed1y ago

He is permanent resident of Spain but he is in Russia currently. So he has Spanish AppStore

ranger_danger1y ago

This your friend? https://github.com/ProtonVPN/android-app/issues/130

kgeist1y ago

ProtonVPN's IP ranges blocked?

xezzed1y ago

I dunno. But they advertise their "Stealth" protocol as a solution for everything. And there are still problems.

saurik1y ago

This was "published" now, but this same URL was discussed two years ago here about the same thing?

https://news.ycombinator.com/item?id=33170028

ark45791y ago

xeromal1y ago

Macha1y ago

Seems to be more focused on preventing VPN detection by middleboxes than by endpoints.

xeromal1y ago

I'm a big dummy but do you care to elaborate on that?

sparkling1y ago

When they talk about detection, they are most likely referring to protocol level detection by ISPs forced to block VPN traffic, hostile local networks, corporate firewalls and such.

xeromal1y ago

Thanks for the info. That's a bummer!

KomoD1y ago

A VPN protocol won't really make a difference for that, usually online services detect VPNs based on IP addresses.

phone86753091y ago

This you? https://steamcommunity.com/discussions/forum/9/3640401666859...

xeromal1y ago

haha. I wish. I play 4s with my little bro and a couple of my friends and my little bro thought it would be funny to hot mic a hitler speech. We all got banned. lol