Secure Socks5 Proxy

Context

In the HTTP / HTTPS world, the source and destination of a TCP/IP packet are public. A malicious party can interfere with the network connection and send the source a poisoned packet to deter or abort the connection.

Known attack techniques include:

[img[secure-socks5-proxy-attackers.png]]

Under such a blockade, whoever wants to take a breath of fresh air on the free Internet might sound like a dreamer. But geeks are apparently reluctant to lose even a single data packet for this cause.

The solution is to leverage the SOCKS5 protocol together with strong cipher algorithms.

Use

Common Patterns

Below are some commonly seen techniques for developing a secure SOCKS5 proxy.

LocalProxy-RemoteProxy Model

! Free Client-Server

A trivial client-server model serves well when there are no malicious attackers. It cannot withstand any malicious attack.

[img[secure-socks5-proxy-free-connection.gif]]

! Blocking

Malicious attackers can deploy a firewall-like system between client and server so that no request reaches the server. Therefore, the end user cannot get any data from the server.

[img[secure-socks5-proxy-firewall.gif]]

! Proxying

A reasonable way is to set up a proxy server outside the firewall. All traffic first goes to the proxy server, which relays it onward. Potential proxy technologies include HTTP proxies, SOCKS services, VPN services, SSH tunneling, etc. SOCKS5 has become the de facto proxy protocol.

[img[secure-socks5-proxy-proxy.gif]]

For example, when requests are transmitted through an SSH tunnel, the firewall cannot recognize the traffic since the data is encrypted. The problem is that the SSH handshake performed when creating the tunnel makes it very likely that the server is recognized as being used as a proxy. So the firewall can block the connection at the SSH tunnel creation step.

! Secure Proxying

A secure SOCKS proxy should not expose the information listed below to the firewall:

To fix the previous proxy model, a secure SOCKS proxy needs to improve on SOCKS5. We can split SOCKS5 into two parts: socks5-local and socks5-remote.

[img[secure-socks5-proxy-ss.gif]]

The steps below are a simple explanation of the diagram above.

Socks5 as LocalProxy Protocol

SOCKS5 has wide support on the client side, so we can benefit from transmitting data via SOCKS5 from the client to the Local Proxy Server. SOCKS5 performs data transmission on Layer 5.

The curl command below demonstrates that a SOCKS5-aware client can connect through a SOCKS5 proxy server:

$ curl --socks5 127.0.0.1:1080 https://google.com
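As an added example (not from the original page or from Shadowsocks), the following Go function parses the SOCKS5 CONNECT request that a client such as curl sends to the local proxy, covering all three RFC 1928 address types and rejecting truncated or unsupported input instead of panicking; the sample request bytes in `main` are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

type Target struct { // destination the client asked the local proxy to reach
	Host string // IPv4/IPv6 literal, or a domain name (ATYP 0x03)
	Port uint16
}

// ParseConnect parses a SOCKS5 CONNECT request (RFC 1928 section 4). Every
// slice is length-checked first, so a malformed request errors, not panics.
func ParseConnect(b []byte) (Target, error) {
	if len(b) < 4 || b[0] != 0x05 {
		return Target{}, errors.New("not a SOCKS5 request")
	}
	if b[1] != 0x01 { // only CONNECT; BIND and UDP ASSOCIATE are not handled
		return Target{}, errors.New("unsupported command")
	}
	host, rest := "", []byte(nil)
	switch b[3] {
	case 0x01: // IPv4: 4 address bytes
		if len(b) < 10 {
			return Target{}, errors.New("truncated IPv4 address")
		}
		host, rest = net.IP(b[4:8]).String(), b[8:]
	case 0x03: // domain name: one length byte, then the name
		if len(b) < 5 || len(b) < 7+int(b[4]) {
			return Target{}, errors.New("truncated domain name")
		}
		host, rest = string(b[5:5+int(b[4])]), b[5+int(b[4]):]
	case 0x04: // IPv6: 16 address bytes
		if len(b) < 22 {
			return Target{}, errors.New("truncated IPv6 address")
		}
		host, rest = net.IP(b[4:20]).String(), b[20:]
	default:
		return Target{}, errors.New("unknown address type")
	}
	return Target{Host: host, Port: binary.BigEndian.Uint16(rest)}, nil
}

func main() { // constructed sample: CONNECT to google.com:443 by name
	req := append([]byte{5, 1, 0, 3, 10}, "google.com"...)
	fmt.Println(ParseConnect(append(req, 1, 0xbb))) // {google.com 443} <nil>
}
```

Note that `curl --socks5` resolves the host name locally and sends ATYP 0x01, while `curl --socks5-hostname` leaves resolution to the proxy and sends ATYP 0x03 as in the sample.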

HTTP as Transmission Protocol

HTTP is probably the most common traffic type on the entire Internet. Choosing HTTP as the transmission protocol to break through the firewall makes the packets and the server less likely to be recognized as being used for proxying.

HTTPS is not suitable for breaking through the firewall. The purpose of HTTPS is listed below:

While proxy software should meet the demands below:

For the reasons above, HTTP is a better choice than HTTPS or any other protocol for breaking through the firewall.

Cipher Algorithms

The cipher algorithm encrypts and decrypts data so that nobody can read data from the encrypted stream except the LocalProxy and RemoteProxy. Since AEAD ciphers simultaneously provide confidentiality, integrity, and authenticity, we tend to choose one of the AEAD family listed below as the cipher algorithm used in both the Local Proxy and the Remote Proxy.
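As an added example (not from the original page or from Shadowsocks), the following Go code seals and opens one traffic chunk with AES-256-GCM, an AEAD, and shows that a chunk with a single flipped bit is rejected outright rather than decrypted into garbage; the password, the SHA-256 key derivation and the sample plaintext are demo assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newAEAD builds AES-256-GCM from a password. Hashing the password with
// SHA-256 is a demo shortcut; a real proxy derives a salted per-session key.
func newAEAD(password string) cipher.AEAD {
	key := sha256.Sum256([]byte(password)) // 32 bytes selects AES-256
	block, _ := aes.NewCipher(key[:])      // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)        // cannot fail for an AES block
	return aead
}

// Seal encrypts one chunk, prefixing a fresh random nonce so the peer
// can open it. A nonce must never repeat under the same key.
func Seal(password string, plaintext []byte) ([]byte, error) {
	aead := newAEAD(password)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag before decrypting: one flipped byte anywhere in
// nonce, ciphertext or tag is rejected, so forged or corrupted data never
// reaches the application. A plain stream cipher would decrypt it anyway.
func Open(password string, sealed []byte) ([]byte, error) {
	aead := newAEAD(password)
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("chunk too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	sealed, _ := Seal("demo-password", []byte("GET / HTTP/1.1\r\n"))
	sealed[len(sealed)-1] ^= 0x01 // an on-path party flips one bit of the tag
	_, err := Open("demo-password", sealed)
	fmt.Println("tampered chunk rejected:", err != nil) // true
}
```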

Solutions

Shadowsocks is an excellent secure SOCKS5 proxy solution. Check its official site for more information.

Challenges and Risks

Untrusted Client

Untrusted Server

The server side must be deployed in an environment without firewall blockade.

Insecure Cipher Algorithms

It is up to the end user to choose which cipher algorithm is used. If the end user chooses an insecure cipher algorithm, he/she might leak the fact, or raise the suspicion, that the server is being used as a proxy server. Once detected, the server being used as a proxy will be blocked.

IP Whitelist

If the end user can only connect to a selected range of IP addresses, aka an IP whitelist, then there is no chance for the end user to use the SOCKS5 server, since the SOCKS5 server's IP is very unlikely to be included in the whitelist.

Forward Secrecy

If the end user leaks both the cipher key and the traffic history, a malicious party can decrypt all past traffic.

Law Enforcement

Be careful not to leak any personal information even when using the secured SOCKS5 proxy. End users might also want to uninstall any untrusted certificates and software.

It is said that the inventor of Shadowsocks was invited to "have a cup of tea" with law enforcement because he was chatting with friends via QQ, a widely installed Tencent application. Since then, he has quit developing the software.

Conclusion

By secretly deploying a secure SOCKS5 proxy server and choosing a strong cipher algorithm, people can break through a severe network blockade. Shadowsocks could be your first choice.