Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Question] Does browser signatures need update? #129

Closed
HirbodBehnam opened this issue Sep 12, 2020 · 8 comments
Closed

[Question] Does browser signatures need update? #129

HirbodBehnam opened this issue Sep 12, 2020 · 8 comments

Comments

@HirbodBehnam
Copy link
Contributor

Hello
Do the Chrome and Firefox signatures change over time? If so, is it possible for you to update them? Because it looks like Iran's firewall is blocking the Cloak's Chrome signature. A little more info
@cbeuw
Copy link
Owner

cbeuw commented Sep 12, 2020

Yes it does need update. Thanks for the testing and heads-up.

When I first got told that Cloak stopped working in Iran by email, I was worried that it's due to more intricate flaws like packet timing etc.. At the time they were written, the browser signatures were identical to real browsers byte-to-byte (except for the variable fields), but yes they are quite old. I'll update the Chrome one since it's being blocked right now. I may update the firefox one too some time later

cbeuw added a commit that referenced this issue Sep 12, 2020
@cbeuw
Update Chrome signature to 85. Address #129
05482e6
@notsure2
Copy link
Contributor

@cbeuw How about making the changing parts of the signature possible to pass via configuration, so that in case you get busy people can update it themselves ? See how trojan-gfw project did it.

@cbeuw
Copy link
Owner

cbeuw commented Sep 12, 2020

@notsure2 It's possible to specify some fields in a configuration file, like Supported Groups and Cipher Suites etc. I'm not familiar with trojan-gfw but a quick look at its documentation shows it appears to be how they are doing it. The issue is that there may be a lot of intricate or major changes in ClientHellos between browser versions. For instance, between Firefox 68 (Cloak's current firefox version) and Firefox 80, there are a few new extension types, some extensions were deleted and the order was slightly rearranged. It's certainly possible to reflect these in a configuration file without editing the source code but it would require a pretty complicated schema. utls (whose major functionality was to parrot ClientHellos of different browser versions) basically hardcode all of these: https://github.com/refraction-networking/utls/blob/master/u_parrots.go.

@notsure2
Copy link
Contributor

@cbeuw Then in that case, is it possible to pull the client helo from that package by depending on it and then inserting the cloak stuff in it ? Instead of hardcoding it, that way, all we need to do is just update dependencies and rebuild to get the new signatures.

@cbeuw
Copy link
Owner

cbeuw commented Sep 12, 2020

@notsure2 You mean depending on utls? If I had known about utls before I started Cloak, I would've used it for ClientHellos and I wouldn't have to deal with the handshakes my self, but now that part counts as legacy code lol. Integrating just the ClientHello formation part would require a lot of code change, I think a better approach would be to clean up the way I'm currently hard-coding it (which is a mess), to something more modular, like utls, which can be much more easily modified by others

@HirbodBehnam
Copy link
Contributor Author

Hello @cbeuw
Thanks for the update! I downloaded and compiled the latest commit and both Chrome and Firefox signatures are working like a charm!
Thanks

@aboka2k
Copy link

aboka2k commented Sep 13, 2020

Hello @cbeuw
Thanks for the update! I downloaded and compiled the latest commit and both Chrome and Firefox signatures are working like a charm!
Thanks

@HirbodBehnam will this be apply to your script in future?

@HirbodBehnam
Copy link
Contributor Author

HirbodBehnam commented Sep 13, 2020
edited
Loading

@aboka2k
Yes! As soon as there is a new release on this repository, my script will automatically use it to setup the server. However in this case, you should just update your client and updating server is not necessary.

I also installed Chrome 76 on a VM and checked if it can connect to my server (to a real HTTPS server) and it failed to connect to my server. So, I'm 99% percent sure that the Iran does not allow even legit Chrome 76 client hello to some servers.

Update: I ran a test with utls to see which browser signatures are affected. It looks like that only Chrome-72 signature will timeout. Here is the code and here is the result:

Normal: OK
Chrome-58: OK
Chrome-62: OK
Chrome-70: OK
Chrome-72: ERROR: uTlsConn.Handshake() error: read tcp 192.168.1.100:65409->myip:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Chrome-83: OK
iOS-111: OK
iOS-12.1: OK
Firefox-55: OK
Firefox-56: OK
Firefox-63: OK
Firefox-65: OK
Golang-0: OK

So it looks like all Chrome fingerprints from version 72 to version 81 are not working.

@alexander-potemkin alexander-potemkin mentioned this issue Jan 26, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cbeuw @HirbodBehnam @notsure2 @aboka2k