from Hacker News

Proton announces release of a new VPN protocol, "Stealth"

by theschmed on 8/6/24, 5:30 PM with 132 comments

  • by kelsey98765431 on 8/6/24, 6:13 PM

    Don't trust companies that save and hand over data. Don't trust proprietary security solutions. If this is literally just TLS based vpn wrapping, it's no different from using an onion bridge to get to your VPN endpoint. Proton gives data to federal agencies. Proton keeps user data. Proton removed their warrant canary. Use something better.

    EDIT: If you want a truly safe VPN, you will need to do some work on both adversary modeling and technical implementation. If you are just worried about your ISP (filesharing of legally protected digital backups), use whatever. If you are worried that your data may be collected by your VPN provider, use a series of tor/vpn multihop. If you are a paranoid mf, use a privacy coin to purchase a VPS and then connect to it via tor on a public wifi network, set up a .onion hidden service for your ssh/chisel/etc port, connect over tor to forward your tunnel port to localhost, use that tunnel to connect to a multihop VPN system. Suggestions include mullvad, PIA, cryptostorm, whatever you want really. Throw a VPS with generic openvpn in the middle of your multi-provider hops, again paid in a privacy coin. Pay a homeless man to colocate a physical server that has DRAC and luks along with something like AMD TSME, then run containerized multihop there aswell.

    Basically if you want something done right, at least do some of it yourself.

  • by WhatsName on 8/6/24, 6:03 PM

    > Without going into too much detail, Stealth also establishes VPN connections in a specific and unique way that avoids alerting internet filters.

    I began mistrusting Proton some time ago with their hit piece on RAM-only VPN server confirming my bias.

    Let's assume any adversary interested in reversing that new protocol, what's the point of not being transparent on how this new and fancy obfuscation works.

    The TOR project has a lot of innovation in censorship circumvention[1] while still being transparent to their userbase.

    [1] https://snowflake.torproject.org/

  • by tuetuopay on 8/6/24, 5:56 PM

    It will be interesting how robust this new protocol is against traffic pattern analysis. A regular HTTPS connection has different patterns over time than a VPN, mainly because it carries only HTTPS and not all of the machine’s traffic; and only for a specific "website" (simplification here) instead of bundling the whole web to a "single server". The latter may be easier to evade, but the former will be hard.

    Anyways kudos to them, and I can’t wait to see how it fares against China’s GFW.

  • by pzmarzly on 8/6/24, 5:59 PM

    Is there a good comparison of "undetectable" VPN protocols? Wireguard[0], Shadowsocks[1], VLess[2], VMess[3], Trojan[4], etc. All of them seemed to work for me during my recent trip to China.

    [0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

    [1] https://shadowsocks.org

    [2] https://xtls.github.io/en/development/protocols/vless.html

    [3] https://xtls.github.io/en/development/protocols/vmess.html

    [4] https://trojan-gfw.github.io/trojan/protocol

  • by olalonde on 8/6/24, 6:15 PM

    It seems their Android app is open source... Maybe the protocol could be reverse engineered?

    https://github.com/ProtonVPN/android-app

    PS: Tried their free plan in China and it won't connect ("Connection Timeout"). In fact, I had to use another VPN to get past their app's loading screen (guessing it got stuck while doing a request to their server)...

  • by SahAssar on 8/6/24, 6:06 PM

    Is this just a brand name for tunneling traffic over TLS on port 443 (which has been a thing for decades) or am I missing something here?

  • by tptacek on 8/6/24, 6:17 PM

    "Stealth" isn't a property of core VPN tunneling protocols --- establishing a secure channel is. Stealth is something you'd build on a transport underneath a VPN protocol. Completely replacing WireGuard or IPSEC just to beat DPI seems pretty silly.

  • by apitman on 8/6/24, 6:26 PM

    This is too light on details to determine if there's anything interesting here. Similar to others, these are my main concerns:

    * Is this an open protocol?

    * I would like to see a detailed comparison to similar solutions

    * Looks like it's TCP so head-of-line blocking may cause performance issues.

    * What prevents entities from detecting that all your traffic is going to a single endpoint, or just blocking known VPN servers directly?

  • by daft_pink on 8/6/24, 6:25 PM

    Will it work in China? You guys go back and forth about whether you trust VPN companies, but for me I’m just looking for something that works with 100% reliability in China.

  • by nasaeclipse on 8/6/24, 5:53 PM

    Does it work in China?

    I would think it would've been best to keep this update "silent", so to speak, to avoid letting said parties know of this new protocol.

  • by causal on 8/6/24, 5:59 PM

    Awesome.

    Question though: don't most VPN filters simply block a list of all known VPN endpoints? Maybe I missed something but I don't see how Proton's Stealth evades this simple filter?

  • by _rs on 8/6/24, 5:56 PM

    Is there documentation for the protocol anywhere, or is this going to be a proprietary protocol to Proton that doesn’t gain much adoption outside of their users? If their claims are true this could be a great alternative for certain use cases

  • by sinkasapa on 8/6/24, 10:42 PM

    I use protonvpn because I pay for protonmail. It is frustrating because I feel like I need to pay another VPN provider to get decent service. The client is ridiculously unstable and doesn't have the features found on other platforms. If you're not already using their mail services, use linux, and don't like being snubbed despite being a paying customer, look for another provider. Note that the stealth mode is not available for linux, just another way to tell their linux customers that they don't matter.

  • by dtx1 on 8/6/24, 5:59 PM

    Providers like petfect privacy have offered stuff like this for over a decade and they, like others, don't advertise their blatant misunderstandings[0] of the threat models people in censored countries face. I don't see why this is being shilled here so much, it's as close to an obvious honeypot as you'll ever see.

    https://news.ycombinator.com/item?id=41079157

  • by thayne on 8/6/24, 6:40 PM

    > Stealth does this by using obfuscated TLS tunneling over TCP. This is different from most popular VPN protocols that typically use UDP

    The reason most VPN protocols use UDP is for performance. With TCP, a single blocked packet can delay multiple streams. And fwiw, openvpn supports using TLS over TCP, but it is less performant than udp.

    I would be more interested in a protocol that uses quic and looks like http/3

  • by xezzed on 8/6/24, 8:08 PM

    Friend of mine just tried this in Russia. DOESN'T WORK

  • by saurik on 8/6/24, 9:36 PM

    This was "published" now, but this same URL was discussed two years ago here about the same thing?

    https://news.ycombinator.com/item?id=33170028

  • by xeromal on 8/6/24, 5:49 PM

    I'm interested to try this out for a game I'm banned from. My little brother did a thing little brothers tend to do (lol) and I got caught in the crossfire. This is my baseline test for all VPN services.

  • by gr4vityWall on 8/6/24, 6:27 PM

    This sounds more like a press release for a company than a technical overview of the protocol. Is there a reference implementation available?

  • by commandersaki on 8/7/24, 9:51 AM

    How does it address TCP over TCP reliability layer collision?

    Reference: https://web.archive.org/web/20230310043036/http:/sites.inka....

  • by brewdad on 8/6/24, 6:31 PM

    I mainly use Proton to get around geo-blocks. FWIW, I tried this new protocol out on BBC iPlayer and it failed horribly. I tried the Wireguard UDP I normally use and streamed without any problem. It's a single data point but if the goal is to avoid sites knowing you are on a VPN, it isn't fit for purpose.

  • by hypeatei on 8/6/24, 5:59 PM

    > in the constantly evolving battle for online freedom, our work is not finished.

    I'm assuming this boils down to a cat and mouse game, then? E.g. popular firewalls patch this and Proton releases an update to bypass filters?

    Also, couldn't access this site directly because of corporate firewall, how ironic.

  • by okneil on 8/6/24, 5:59 PM

    I wonder what differentiates this from something like Stunnel?

  • by KomoD on 8/6/24, 6:18 PM

    Do we really need yet another VPN protocol?