Is shadowsocks trustworthy? How would we know? If so, why can’t it safely be chained on top of Tor? Let’s say to defend against targeted attacks from NSA?
So I keep reading about the open source project known as shadowsocks. It has a history of being used to circumvent censorship in China. It is meant to bypass IP blocks from websites. It’s free, open-source, and has a large following. It’s supposed to be one of the only two free proxies (the other one is Privoxy) that have a solid reputation for either not keeping logs or honestly allowing you to disable them (in the case of Privoxy).
I’m having trouble verifying how reputable it is. Mullvad has shadowsocks connections built into it. If we don’t know it’s trustworthy, why does Mullvad use it?
On the other hand, if it is trustworthy, does not log anything that can ID you, and is so good at bypassing blocks (including IP blocks like they say), why not connect first to Tor via a Snowflake bridge, then to a shadowsocks proxy? This could easily be done in proxychains. You could just use Mullvad browser except NOT turn on VPN (to avoid the mistake of combining VPN with Tor), since Mullvad browser has the same fingerprint as Tor.
ShadowSocks is a proxy protocol that’s designed to circumvent deep packet inspection (DPI). Like a VPN, it doesn’t offer any privacy or security guarantee against rogue server providers (proxy server administrators), so you have to trust the providers not to do evil stuff with your traffic. Whether “a shadowsocks server” logs your traffic or ID or whatever has nothing to do with the shadowsocks software itself; it depends on whether the server owner does it or not.
ShadowSocks transports both TCP and UDP traffic so it can be used to carry Tor traffic (which is TCP).
ShadowSocks and Privoxy are two totally different pieces of software. Privoxy is a proxy server that filters web requests based on rules, mostly used to filter ads. It doesn’t help bypass state-imposed Internet censorship (most likely DPI) in any way.
I think it helps to separate “trust in the software” from “trust in the server”. Shadowsocks itself is open source so people can check the code and see how it works. But the real risk is the server you connect to, because the operator can still see your traffic metadata.
Also chaining Tor ==> Shadowsocks does not really add strong privacy. Tor already hides your IP but adding a proxy after it can reduce anonymity if that proxy becomes a fixed exit point. It may help bypass some blocks but it is not designed to protect against strong attackers.
So Shadowsocks is useful for censorship bypass but it should not be seen as a replacement or upgrade to Tor’s anonymity model.
And how many people can really read and understand that code is the question I always ask myself?
I operate a Snowflake proxy and compiled it from source. Do I understand the code?
I use the Tor browser (obviously). I believe it is open source. Did I read the code?
There are examples where rogues infiltrated coding teams with the purpose of inserting rogue code in increments and after a long time. I don’t remember which ones but it was stuff which was used a lot. I’m going to say the OpenSSL thing but don’t quote me on that.
Edited later
Did a bit of research.
I have purposely made the links unclickable.