On this page
Proxy Protocol Comparison
The evolution of proxy protocols reflects the arms race between censorship and anti-censorship—after Shadowsocks’ AEAD encryption was identified by deep packet inspection, Trojan masqueraded as HTTPS, VLESS+REALITY masqueraded as real websites, and Hysteria2 eliminated TLS fingerprints over QUIC. Each generation makes proxy traffic harder to distinguish from normal traffic.
Overview
The evolution of proxy protocols reflects the arms race between censorship and anti-censorship. Shadowsocks (2012) bypassed censorship using AEAD encryption but was later identified by deep packet inspection. Trojan (2019) masqueraded as standard HTTPS, making it difficult to distinguish. VLESS+REALITY (2023) masquerades as a real, existing website (microsoft.com), rendering active probing ineffective. Hysteria2 (2024) eliminates TLS fingerprints over QUIC, making it currently the hardest to detect.
Protocol Stack Overview
| Transport | Encryption | Obfuscation | Multiplexing | Anti-Censorship | |
|---|---|---|---|---|---|
| HTTP CONNECT | TCP | None | None | No | Very Low |
| SOCKS5 | TCP/UDP | None | None | No | Very Low |
| Shadowsocks | TCP/UDP | AEAD (AES/ChaCha) | Optional obfs | mux (smux) | Low (AEAD can be identified) |
| VMess | TCP | AEAD | Optional obfs | mux | Medium |
| Trojan | TCP+TLS | TLS | Masquerades as HTTPS (CDN fallback) | mux | Medium-High (TLS handshake can be probed) |
| VLESS+REALITY | TCP+TLS | TLS+XTLS Vision | Masquerades as real website (microsoft.com) | mux (XUDP) | High (Active probing ineffective) |
| Hysteria2 | UDP (QUIC) | QUIC+TLS 1.3 | salamander obfs (anti-fingerprint) | QUIC native | Very High (No TLS fingerprint) |
Key Design Points of Each Protocol
Shadowsocks → AEAD Fingerprint Issue
Shadowsocks' AEAD cipher (AES-128-GCM) produces ciphertext with a fixed pattern during the handshake phase (salt + encrypted payload). The GFW can identify it through active probing (sending a Shadowsocks handshake → expecting a response of a specific size). After 2020, a large number of Shadowsocks servers were blocked.
VMess → Custom Protocol
Uses a custom encryption protocol instead of standard TLS. The GFW identifies VMess traffic characteristics (non-TLS encrypted data streams) through deep packet inspection (DPI). It can be obfuscated by pairing with WebSocket + CDN relay.
Trojan → TLS Masquerade
Trojan mimics HTTPS: the handshake phase uses standard TLS (SNI points to a normal website), so the GFW sees an "ordinary HTTPS connection." However, active probing (GFW sends ClientHello → Trojan server returns an abnormal Certificate) may lead to identification.
VLESS+REALITY → Complete Masquerade
VLESS removes UUID verification, relying on TLS+XTLS Vision for encryption and flow control. REALITY masquerades the TLS handshake as accessing a real, existing website (e.g., www.microsoft.com):
Hysteria2 → Fingerprint-less QUIC
QUIC itself has no identifiable TLS fingerprint (unlike the fixed byte pattern of TCP+TLS). Hysteria2 adds salamander obfs to obfuscate the QUIC packet headers → does not match the QUIC standard → cannot be identified by a QUIC detector.
References
- REALITY: github.com/XTLS/REALITY
- Hysteria2: v2.hysteria.network/docs
- mihomo: wiki.metacubex.one/config/proxies
Keywords: Shadowsocks, VMess, Trojan, VLESS, REALITY, Hysteria2, AEAD, obfs, salamander, QUIC fingerprint