二階堂 真紅

9 comments by 二階堂 真紅

Hmm, why not use an ElGamal-like method to identify users?

From my comments in #36:

> Just put a timestamp into the request header, then the server verifies that the timestamp should not exceed the server's local time +/-...

@madeye First of all, I don't think anyone has performed replay attacks because the same request will lead to unexpected results such as submitting a form twice. But if there...

Yep those requests have nothing to do with our protocol and are simply dropped. @Mygod And what will you do if the banned IP performs more requests? This can be...

@wongsyrone No, it should be checked after authentication of the request header. Authentication must be done in the very first, which is the common practice. It makes no sense that...

That's not shadowsocks anymore... Handshakes will generate extra traffic, which I think is not what shadowsocks wants. And if we need it why not use TLS directly?

@riobard Well, you're right. However, it may be a bit too far beyond shadowsocks... If a user knows the pre-shared key and is able to perform a MitM attack then...

Yeah, it should be considered carefully. But I think we can adopt @madeye's method at first and make it an experimental feature. Finally we stabilize a future-proof version. I...

@JollyTRjano I think this can only work with a single provider, or a small group of providers who trust each other. Or the protocol must only allow the trusted provider...