How to live with DumpProxy in today's world

[fdoo24]

I came across an article https://habr.com/ru/articles/1020080/ about a critical client vulnerability for VLESS.
How is Dump Proxy doing in this regard?

[Snawoot]

Hello,

Let's keep this community inclusive and use English for communication. Regarding your question:

Dumbproxy on remote server (e.g. VPS) can't be a subject of that problem at all. There is no local port to probe.

Dumbproxy on a client, operating as a forwarder to remote proxy with authentication, can be probed by a local application such as MAX. But I hardly consider this a vulnerability: the goal of such local proxy is to allow any local application through remote proxy. Similarly, if MAX will start exfiltrating your personal files to remote server, it won't be a vulnerability of operating system holding these files, it will be a malicious behavior of that offending application.

Practical advices are:

1. Don't run software which is known for malicious activity in the first place.
2. On Android, consider using TrustTunnel client for DumbProxy server - as far as I know it has no local port to probe and they have full compatibility.
3. On PC, if you're using dumbproxy as a forwarder to remote dumbproxy server, you have following options:
   • Enable password-based authorization on local proxy as well, so prober without credentials won't be able to gain access.
   • Bind proxy on a hard-to-guess address-port such as 127.1.2.3:1234 (entire 127...* network is a loopback). This will deter some simple probers.
   • If you know in advance which resources are get probed by MAX, you can just disable access to them on your local proxy server (client part) with a filter or allow direct access to these resources: https://github.com/SenseUnit/dumbproxy/wiki/Recipe:-routing-certain-domains-through-a-proxy

[Dituar]

I have another question about the modern world (in Russia): I followed the instructions at https://github.com/SenseUnit/easy-dp https://habr.com/ru/posts/982670/ in two different countries. But apparently, blocked by DPI. Or is it impossible to use an HTTPS proxy to bypass the blocking?
How is it for you? I wanted to collect some statistics.

[Snawoot]

Situation really depends on hosting provider. Sometimes it just works for less popular hosting providers. Sometimes some SNI spoofing is required: some whitelisted values like vk.com or ads.x5.ru used to help for hosting providers like Hetzner, DigitalOcean, Vultr, ...