Xray-core's new protocol Reality introduction
Using REALITY in place of a traditional TLS server eliminates the server-side TLS fingerprint while retaining forward secrecy and the other properties of TLS, and certificate chain attacks are ineffective against it, so its security exceeds that of conventional TLS. With REALITY you can point at someone else's website instead of buying a domain name and configuring a TLS server yourself, which is more convenient, and the whole handshake is real TLS that presents the specified SNI to any middleman.
- The design maximizes the security level, limits the scope of human control, and minimizes the impact of human factors.
- Trust the server, not the client, and even assume that all node information held by the client has leaked.
- The server is selective about clients, for example rejecting connections from clients running older Xray-core versions, so that outdated clients (with outdated fingerprints, for instance) cannot harm the server through a flawed implementation.
In the future, the server will also be able to send information to the client, such as notifying it that a new version is available, or that its version is too old and must be updated or it will no longer be supported after a certain date.
Usually used for proxy purposes. The minimum standard for the target website: a foreign website that supports TLSv1.3 and H2, whose domain name is not used for redirection (the apex domain may redirect to www). Bonus points: the target IP is close to the proxy IP (the more similar the better, with low latency), the handshake messages after Server Hello are encrypted (as with dl.google.com), and OCSP Stapling is present.
In terms of configuration, block traffic back to China, and also forward ports such as TCP/80 and UDP/443 (to the outside, REALITY looks like port forwarding, and an unpopular target IP may be even better).
REALITY can also be used with proxy protocols other than XTLS, but this is not recommended because they have obvious, specifically targetable TLS-in-TLS characteristics.
The next major goal of REALITY is "pre-built mode", which means collecting target website features in advance. The next major goal of XTLS is 0-RTT.
REALITY does not support CDN.
Reality protocol: the server-side implementation is a fork of the latest Go tls package.
For the client, see: https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
A REALITY client should receive a "temporary trusted certificate" issued by the "temporary authentication key", but in the following cases it will receive the target website's real certificate instead:
- The REALITY server rejected the client's Client Hello and redirected the traffic to the target website.
- The client's Client Hello was redirected to the target website by a middleman.
- A man-in-the-middle attack, possibly assisted by the target website or carried out as a certificate chain attack.
The REALITY client can perfectly distinguish between a temporary trusted certificate, a real certificate, and an invalid certificate, and decides its next action accordingly:
- When the temporary trusted certificate is received, the connection is usable and everything proceeds as usual.
- When the real certificate is received, enter crawler mode.
- When an invalid certificate is received, send a TLS alert.
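The three-way decision above, written out as an added example (not code from Xray-core). It assumes the temporary certificate carries an Ed25519 public key whose signature field is an HMAC-SHA512 tag keyed with the session's shared auth key, and uses a `chainOK` callback as a stand-in for ordinary x509 chain validation against the system roots for the SNI; both are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Verdict is what the client does after inspecting the leaf certificate.
type Verdict int

const (
	TemporaryTrusted Verdict = iota // proceed: the REALITY server answered
	RealCertificate                 // the target site answered: enter crawler mode
	Invalid                         // neither: send a TLS alert
)

// Leaf holds the two fields of the presented leaf certificate we inspect.
type Leaf struct {
	PubKey    ed25519.PublicKey // temporary certs carry an Ed25519 key (assumption)
	Signature []byte            // temporary cert: HMAC-SHA512(authKey, PubKey) (assumption)
}

// tempCertMAC computes the tag expected in a temporary certificate's
// signature field; only a party holding authKey can produce or check it.
func tempCertMAC(authKey []byte, pub ed25519.PublicKey) []byte {
	h := hmac.New(sha512.New, authKey)
	h.Write(pub)
	return h.Sum(nil)
}

// Classify applies the client's decision: HMAC match -> temporary trusted;
// otherwise a publicly valid chain -> real certificate; otherwise invalid.
func Classify(authKey []byte, leaf Leaf, chainOK func(Leaf) bool) Verdict {
	if leaf.PubKey != nil && hmac.Equal(tempCertMAC(authKey, leaf.PubKey), leaf.Signature) {
		return TemporaryTrusted
	}
	if chainOK(leaf) {
		return RealCertificate
	}
	return Invalid
}

func main() {
	authKey := bytes.Repeat([]byte{0x42}, 32) // constructed per-session shared key
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	temp := Leaf{PubKey: pub, Signature: tempCertMAC(authKey, pub)}
	fmt.Println(Classify(authKey, temp, func(Leaf) bool { return false }))          // 0
	fmt.Println(Classify([]byte("wrong key"), temp, func(Leaf) bool { return true })) // 1
	fmt.Println(Classify([]byte("wrong key"), temp, func(Leaf) bool { return false })) // 2
}
```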