REALITY disguises itself during the TLS handshake and certificate delivery: it returns certificates and initial data that appear to come from a legitimate website, so a REALITY connection is difficult to distinguish from ordinary access to a "major" HTTPS website. If the GFW wants to block these connections, it risks accidentally blocking legitimate websites.
The honest answer: they sometimes do, increasingly so, and that's why this is an active arms race rather than a settled problem.
Below is why an SNI↔IP correlation check is harder than it looks, why Russian TSPU and the GFW don't apply it universally, and how REALITY's design tries to defeat it anyway.