32 comments

[ 0.28 ms ] story [ 71.0 ms ] thread
> Hysteria is a powerful, fast and censorship resistant proxy

What a statement.

They add one more at the homepage:

And probably the cutest, too.

Heh, and that subtitle is a link to a page that says:

> Meet Ayaha Hideri, the official anime mascot of Hysteria

I'm sure this would grate on many people, but honestly, I'm here for it.

(comment deleted)
A proxy for what? What type of communication or persuasion are you trying to accomplish?

clicks link

Ooooh, you made a software named "hysteria."

A worthy entry among names like git, gimp, bash, subversion, duplicity, jail, kill and other everyday fare of smart, tongue-in-cheek names in software.
For real! Reading the title I assumed I was going to read about using social media outrage as a method for dissemination of counterintelligence information to the public.
installation:

bash <(curl -fsSL https://get.hy2.sh/)

nah.

(comment deleted)
I just started to write a reply along the lines of

  > at least it doesn't start with "sudo bash", which is a very minor step into the right direction
But then I looked into the script, and changed my mind. I love blindly running Chinese shell scripts with sudo.
Chinese or any other state doesn't mean it's bad. What is bad is piping stuff into bash even if the source 100 percent trusted.
As apposed to downloading a binary, chmoding it, and running it as your user? I honestly don't see the difference unless you only want packages in auditable flatpaks or snaps.
That is one of many methods of installing and this bash crap has been popular for a while so although I don't like it it doesn't mean the project is bad.
I'm kind of flabbergasted people are downvoting this. You shouldn't pipe anything from a random curl'd link into bash, no matter how much you trust it. And if you actually bother to inspect this script, there are a lot of reasons to raise eyebrows.

Or, you can just keep doing this and I'll keep making money from security consulting...

What's the security difference between running a compiled application from a site vs running curl|bash with a script hosted on the same site?
Yeah, the curl|bash approach is approximately as safe as basically any other software installation method, if you trust the owner of the URL as much as you trust the maintainers of NPM, Pypi, etc.
The maintainers of those are not checking packages. You have to inspect the source code to check what it's doing. Same as a script you curl.
Package registry maintainers do often do some things that make it a bit safer than just using things from a random person online: e.g. preventing someone from deleting a popular package, which would enable various sorts of squatting attacks. But, you’re generally right.
you are at the mercy of whatever that link decides to resolve to, which makes it vulnerable to squatting, cache poisoning attacks, etc.
As opposed to other forms of download method?
Installation

Like any proxy software, Hysteria consists of a server and a client. Our precompiled executables includes both modes on all platforms. You can download our latest releases using one of the following options:

* Executable files

* GitHub Releases

* Deployment script for Linux servers

* Arch Linux AUR

* Docker images

* Use 3rd-party apps

* Build from source

The README starts with "Powered by a custom QUIC protocol", which raises some concern. When looking at the protocol doc, I see "standard QUIC transport protocol RFC 9000 with Unreliable Datagram Extension [(RFC 9221 Draft Proposal])."

Is that the extent of the "custom" QUIC protocol?

This is made for people in China under censorship I think. I've used it personally in China and it's a welcome alternative to shadowsocks (it even uses a similar flow of a local socks5 server) if you have an unblocked server you have access to (China fingerprints normal socks5 traffic).

It's slightly better in terms of robustness (since its less used) but eventually the firewall realizes you're only connecting to one server so it blocks outgoing large amounts of traffic to any IP. I've found using shadowsocks on one IP, using hysteria on another, and using proxy.pac to intersperse the two works best.

I'm surprised at all the negative comments here, its clear that the context of the project was not understood.

Could this work as a pluggable transport for Tor in China?

An advantage is you wouldn't be connecting to a single proxy, but a (small, configurable) number of bridges

In some US states where TikTok is banned, this can be used to access it.
An SSH tunnel is more than enough for that purpose.