HackerTrans
トップ新着トレンドコメント過去質問紹介求人

ameshkov

no profile record

投稿

Show HN: MCP-compress-router – MCP Compressor

github.com
1 ポイント·投稿者 ameshkov·15 日前·0 コメント

TLS Certificate Mis-Issuance Exposes 1.1.1.1 DNS Service to Exploitation

gbhackers.com
2 ポイント·投稿者 ameshkov·10 か月前·0 コメント

Ten years in the wrong regex lane

adguard.com
5 ポイント·投稿者 ameshkov·10 か月前·0 コメント

コメント

ameshkov
·5 か月前·議論
Love the idea, made a Windsurf-compatible version: https://github.com/ameshkov/peon-ping-windsurf
ameshkov
·6 か月前·議論
No, but it's a very good point, we'll add it to the backlog
ameshkov
·6 か月前·議論
In Cyprus, companies are usually incorporated via a corporate service provider, who also provides the registered office address and PO Box services. Basically, if you need to reach out to us by mail, you should use the "legal address" from the website.
ameshkov
·6 か月前·議論
For example, in some countries it's either slowed down or outright blocked.
ameshkov
·6 か月前·議論
Actually, no, we don't resolve them. We scan the incoming ClientHello before making a decision on where to route the connections. If the connection should be bypassed we make a connection by ourselves and proxy traffic. Implementing it that way requires having a TCP stack right in the client.
ameshkov
·6 か月前·議論
Well, Google is like a small country and some parts of it are very good guys that are genuinely interested in being a "user agent".
ameshkov
·6 か月前·議論
Uh, I guess it's a little bit off-topic here:) It's hard to say what's more harmful, I'd say cookies still take #1, but I think we're not far from the moment when your email address or its derivative will be used as the main advertising ID. Regarding evolution, well, definitely possible, the time will show.
ameshkov
·6 か月前·議論
This is actually supported by both the client and the server.

To use it in mobile clients you need to specify two domain names like that: fake-sni.com|domain.com where “fake-sni.com” is the domain thay will be in the SNI and “domain.com” is the domain in your TLS certificate (used to check the server’s authenticity)
ameshkov
·6 か月前·議論
There are no shady alleys in Cyprus:)

We have only one office in Limassol, the company is mostly remote: https://maps.app.goo.gl/pounSEQqBvYftZGZ6?g_st=ic

(we are moving to a bit bigger office in the neighboring building, no nice photos on google yet)

We do not have a dedicated team page on the website, but we’re not hiding our faces, the team can be found on Github. Members of the team often visit AFDS [1] [2], you can see some faces there (including mine).

[1]: https://adfilteringdevsummit.com/

[2]: https://youtube.com/playlist?list=PL61EKVIQWizG0tIYqNDoenVaO...
ameshkov
·6 か月前·議論
Hi, thank you very much for supporting AG!

We are very cautious with Apple as we suffered from them before [1]. So we're trying to stick to the APIs they provide. I hope the new URL filtering API [2] will improve the situation with the system-wide filtering, but our request for API access is still being reviewed by Apple.

Regarding jailbroken iOS devices, unlike Android the numbers are really marginal so it won't be feasible to support them.

[1]: https://adguard.com/en/blog/adguard-pro-discontinued.html

[2]: https://adguard.com/en/blog/apple-url-filter-system-wide-fil...
ameshkov
·6 か月前·議論
You mean in TrustTunnel apps? You can create a routing profile there and select which domains/ips are bypassed, and then select that routing profile in the vpn connection settings.
ameshkov
·6 か月前·議論
We support both H2 and H3 and this is necessary. QUIC is not bad, but there are places where it either does not work at all or works too slow.

And one more thing, even though the code and spec is only published now, we’ve been using TrustTunnel for a long time, started before CONNECT_UDP became a thing.

We’re considering switching to it though (or having an option to use it) just to make the server compatible with more clients.
ameshkov
·6 か月前·議論
Yay, thank you! :)

I wish we finish with redesigning it nicely this year and finally after all those years we will finally call it v1.0
ameshkov
·6 か月前·議論
More or less, built on top of it with added udp/icmp.

When writing server and client a lot of time is consumed by additional features, not on implementing the spec itself. For instance, in order to be truly stealthy we have to make sure that it looks *exactly* like Chromium on the outside, and then maintain this similarity as Chromium changes TLS implementation from version to version. Or here’s another example: on the server-side we need to have an anti-probing protection to make it harder to detect what the server does.
ameshkov
·6 か月前·議論
Performance reasons aside, TrustTunnel is developed by the team whose main language is C++ (and the client library is actually written in C++) so Rust was a more natural choice for them.
ameshkov
·6 か月前·議論
We do, and from what we know a bigger problem in China is detecting traffic patterns. SNI filtering is not that big of a deal, in order to block your domain it needs to first learn which one you’re using. What for the traffic patterns, people in China prefer to selectively route traffic to the tunnel. For instance, the client apps allow you to route *.cn domains (or any other domains) directly. It makes it harder to detect that you’re using a VPN.
ameshkov
·6 か月前·議論
One interesting thing I’ve noticed is that AdGuard means different things in different parts of the world. In some places, people know us primarily as an ad blocker, in others we’re best known for our DNS service and in some regions AdGuard is associated almost exclusively with our VPN. The reality is that AdGuard makes several different products, not just one.
ameshkov
·6 か月前·議論
Hi, I’m one of the people working on this.

One clarification that may not be obvious: open-sourcing this isn’t primarily about signaling or auditability. If that were the goal, a standalone protocol spec or a minimal reference repo would have been enough.

Instead, we’re deliberately shipping full client and server implementations because the end goal is for this to become an independent, vendor-neutral project, not something tied to AdGuard.

We want it to be usable by any VPN or proxy stack and, over time, to serve as a common baseline for stealthy transports — similar to the role xray/vless play today.

Happy to answer questions or clarify design choices.
ameshkov
·6 か月前·議論
This is not a common issue tbh. What sometimes may happen is that after an iOS update the content blockers in Safari becomes corrupted and the only thing that fixes it is not just a reinstall, but uninstall + reboot + reinstall after that. If even this doesn’t help please contact me at “am at adguard.com”, I will try to help.
ameshkov
·8 か月前·議論
I would advise against using unbound on the client side as this way all your DNS queries will be unencrypted and visible to your ISP. Besides that, the DNS responses can be modified, this kind of censorship is very popular and used in many countries.

IMO it is safer to use a big popular DNS recursor (google, cloudflare, adguard, quad9, etc), use DoT/DoH/DoQ and maybe add some additional filtering on top of it.