Proton announces release of a new VPN protocol, "Stealth"

Scope and Goal of Stealth

  • Designed to evade VPN detection by network “middleboxes” (ISPs, corporate firewalls, national filters) rather than by service endpoints (e.g., Netflix, games).
  • Uses obfuscated TLS tunneling over TCP, intending to look like ordinary HTTPS traffic and conceal that a VPN is in use.

Detection: Endpoints vs. Middleboxes

  • Several comments note this will not help against services that block VPNs via IP reputation databases; they primarily care whether an IP is residential or from known VPN/datacenter ranges.
  • Bypassing endpoint blocks still often requires self‑hosted VPNs on home connections or obtaining residential IPs, which is difficult and sometimes shady.

Effectiveness in Heavily Censored Countries

  • Multiple participants question whether it works reliably in China, Russia, and Iran.
  • Reports:
    • China: users say many mainstream VPNs fail during “sensitive periods”; special “airport/ladder” services with custom protocols are more reliable. Some say any large, persistent foreign traffic gets disrupted regardless of protocol.
    • Russia: at least one report and an open Android issue suggest Stealth often fails; another anecdote says “doesn’t work”.
  • Consensus: evasion is a cat‑and‑mouse game; results vary by provider, network, time, and traffic volume.

Technical Design and Comparisons

  • Several commenters infer from Proton’s Android app that Stealth is effectively “WireGuard over TLS”.
  • Commenters compare it to longstanding approaches like OpenVPN over TCP/TLS, stunnel, Trojan, Shadowsocks, and VLESS/VMess.
  • Concerns:
    • TCP-over-TCP “meltdown” and performance issues.
    • Traffic pattern analysis may still identify a single endpoint carrying all device traffic.
    • Some wish it used QUIC/HTTP3‑like patterns instead.

Openness, Documentation, and Adoption

  • Many criticize the lack of protocol details, specs, and reference implementations.
  • It is unclear whether Stealth is intended as an open standard or a proprietary Proton‑only feature.

Trust, Logging, and Threat Models

  • Heated debate over Proton’s trustworthiness, contrasting ProtonMail’s legal logging case with ProtonVPN’s no‑logs claims from court cases and audits.
  • Some argue any VPN should be treated as untrusted; others value demonstrated legal track record.
  • Extreme threat‑model discussions (multi‑hop Tor+VPN, custom VPS, “paranoid” setups) are acknowledged as overkill for most users.

User Experience Reports

  • Mixed experiences: some can’t connect in China without another VPN; others note Stealth failed on BBC iPlayer while WireGuard worked.
  • Complaints that Stealth isn’t available on Linux and that Proton’s Linux client is weaker, making some feel second‑class.