How does a Trojan proxy evade DPI by being "indistinguishable" from normal HTTPS?
It speaks genuine TLS 1.3 on port 443 to a real domain with a valid certificate, and falls back to a real website on a wrong password — so DPI sees nothing but ordinary HTTPS.
* Trojan proxy — a wrong password (or a probe) just yields an innocent website, so DPI sees ordinary HTTPS. *
A Trojan proxy is a proxy protocol designed so its traffic looks exactly like normal HTTPS, defeating filters and censorship. Its core principle is indistinguishability:
- Real TLS 1.3 — the standard TLS protocol, just like a browser.
- Port 443 — the standard HTTPS port, nothing unusual.
- Valid SSL certificate — a real domain with e.g. a Let's Encrypt certificate.
- Fallback website — on a wrong password, the server simply serves a real website.
Step by step: (1) client starts a TLS handshake with the Trojan server (looks like normal HTTPS); (2) client sends a password in the TLS-encrypted channel (hashed with SHA-224); (3) server checks the hash — correct → proxy mode, wrong → just show the website; (4) on success, a TLS tunnel carries arbitrary traffic.
Result: DPI cannot distinguish Trojan from normal HTTPS — and probing the server just shows an innocent website.
Tip: The fallback site is the clever bit — an active censor who connects to probe the server sees a perfectly normal website, so there's nothing suspicious to block.