The Tholian Network operates the tholian.network domain,
which allows us to create certificates for each username.
In the following examples, alice and bob try to communicate, each
owning their local TLS certificate in the Stealth Profile folder.
DNS-based Service Discovery, otherwise known as Bonjour or Zeroconf networking allows each Stealth instance to discover other peers locally.
Multicast DNS interaction is compatible with DNS-SD and operates on the
multicast addresses 244.0.0.251 and ff02::fb on port 5353 and,
as all other Stealth Service APIs, also on port 65432.
- Alice started her Stealth Browser and it tries to find other Peers.
- Alice's Stealth Browser sends out a
PTRquestion for_stealth._wss.tholian.localand_stealth._ws.tholian.localvia Multicast DNS. - Bob's Stealth Browser answers with a
PTRentry pointing tobob.tholian.local, and additionally sends his local IPs (AandAAAA) and a service descriptor (SRV). - Bob's response also contained a
TXTentry with the Stealth Browser version and the publicbob.tholian.localTLS certificate. - Alice's Stealth Browser listened to the Multicast DNS address and discovered Bob's Stealth Browser successfully.
- Alice can now ask Bob whether he wants to add her as a Trusted Peer.
- If Bob confirms Alice as a Peer, both will have themselves as Trusted Peers, with their pinned TLS certificates.
The Radar Service APIs are compatible with the Stealth Service APIs,
so Radar instances can also be used as a TURN server to discover
other peers.
DNS interaction with the Radar Service operates on the domain
radar.tholian.network on port 65432.
- Alice wants to go online and changes the Internet Setting in her Stealth Browser to Broadband or Mobile.
- Alice's Stealth Browser sends out a
SRVquestion for_stealth._wss.tholian.networkvia DNS. - Radar Service replies with a service descriptor (
SRV). - Alice's Stealth Browser connects to the Radar Service via a
WS/13Connection and asks for Peers. - Radar Service replies with a list of Peers, which come presorted for Alice.
- Alice can now share her Browser Cache with other Peers, if she chooses to add them as Trusted Peers.
An important side note:
Radar Service maintains a list of active Online Peers that might or might not have a working ISP that allows them to reach the Internet. Peers are therefore presorted so that e.g. Alice receives Peers that are not only inside her ISP's NAT, but which are also from other ISPs in her country and from other countries as well. This guarantees that Alice can always at least use one type of Peer in order to avoid censorship and MITM blocking of websites.
Peers are categorized in different types, in order to be able to guarantee that Peers can always find other Peers; even when their ISP is blocking (almost) all ways to communicate with the Internet.
If the ISP offers end-to-end IPv6 with a global scope, PWNAT is enough to fully to break out of NAT
restrictions. This was tested and confirmed with 1und1, kabelbw, telefonica/o2, t-mobile DE/CH/US,
t-online, and vodafone as internet providers. The likeliness of IPv6 support is higher with mobile
carrier-grade NATs, so it's recommended to try out a mobile SIM as a gateway if your cable ISP doesn't
provide IPv6 support.
The Radar Service's Peer API categorizes suitable Peers by the following criteria:
- Same ISP, same NAT
- Same ISP, different NAT
- Different ISP, same country
- Different ISP, different country
As some NATs or Firewalls might not want to cooperate in above explained scenarios, the Stealth Browser instances transparently switch between these network protocols:
WSConnection as the primary Stealth-to-Stealth Service API communication protocol.SOCKSConnection to relay connections via other locally or globally reachable Peers.HTTPandHTTPSConnection to encapsulate other protocols via binary frames.WSConnection to encapsulate other protocols viabinaryframes.DNS,DNSHandDNSSConnection to encapsulate other protocols viaTXTframes.ICMPConnection to encapsulate other protocols via binary frames.
In order to break out of NATs reliably, Stealth features a Multicast DNS-based Service Discovery
and an ICMP Connection that can break out of Router's that rely on ICMP to identify and map their
Network Topologies.
Additionally, every Connection implementation can encapsulate (and exfiltrate) traffic of other encrypted TLS communication channels, which helps avoiding detection of Firewalls that are rule based (and cannot detect e.g. HTTP/S traffic smuggling reliably).
A single point of failure is always the public DNS resolver that can be blocked out by Firewalls, which happens a lot in Enterprise NAT environments. In order to prevent a single endpoint that can be blocked, the Stealth Browser implements a peer-to-peer DNS Ronin based resolver Network Service, which rotates the public DNS resolver endpoints in case a DNS request is necessary.
This way, a statistical correctness is assumed and if more than 66.66% of the three randomized DNS
resolvers agree upon a mutual answers and records section in the DNS responses, it is assumed to
be a valid response.
All DNS traffic additionally is encrypted via DNS via HTTPS or DNS via TLS, whereas the latter is
usually blocked off in Enterprise NAT environments because DNS via TLS operates on the dedicated port
853 which is very easy to block in practice.
If the Internet cannot be contacted by a Peer itself, the DNS traffic is redirected via other locally discovered Peers which have a known-to-work Internet Connection.
If the local Peers already have the related Hosts Settings for the domain in question in their Browser
Profile, it is shared with the requesting Peer without making an additional DNS request to a public DNS
resolver.
If the local Peers do not have the related Hosts Settings in their Browser Profile, they will function
as a DNS Resolver Service and relay the DNS traffic to the list of public DNS via HTTPS/TLS resolvers via
above described DNS Ronin based resolver.