OpenSnell

Security Model & Trade-offs

Surge's official position on Snell's security design — no forward secrecy, no replay protection, a cost-tuned PSK KDF — re-evaluated against OpenSnell's own protocol analysis. What each trade-off buys, and what it actually costs.

Surge documents Snell's security posture as a set of deliberate performance-security trade-offs, not as oversights. This page reproduces that official position, then re-evaluates each claim against the evidence-based findings in Comparison with other protocols. The goal is the same as that page's: honest, citable, no advocacy.

The framing below is Surge's, quoted and paraphrased from the Snell release notes. The re-evaluation under each point is OpenSnell's, and it agrees with Surge on the design rationale while keeping the technical caveats that the comparison page already documents.

Surge's official position

Snell is a proxy protocol designed with performance as its primary objective. As a deliberate design trade-off, it omits certain security properties and uses lighter-weight cryptographic parameters where the associated overhead would have a measurable impact on performance.

If your primary goal is maximizing security guarantees rather than minimizing overhead, we recommend using a TLS-based proxy protocol instead.

The headline is worth taking at face value: Snell optimizes for latency, CPU, and throughput, and spends security margin to get there. If your threat model needs forward secrecy, replay freshness, or per-user identity, the honest answer — Surge's and ours — is to use a TLS-wrapped transport (see the wrapper discussion in § Anti-censorship behavior).

The three trade-offs Surge calls out explicitly, each re-evaluated:

1. No forward secrecy

Surge's rationale. Forward secrecy requires an ephemeral key exchange so session keys aren't derived solely from a long-term secret. Snell is a 0-RTT protocol: application traffic is authenticated and encrypted immediately from the pre-shared key, with no round trip. Adding forward secrecy would require a key-exchange phase before any application data could be sent, increasing connection-establishment latency and protocol complexity.

Re-evaluation. The rationale is sound and the latency argument is real — a 0-RTT PSK protocol genuinely cannot have forward secrecy without giving up the 0-RTT property. But the consequence is concrete and worth stating plainly:

EventConsequence under Snell
Attacker captures ciphertext now, obtains the PSK laterEvery past and future capture under that PSK becomes decryptable retroactively

This is the "Cryptographic (with PSK / credential)" row of the findings matrix: a PSK leak yields full plaintext for all sessions, not just future ones. Note this is not unique to Snell — Shadowsocks 2022 is also a 0-RTT PSK protocol with no forward secrecy. The protocols that win this axis (TLS 1.3 wrappers like shadow-TLS / REALITY) do an ephemeral ECDHE handshake and pay exactly the round-trip cost Surge is declining to pay.

2. No dedicated replay protection

Surge's rationale. Replay protection is not a universal property of Internet protocols, and many widely deployed protocols operate securely without anti-replay state. Surge further argues that some proxy protocols historically identified via replay were primarily affected by the lack of authenticated encryption and integrity protection rather than the absence of replay protection itself — and that Snell uses AEAD throughout, so modified or forged traffic is rejected.

Re-evaluation. This is the one claim that needs the most care, because it conflates two distinct properties:

  • Integrity"this ciphertext was not modified or forged." AEAD provides this. Surge is correct here.
  • Freshness"this is not a replay of an earlier valid message." AEAD does not provide this, and Snell ships no separate mechanism (salt cache, timestamp window, key expiry) that does.

A replayed unmodified Snell session passes every AEAD tag check perfectly, because the attacker replays the original salt and the original nonce sequence verbatim. So the argument "AEAD fixes the replay problem" does not hold for Snell specifically: Snell has AEAD and is still replayable. The comparison page demonstrates this concretely:

An attacker can capture a complete client session and replay the exact byte sequence to the same server later. The server Argon2-derives a fresh key from the (captured) salt, every GCM tag verifies, and the original CONNECT is re-executed — re-fetching the URL, re-triggering upstream side effects. See § Replay protection for the step-by-step.

Surge's broader point still lands as a threat-model statement: if your adversary is a passive censor or you only care about confidentiality of content, replay of an opaque encrypted session changes little. It is the active-censor and side-effecting-upstream cases where the absence bites. Shadowsocks 2022 (60 s salt cache + ±30 s timestamp) and mieru (replay cache + minute timestamp + time-derived key) both close this; Snell deliberately does not.

3. Cost-tuned PSK key derivation

Surge's rationale. Snell's PSK KDF parameters are intentionally tuned to reduce computational cost compared to more conservative, security-focused configurations. Even so, brute force stays impractical with a sufficiently random PSK: a random PSK of 12+ characters already exceeds the reach of exhaustive search, and Surge recommends the 32-character random PSK emitted by the snell-server setup wizard. Their figure: even at an optimistic 1018 candidate keys per second, exhausting the key space takes ~1031 years.

Re-evaluation. Snell's KDF is Argon2id(t=3, m=8 KiB, p=1), run once per flow (see Protocol reference and QUIC mode). The cost tuning is real — 8 KiB and t=3 is well below what a password-hashing config would normally use. The honest framing is about what the KDF is actually protecting:

  • Memory-hard KDFs exist to protect weak / human-chosen PSKs (mypassword123) from offline brute force out of a captured handshake. At m=8 KiB, Argon2id raises that cost meaningfully versus a single SHA-256 round, but not to the level a high-security config would target.
  • With a random 32-character PSK, the KDF cost is almost irrelevant. As the comparison page notes, you cannot brute-force a 128-bit-plus random secret regardless of how slow the KDF is. The security rests on PSK entropy, not on the KDF parameters — which is exactly why Surge's 1031-year figure assumes a random 32-char key, not a weak one.

The practical upshot is a single instruction: use a long random PSK. OpenSnell's installer follows Surge's recommendation directly — gen_psk and the Docker entrypoint generate 32-character random PSKs out of the box (see Install). A hand-picked short password is the one input that turns the cost-tuned KDF into a genuine liability.

Summary

Trade-offSurge's rationaleHolds up?The residual cost
No forward secrecy0-RTT can't have PFS without a round tripYesPSK leak retroactively decrypts all captures (shared with SS-2022)
No replay protectionAEAD rejects forged/modified trafficPartlyAEAD ≠ freshness; unmodified sessions are replayable
Cost-tuned KDFStrong random PSK makes brute force infeasibleYes, conditionallySecurity rests on PSK entropy — use a long random PSK

None of these are bugs in OpenSnell or in Snell; they are the protocol behaving as designed. The decision they ask of you is a threat-model one, and it is the same decision Surge states up front: if you need the guarantees Snell trades away, run a TLS-based transport. If you accept the trade and pick a strong PSK, Snell delivers the latency and throughput it was optimized for.

References

On this page