Security Model & Trade-offs
Surge's official position on Snell's security design — no forward secrecy, no replay protection, a cost-tuned PSK KDF — re-evaluated against OpenSnell's own protocol analysis. What each trade-off buys, and what it actually costs.
Surge documents Snell's security posture as a set of deliberate performance-security trade-offs, not as oversights. This page reproduces that official position, then re-evaluates each claim against the evidence-based findings in Comparison with other protocols. The goal is the same as that page's: honest, citable, no advocacy.
The framing below is Surge's, quoted and paraphrased from the Snell release notes. The re-evaluation under each point is OpenSnell's, and it agrees with Surge on the design rationale while keeping the technical caveats that the comparison page already documents.
Surge's official position
Snell is a proxy protocol designed with performance as its primary objective. As a deliberate design trade-off, it omits certain security properties and uses lighter-weight cryptographic parameters where the associated overhead would have a measurable impact on performance.
If your primary goal is maximizing security guarantees rather than minimizing overhead, we recommend using a TLS-based proxy protocol instead.
The headline is worth taking at face value: Snell optimizes for latency, CPU, and throughput, and spends security margin to get there. If your threat model needs forward secrecy, replay freshness, or per-user identity, the honest answer — Surge's and ours — is to use a TLS-wrapped transport (see the wrapper discussion in § Anti-censorship behavior).
The three trade-offs Surge calls out explicitly, each re-evaluated:
1. No forward secrecy
Surge's rationale. Forward secrecy requires an ephemeral key exchange so session keys aren't derived solely from a long-term secret. Snell is a 0-RTT protocol: application traffic is authenticated and encrypted immediately from the pre-shared key, with no round trip. Adding forward secrecy would require a key-exchange phase before any application data could be sent, increasing connection-establishment latency and protocol complexity.
Re-evaluation. The rationale is sound and the latency argument is real — a 0-RTT PSK protocol genuinely cannot have forward secrecy without giving up the 0-RTT property. But the consequence is concrete and worth stating plainly:
| Event | Consequence under Snell |
|---|---|
| Attacker captures ciphertext now, obtains the PSK later | Every past and future capture under that PSK becomes decryptable retroactively |
This is the "Cryptographic (with PSK / credential)" row of the findings matrix: a PSK leak yields full plaintext for all sessions, not just future ones. Note this is not unique to Snell — Shadowsocks 2022 is also a 0-RTT PSK protocol with no forward secrecy. The protocols that win this axis (TLS 1.3 wrappers like shadow-TLS / REALITY) do an ephemeral ECDHE handshake and pay exactly the round-trip cost Surge is declining to pay.
2. No dedicated replay protection
Surge's rationale. Replay protection is not a universal property of Internet protocols, and many widely deployed protocols operate securely without anti-replay state. Surge further argues that some proxy protocols historically identified via replay were primarily affected by the lack of authenticated encryption and integrity protection rather than the absence of replay protection itself — and that Snell uses AEAD throughout, so modified or forged traffic is rejected.
Re-evaluation. This is the one claim that needs the most care, because it conflates two distinct properties:
- Integrity — "this ciphertext was not modified or forged." AEAD provides this. Surge is correct here.
- Freshness — "this is not a replay of an earlier valid message." AEAD does not provide this, and Snell ships no separate mechanism (salt cache, timestamp window, key expiry) that does.
A replayed unmodified Snell session passes every AEAD tag check perfectly, because the attacker replays the original salt and the original nonce sequence verbatim. So the argument "AEAD fixes the replay problem" does not hold for Snell specifically: Snell has AEAD and is still replayable. The comparison page demonstrates this concretely:
An attacker can capture a complete client session and replay the exact byte sequence to the same server later. The server Argon2-derives a fresh key from the (captured) salt, every GCM tag verifies, and the original CONNECT is re-executed — re-fetching the URL, re-triggering upstream side effects. See § Replay protection for the step-by-step.
Surge's broader point still lands as a threat-model statement: if your adversary is a passive censor or you only care about confidentiality of content, replay of an opaque encrypted session changes little. It is the active-censor and side-effecting-upstream cases where the absence bites. Shadowsocks 2022 (60 s salt cache + ±30 s timestamp) and mieru (replay cache + minute timestamp + time-derived key) both close this; Snell deliberately does not.
3. Cost-tuned PSK key derivation
Surge's rationale. Snell's PSK KDF parameters are intentionally tuned
to reduce computational cost compared to more conservative,
security-focused configurations. Even so, brute force stays impractical
with a sufficiently random PSK: a random PSK of 12+ characters already
exceeds the reach of exhaustive search, and Surge recommends the
32-character random PSK emitted by the snell-server setup wizard.
Their figure: even at an optimistic 1018 candidate keys per
second, exhausting the key space takes ~1031 years.
Re-evaluation. Snell's KDF is Argon2id(t=3, m=8 KiB, p=1), run once
per flow (see Protocol reference and
QUIC mode). The cost tuning is real — 8 KiB and t=3 is well
below what a password-hashing config would normally use. The honest framing
is about what the KDF is actually protecting:
- Memory-hard KDFs exist to protect weak / human-chosen PSKs
(
mypassword123) from offline brute force out of a captured handshake. Atm=8 KiB, Argon2id raises that cost meaningfully versus a single SHA-256 round, but not to the level a high-security config would target. - With a random 32-character PSK, the KDF cost is almost irrelevant. As the comparison page notes, you cannot brute-force a 128-bit-plus random secret regardless of how slow the KDF is. The security rests on PSK entropy, not on the KDF parameters — which is exactly why Surge's 1031-year figure assumes a random 32-char key, not a weak one.
The practical upshot is a single instruction: use a long random PSK.
OpenSnell's installer follows Surge's recommendation directly —
gen_psk and the Docker entrypoint generate 32-character random PSKs
out of the box (see Install). A hand-picked short password
is the one input that turns the cost-tuned KDF into a genuine liability.
Summary
| Trade-off | Surge's rationale | Holds up? | The residual cost |
|---|---|---|---|
| No forward secrecy | 0-RTT can't have PFS without a round trip | Yes | PSK leak retroactively decrypts all captures (shared with SS-2022) |
| No replay protection | AEAD rejects forged/modified traffic | Partly | AEAD ≠ freshness; unmodified sessions are replayable |
| Cost-tuned KDF | Strong random PSK makes brute force infeasible | Yes, conditionally | Security rests on PSK entropy — use a long random PSK |
None of these are bugs in OpenSnell or in Snell; they are the protocol behaving as designed. The decision they ask of you is a threat-model one, and it is the same decision Surge states up front: if you need the guarantees Snell trades away, run a TLS-based transport. If you accept the trade and pick a strong PSK, Snell delivers the latency and throughput it was optimized for.
References
- Surge Snell release notes — Surge's official statement on Snell's security design and the source of the quotes above.
- Comparison with other protocols — the full adversary-by-adversary analysis these re-evaluations draw on.
- Protocol reference § Key derivation and QUIC mode — where the Argon2id parameters are documented.
Comparison with Other Protocols
A protocol-level comparison of OpenSnell's Snell (v4/v5, plus where v6's per-deployment diversity shifts the picture) with Shadowsocks 2022 (SIP022) and mieru TCP — what each defends against, what each leaks on the wire, and which threat model picks which.
Performance
Where the Go implementation stood vs. the official C/libuv binary, what we changed, and where we land today.