Thank you very much for a detailed answer. Might I rudely ask -- as you're knowledgeable in this space, what do you think of Mullvad's DAITA, which specifically aims to defeat traffic analysis by moving to a more pulsed constant bandwidth model?
Thank you very much for a detailed answer. Might I rudely ask -- as you're knowledgeable in this space, what do you think of Mullvad's DAITA, which specifically aims to defeat traffic analysis by moving to a more pulsed constant bandwidth model?
DAITA was introduced after my time in the industry, but this isn't a new idea (though as far as I know, it's the first time this kind of thing's been commercialized).
It's clever. It tries to defeat attacks against one of the tougher parts of VPN connections to reliably obfuscate, and the effort's commendable, but I'll stop short of saying it's a good solution for one big reason: with VPNs and censorship circumvention, the data often speaks for itself.
A VPN provider working in this space will often have aggregate (and obviously anonymized, if they're working in good faith) stats about success rates and failure classes encountered from clients connecting to their nodes. Where I worked, we didn't publish this information. I'm not sure where Mullvad stands on this right now.
In any case -- some VPN providers deploying new technology like this will partner with the research community (because there's a small, but passionate formal research community in this space!) and publish papers, studies, and other digests of their findings. Keep an eye out for this sort of stuff. UMD's Breakerspace in the US in particular had some extremely clever people working on this stuff when I was involved in the industry.
Have you heard about Safing's "SPN"? Could you comment on that?
I came across this recently too and it piqued my interest as well.
The way they describe it makes it sort of sound like split tunneling and geotunneling can be done with DNS.
https://safing.io/spn/
If you are on a limited data plan, beware, DAITA produces a lot of traffic.