CDNReaper's Scrambler defeats domain-based and Wang et al. k-NN fingerprinting by injecting decoy requests uniformly distributed across ndom popular domains and dropping ~24% of advertisement/analytics requests (which constitute on average 24% of top-1000 Alexa page requests); even at low traffic overheads, fingerprinting accuracy drops significantly from the 0.991/0.94 baseline, with dropping traffic providing more benefit at lower overhead budgets.

CDNBrowsing of full-CDN content imposes near-zero operational cost on circumvention operators because all bandwidth is paid by the censored content publisher via their CDN contract; dynamic mirrors for partial-CDN sites impose negligible additional load compared to proxy-based systems — measured traffic relayed by CDNReaper dynamic mirrors versus the meek pluggable transport for sample sites was nearly negligible, while meek has cost Tor $26,536 total ($2,479/month at the time of measurement) despite a 1.5–3 MB/s per-user bandwidth cap and a discounted research grant rate.

§2.5, §5.2.2 evaluation

A survey of the top 10,000 Alexa websites found that only 6% (Class 1) are fully hosted on shared CDNs with HTTPS deployments that allow removal of destination leakage — the only class browsable with plausible unobservability against a competent DPI-equipped censor — while 64% are partial-CDN sites (Class 4) whose CDN-hosted content (images, videos) can still be reached via content wrappers or dynamic mirrors at negligible operational overhead.

§5.1 evaluation

A domain-based website fingerprinting attack against CDNBrowsing traffic — using the per-domain packet volume exchanged during a browsing session as a decision-tree feature vector — achieves 0.991 ± 0.002 accuracy against CacheBrowser on 100 China/Iran-blocked HTTPS pages, modestly outperforming the state-of-the-art k-NN classifier of Wang et al. (0.94 ± 0.002) while being two orders of magnitude faster: 0.60 CPU-seconds training and 10 µs classification versus 90 CPU-seconds and 0.05 CPU-seconds on an Intel Xeon 3.5 GHz processor.

§3.2 detection

Real-world CDN HTTPS deployments leak the identity of visited websites through three distinct channels — TLS certificate contents (A2, B1, B2 deployments), the plaintext SNI field (B1), and dedicated IP address mappings (B2) — enabling censors to block CDNBrowsing connections via standard DPI or IP filtering without collateral damage to non-forbidden CDN content. Each leakage channel requires inspecting only a single packet from an HTTPS connection, making the attack low-cost and deployable on off-the-shelf censorship boxes.

§3.1 detection

Without chunk-based padding, an XGBoost classifier identifies the target website from covert data-chunk sizes with 91% accuracy (Tranco top-100). Chunking at 2 MB reduces accuracy to 12% at a 21.3% bandwidth overhead, while 16 MB chunks reduce accuracy to near random guessing at a 480.3% overhead. Chunks as small as 64 KB already reduce accuracy to 64%, demonstrating a monotonic fingerprinting–overhead tradeoff.

2026-kamali-huma §V-C, Figure 4 website-fingerprintml-classifier

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 traffic-shapewebsite-fingerprintml-classifierdpifully-encrypted-detect

The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.

2025-pereira-extended §2.2 traffic-shapewebsite-fingerprintml-classifier

The authors propose a 'shim' pluggable transport that splits client traffic across N PT connections using unmodified existing PT bridges as proxies and a gateway bridge that correlates streams back into a Tor circuit via the Turbo Tunnel reliability pattern. This architecture enables all existing and future PTs to benefit from traffic splitting without modifying each PT's client or server code individually.

2024-lorimer-extended §3 website-fingerprintml-classifierip-blocking

When a user splits traffic across N paths, a censor observing a single path sees only a partial trace, substantially reducing the accuracy of classifiers trained on complete network traces. Prior Tor traffic-splitting work (TrafficSliver, CoMPS, multipath Tor studies) has validated this defense against website fingerprinting outside the PT context.

2024-lorimer-extended §1, §4.2 website-fingerprintml-classifiertraffic-shape

DeTorOS enables provable geographic avoidance for Tor onion services by running a TEE-backed Bento function as a trusted middlebox: both the client and the onion service upload their respective 3-hop circuit halves to this enclave, which computes the never-once or never-twice avoidance proof without revealing either party's circuit to the other.

2023-arora-detor-onion §3 flow-correlationwebsite-fingerprint