Filtering candidate decoy sites by a minimum 15 KB TCP window eliminated 24% of the initial ~5,500 HTTPS hosts; a 30-second HTTP-timeout floor eliminated a further 11%; and AES-128-GCM cipher-suite support requirements eliminated an average of 32%—together reducing the viable decoy-site pool by approximately 55% before any live reachability tests.

Without per-site connection limits, popular decoy hosts risk resource exhaustion (Apache's default cap is 150 simultaneous connections); enforcing an initial limit of 30 concurrent clients per site—coordinated across stations via a central collector—kept the median site load at ~5 simultaneous clients, with the 99th-percentile site peaking at 37 after the limit was raised to 45.

§3.5, §4.3, Figure 9 deployment

The one-week trial served over 50,000 unique users (peak daily count: 57,000) with up to 4,000 concurrent sessions simultaneously, demonstrating that a four-station refraction deployment co-located at two mid-sized network operators can support tens of thousands of real censored users.

§4.2, Figures 4, 7 evaluation

The trial explicitly obtained no evidence about TapDance's resistance to adversarial censor countermeasures: its scale and duration were judged small enough that censors likely did not observe it, leaving theoretical censorship-resistance claims unvalidated against active blocking responses.

§2, §6 evaluation

TapDance was deployed on four ISP uplinks (two 40 Gbps, two 10 Gbps) using commodity 1U servers running a Rust/PF_RING zero-copy implementation; CPU load remained below 25% while handling a peak of ~14,000 new TLS connections per second across 34 cores, with cumulative mirrored traffic peaking at 55 Gbps across all stations.

§3.1, §4.1, Figure 1 deployment

Russia's Ministry of Digital Development issued guidelines effective April 15, 2026 requiring popular apps to detect and restrict access from VPN-using devices. RKS Global's analysis of 30 popular Russian Android apps found that 22 of 30 implement VPN detection, and 19 of those transmit the detected VPN status to their servers. This represents a shift from network-layer blocking (TSPU) to app-layer enforcement as an additional censorship vector.

2026-rks-russian-apps-vpn-detection §3, §4 tls-fingerprintml-classifier

The RKS Global report documents a two-tier Russian censorship architecture: TSPU network-layer blocking (documented by Xue et al. 2024) at the ISP level, now supplemented by mandated app-layer VPN detection in the 30 most popular Russian Android apps. This layered approach means a circumvention tool that successfully bypasses TSPU at the network layer can still be detected and reported by the app layer, closing the gap that network-only circumvention leaves open.

2026-rks-russian-apps-vpn-detection §2, §7 tls-fingerprintml-classifiermiddlebox-interference

In 24-hour live proxy deployments, covertDTLS mimicry had a 18.2% DTLS handshake failure rate (vs 12.5% baseline, 27.0% randomization, 25.8% Chrome webextension). Randomization generates ≈994 billion unique fingerprint permutations (cipher shuffling: 109,600; extension shuffling: 994,218,624,000), making blocklist-based fingerprinting infeasible, but at the cost of higher connection failures due to cipher mismatches. Mimicry of DTLS 1.2 was stable and effective; DTLS 1.3 mimicry is not yet achievable with the current Pion library.

2025-midtlien-fingerprint-resistant §4.2, Table 1, §5 tls-fingerprint

The DTLS ClientHello extensions field is the most prominent feature for fingerprinting Snowflake's Pion WebRTC stack. A passive DPI tool (dfind) validated against the MacMillan et al. dataset of 6,500 DTLS handshakes reliably identifies Pion-based implementations via unique extension byte patterns. Chrome randomized its extension list order starting with version 129.0.6668.58 (September 2024), yielding 6! = 720 unique permutations and hardening it against deterministic matching. Firefox adopted DTLS 1.3 by default from version 127 (May 2024), which changes the extension structure entirely and renders DTLS 1.2 mimicry obsolete for Firefox traffic.

2025-midtlien-fingerprint-resistant §3, §4.1 tls-fingerprintdpi

Firefox adopted DTLS 1.3 by default for WebRTC in May 2024 (version 127); Chrome has implemented DTLS 1.3 in BoringSSL but not yet enabled it by default. DTLS 1.3's Encrypted Client Hello (ECH) extension would encrypt extension lists and make passive field-based fingerprinting of those extensions obsolete — but censors may choose to block DTLS 1.3 ECH unless browsers adopt it widely enough that blocking causes unacceptable collateral damage. The Pion library (used by Snowflake standalone proxies) has no concrete roadmap for DTLS 1.3 support, creating a growing gap.

2025-midtlien-fingerprint-resistant §4.1, §5, §7 tls-fingerprintesni-eh-blocking

Beyond business-filing cross-references, the paper introduces a method of linking VPN provider families by showing they share VPN server cryptographic credentials (Shadowsocks passwords, server TLS fingerprints) across distinct app identities. This extends prior ownership-attribution methods that relied solely on corporate registry data and code similarity, adding shared live infrastructure as a linkage signal that is harder for operators to obscure.

2025-mixon-baca-hidden §3 (Methodology), §4 tls-fingerprintdpi