MultiFlow's tunnel operates as a virtual message board: the client and decoy router never exchange covert data within the same TCP connection. The decoy router uploads responses to a URI or email address specified by the client; the client downloads independently on a separate connection. This design eliminates the forged-packet and rewritten-traffic vectors that make TapDance and Rebound vulnerable to traffic analysis and decoy-host probing.

MultiFlow mitigates TLS termination attacks—where an adversary drops a connection after one data exchange—by having the client exfiltrate TLS session resumption information (219 bytes: 208-byte psk identity plus ticket metadata) to the decoy router. The decoy router can then resume a session with a different decoy host, establishing a new covert channel even if the original connection is severed, and amortizing per-session setup cost across multiple connections.

§3.3 defense

If an adversary replays captured client handshake traffic to a decoy host under adversary control, and the decoy router attempts to resume the client's session on that host, the adversary can infer that a decoy router is present on the path to the original decoy host. The paper identifies this as a residual probing vulnerability when the client does not encrypt the destination server to which resumption should be directed.

§3.1 detection

MultiFlow's stencil-coding capacity is constrained by TLS record sizes: hiding 1 byte per 16-byte block requires a 1568-byte TLS record to exfiltrate 98 bytes of key material. The paper notes that many websites' initial GET requests produce TLS 1.3 application records under 100 bytes, meaning MultiFlow would need to span multiple records or adopt the more efficient chosen-ciphertext steganography used by TapDance. No implementation exists at time of publication; session resumption from a different source IP was verified feasible using OpenSSL 1.1.1-pre2 and Scapy.

§3.1, §3.4 evaluation

MultiFlow enables a tap-based decoy router to authenticate clients without inline traffic blocking by having the decoy router resume the client's TLS 1.3 session with the decoy host. The client embeds 112-byte sentinel values in the ClientRandom and key-share fields; the decoy router uses the exfiltrated 219-byte NewSessionTicket to perform the resumption. If the decoy host accepts the resumed session rather than falling back to a full handshake, the client is confirmed live.

§3.1 defense

Re-testing in 2025 on a Pixel 10 Pro XL running Android 16 with October 2025 security updates confirmed that blind in/on-path VPN inference attacks remain fully viable despite CVE-2019-9461, CVE-2019-14899, and CVE-2024-49734 having been formally closed. All three core attack primitives—VPN-assigned internal IP discovery, active connection inference, and TCP reset injection via sequence/acknowledgment window scanning—succeeded across OpenVPN, WireGuard, and NordLynx.

2026-tolley-architectural §5.1–5.3 traffic-shaperst-injectionactive-probing

Six widely deployed VPN and circumvention tools—OpenVPN, WireGuard/NordLynx, NordWhisper, Orbot (Tor on Android), Lantern, and Psiphon—all failed to block internal IP inference, connection-state detection, and TCP reset injection under identical adversarial conditions on fully patched Android 16. Application-layer obfuscation in Lantern and Psiphon did not prevent TCP-layer disruption; Orbot's VPN-style encapsulation of Tor traffic was bypassed via the same tunnel-level side channels.

2026-tolley-architectural §5.2, §5.4–5.5 traffic-shaperst-injectionactive-probing

The paper proposes an Internet Freedom vulnerability registry with five design principles: persistent cross-vendor tracking under shared identifiers (e.g., IF-ARCH-2025-001) as long as a risk remains reproducible; human-centered impact ratings anchored to harm potential for journalists and dissidents rather than CVSS-style exploitability scores; timestamped re-verification hooks with linked PCAPs and minimal reproduction scripts; a structured media interface to counter vendor narrative capture; and open public APIs for integration into risk dashboards so that users of tools like Orbot or Lantern can directly query their configuration's exposure to known metadata-based attacks.

2026-tolley-architectural §6.1–6.5 traffic-shaperst-injectionactive-probing

Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.

2025-geedge-mesa-leak §5, §6 dpiactive-probingml-classifiersni-blockingdns-poisoningfully-encrypted-detecttraffic-shape

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) dpiactive-probingml-classifiersni-blockingip-blockingtraffic-shapefully-encrypted-detect

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 dpisni-blockingip-blockingtraffic-shapeml-classifieractive-probing