This is a rather interesting framework, highlighted on Mullvad's blog and with pilot integration into their servers -- see [1] and [2] -- with a fairly detailed deep-dive at [3].
The basic idea is very simple: defeat traffic analysis essentially by chaffing and winnowing [4] data to force packet sizes to be constant, and transmit a small amount of 'cover' garbage when the pipe is otherwise empty. I've often wondered why this is not done -- constant bandwidth channels are widely used by the military, for example. Combined with multi-hop routing, I suspect this will make VPNs far more secure for all of their users.
The cost, of course, is an overhead in both bandwidth and latency -- in principle these need to be very much for it to be cryptographically secure, but the current implementation roughly doubles bandwidth consumption and introduces a second per connection, which is probably...in need of improvement, let's say.
[1] https://mullvad.net/en/blog/introducing-defense-against-ai-g...
[2] https://mullvad.net/en/blog/evaluating-using-the-first-eight...
[3] https://pulls.name/blog/2024-06-05-eval-first-daita-servers/
[4] https://en.wikipedia.org/wiki/Chaffing_and_winnowing
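
The constant-size packets and idle-time cover traffic described in the comment above can be sketched as follows. This is an added example, not code from the comment, Mullvad or DAITA: it shows the strict constant-rate form of the idea, and the cell size, header layout and tick-based scheduler are assumptions made for illustration. It also assumes the cells travel inside the encrypted tunnel, so an observer sees only their size and timing.

```python
import struct

CELL_SIZE = 512                      # assumed fixed on-wire cell size in bytes
HEADER = struct.Struct("!BH")        # hypothetical header: kind (1=data, 0=cover), payload length
MAX_PAYLOAD = CELL_SIZE - HEADER.size

def to_cells(payload: bytes) -> list[bytes]:
    """Split a payload into fixed-size data cells, zero-padding the last one."""
    cells = []
    for i in range(0, len(payload), MAX_PAYLOAD):
        chunk = payload[i:i + MAX_PAYLOAD]
        cells.append(HEADER.pack(1, len(chunk)) + chunk.ljust(MAX_PAYLOAD, b"\0"))
    return cells

def cover_cell() -> bytes:
    """A cell carrying no payload, sent when the pipe is otherwise empty."""
    return HEADER.pack(0, 0) + bytes(MAX_PAYLOAD)

def shape(schedule: dict[int, bytes], ticks: int) -> list[bytes]:
    """Emit exactly one cell per tick: queued data if there is any, else cover."""
    queue, wire = [], []
    for t in range(ticks):
        queue.extend(to_cells(schedule.get(t, b"")))
        wire.append(queue.pop(0) if queue else cover_cell())
    return wire

def unshape(wire: list[bytes]) -> bytes:
    """Receiver side: drop cover cells, strip padding, reassemble the payload."""
    out = bytearray()
    for cell in wire:
        if len(cell) != CELL_SIZE:
            raise ValueError("cell has wrong size")
        kind, length = HEADER.unpack_from(cell)
        if kind == 1:
            if length > MAX_PAYLOAD:
                raise ValueError("length field exceeds cell capacity")
            out += cell[HEADER.size:HEADER.size + length]
    return bytes(out)

# Constructed sample traffic: a small request at tick 0, a 1200-byte burst at tick 3.
SAMPLE = {0: b"GET /index.html", 3: b"x" * 1200}

if __name__ == "__main__":
    busy, idle = shape(SAMPLE, 8), shape({}, 8)
    print([len(c) for c in busy] == [len(c) for c in idle])  # observer's view is identical
    print(len(b"".join(busy)), "bytes on the wire for", len(unshape(busy)), "bytes of payload")
```

The burst queued at tick 3 is not fully delivered until tick 5, and the link carries 4096 bytes for 1215 bytes of payload, which is the latency and bandwidth cost the comment refers to.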