Incorporate technology to fend off website fingerprinting

[innogen]

I was reading a blog on Tor's site entitled "Experimental Defense for Website Traffic Fingerprinting" (URL is https://blog.torproject.org/blog/ ) when a portion of the blog caught my eye. It reads as follows:

"Website fingerprinting is the act of recognizing web traffic through surveillance despite the use of encryption or anonymizing software."

"This information can be used to recognize your web traffic despite attempts at encryption or tunneling."

"Early work was quick to determine that simple packet-based encryption schemes (such as wireless and/or VPN encryption) were insufficient to prevent recognition of traffic patterns created by popular websites in the encrypted stream. Later, a small-scale study determined that a lot of information could be extracted from HTTPS streams using these same approaches against specific websites."

My question is: Is OpenVPN able to fend off website traffic fingerprinting? If the answer is "No", do the developers of OpenVPN plan to incorporate technologies to ward off such fingerprinting?

[dazo]

No, there are no such plans for OpenVPN. However, if someone in the community has time and knowledge to implement this, submitting patches to the openvpn-devel mailing list is always appreciated - then it will at least be considered.

One reason why this is not on the plan or interesting, is that VPN is mostly used to access internal networks. So when you spot encrypted traffic between two hosts, which lasts for a long(er) time - it might indicate being a VPN connection. And the content of that connection is in most cases traffic to/from an internal network. VPN and OpenVPN is not trying to provide anonymity solutions. For that, you have TOR and similar projects.