Traffic Engineering
DNS, IPv6, leak prevention, traffic analysis fundamentals — the engineering details that determine whether a tunnel actually does what you think it does.
Decoy routing and refraction networking
Telex, TapDance, Slitheen, and Conjure: how cooperative infrastructure on ordinary network paths changes the evasion game.
Hysteria and QUIC-based transports
Why QUIC became an evasive substrate, how Hysteria uses it, and what QUIC-based camouflage still leaks to modern detectors.
Operational anonymity for engineers
Compartmentation, browser discipline, transport choice, telemetry minimization, and how to turn anonymity theory into a survivable daily operating model.
Traffic shaping for camouflage
How burst scheduling, half-duplex shaping, and target-traffic mimicry try to make tunnels look like something else.
Active probing methodology
How detectors confirm suspicious endpoints with chosen inputs, from state-machine exploration to probe-resistant proxy design.
Asymmetric crypto: RSA and the discrete-log family
Public-key cryptography from first principles: what RSA actually does, why TLS 1.3 dropped RSA key exchange, and why X25519 is the engineering default in modern protocols.
Browser fingerprinting in depth
Canvas, WebGL, fonts, audio, viewport geometry, and why hiding your IP does not standardize your browser.
Deep packet inspection: pattern, statistical, and behavioral classification
How real traffic classifiers combine signatures, protocol parsing, flow statistics, and behavior after payload visibility disappears.
Digital signatures
Digital signatures from first principles: RSA-PSS, ECDSA's nonce trap, why Ed25519 is the modern default, and what verification actually proves.
Domain fronting: the rise, fall, and remnant
How domain fronting exploited cross-layer naming, why it changed the economics of blocking, and why the classic form largely receded after 2018.
Encrypted traffic classification with ML
How feature engineering, deep learning, dataset design, and concept drift shape machine-learning-based classification of encrypted traffic.
Hash functions and message authentication
Cryptographic hashes from first principles: SHA-2, SHA-3, BLAKE3, what they each guarantee, why HMAC exists, and the length-extension trap that motivates careful MAC design.
Key derivation: HKDF and friends
Why one secret becomes many keys: HKDF extract-then-expand, PBKDF2 vs Argon2id, salts, domain separation, and the failure mode of reusing keys across contexts.
Mix networks: Loopix and Nym
From Chaumian mixes to Loopix and Nym: delay, cover traffic, Sphinx packets, and the anonymity-latency-bandwidth tradeoff.
Network-level traffic analysis
NetFlow, multi-vantage correlation, BGP/routing attacks, and why where you observe traffic matters as much as what you observe.
The Noise protocol framework
Noise from first principles: handshake patterns, the state-machine triple (Cipher/Symmetric/Handshake), why WireGuard chose Noise IK, and how to read pattern notation.
OS and TCP/IP stack fingerprinting
How TCP SYN fields, TLS ClientHello structure, and HTTP/2 settings betray client identity even when the payload is encrypted.
Padding strategies and cover traffic
Constant-rate padding, adaptive padding, dummy traffic, and why hiding packet shape is harder than appending zeros.
Pluggable transports: the obfs lineage
obfs4, meek, Snowflake, and the history of transport-layer evasive design as adversaries moved from passive filtering to active probing.
Post-quantum cryptography in transit
Why TLS and QUIC are migrating to post-quantum key agreement now: ML-KEM, ML-DSA, hybrid X25519+ML-KEM, harvest-now-decrypt-later, and what 2026 deployment actually looks like.
Side channels in encrypted protocols
Compression oracles, TLS record lengths, QUIC behavior, and why encrypted protocols still leak through observable structure.
Steganographic channels
DNS, ICMP, HTTP, and media-based covert channels; storage versus timing channels; and why protocol normalization breaks many hiding schemes.
Stream ciphers and AEAD construction
Stream ciphers, ChaCha20, GCM, Poly1305: how authenticated encryption is actually built, why nonce reuse is catastrophic, and how to choose between AES-GCM and ChaCha20-Poly1305.
Symmetric encryption, block ciphers, and AES
AES from first principles: what a block cipher actually is, why ECB is the canonical embarrassment, modes of operation, and why AES alone is not an encryption scheme.
Threat models for network anonymity
Passive observers, active adversaries, global traffic correlation, and the vocabulary needed to reason about anonymity without hand-waving.
TLS fingerprinting in production
ClientHello structure, JA3 versus JA4, drift, ambiguity, and how production detectors really use TLS fingerprints.
TLS-in-TLS and Reality
TLS camouflage, secret-gated fallback, and why looking like HTTPS is harder than just using HTTPS.
Tor, onion routing, and circuit-level anonymity
Tor from the transport up: cells, telescoping circuits, guards, exits, directory authorities, and why Tor is not just a VPN with extra hops.
Traffic analysis fundamentals
How timing, size, and burst structure leak information from encrypted traffic, from end-to-end correlation to website fingerprinting.
Active probing defense for proxy and tunnel operators
How active probing works, why handshake secrets are not enough, and what obfs4, ScrambleSuit, and REALITY teach about blending into normal traffic.
Browser fingerprint hardening with Firefox, arkenfox, and uBlock Origin
How to reduce browser fingerprinting with sane Firefox settings, arkenfox, uBlock Origin, and Tor Browser when you actually need stronger cover.
DoH vs DoT: where each encrypted DNS transport leaks
DNS over HTTPS and DNS over TLS both encrypt queries, but they fail differently. This is the operator's comparison of where each one leaks.
Domain fronting in 2026: mostly dead, not actually gone
What classic domain fronting is, why big clouds shut it down, where it still appears, and why ECH or MASQUE are not the same thing.
IPv6 leak prevention for VPN users and operators
Why IPv6 leaks happen on dual-stack systems, when disabling IPv6 is only a workaround, and how to fix the problem properly.
JA3 and JA4 TLS fingerprints, explained
How JA3 and JA4 fingerprint the TLS ClientHello, what they're good for, and why they are correlation signals rather than identities.
Tor for technical users who keep asking for Tor over WireGuard
What Tor actually does, why Tor Browser discipline matters, when bridges help, and why stacking WireGuard on top usually solves the wrong problem.
WebRTC IP leaks: root cause and real fixes
Why WebRTC reveals IP information, what STUN and TURN have to do with it, and how to fix the leak without hand-waving.
Xray Reality vs WireGuard: when to use which
Two protocols, two threat models. WireGuard hides what's in the pipe. Reality hides that there's a pipe at all.
Network OPSEC checklist for engineers
DNS leaks, IPv6 leaks, mDNS, NetBIOS — the things that betray your real network identity before encryption matters.