Skip to main content

DAITA version 2 now available on all platforms

Privacy 

We are now releasing version 2 of our Defense Against AI-guided Traffic Analysis (DAITA).

DAITA version 2 brings two major improvements: a large reduction in traffic overhead and dynamic configurations that vary VPN tunnel characteristics between connections, making it harder for attackers targeting DAITA.

Traffic overhead reduction

DAITA uses two types of cover traffic that add significant overhead to the connection. The first one is constant packet sizes, where DAITA is padding all packets to the same size to erase patterns that would otherwise exist. The second one is the addition of dummy packets to distort network patterns further. This second defense has now been more finely tuned in DAITA version 2. By more carefully inserting these dummy packets, we use about half the amount of these packets while still maintaining the same level of defense. As a customer using DAITA, the immediate benefit is improved speed.

Dynamic configurations

With DAITA version 1, all VPN connections use the same set of rules governing the insertion of dummy packets from VPN clients. This makes it easier for an attacker with sufficient resources and determination to create tailored attacks for circumventing DAITA.

When a user activates DAITA version 2, Mullvad's servers randomly select and assign a dynamic configuration to the VPN connection. This configuration affects how both the client and the VPN server insert dummy packets. Two clients visiting the same webpage will now produce different in-tunnel data streams, which carry through to the tunnel transport layer, resulting in VPN tunnels with unpredictable characteristics despite transporting the same data. Additionally, whenever a device recreates its VPN connection, a new configuration is selected from the thousands of possible configurations.

Read more in this post by Tobias Pulls at Karlstad university: https://pulls.name/blog/2025-03-27-daita-v1-and-v2-defenses/

What's next?

DAITA version 3 is already on the roadmap and will introduce a new type of defense alongside the existing ones. Watch this space for more updates as we advance the state of accessible and performant network traffic defense.