Say my ISP, my router or my network is really mean, and won't let me use weird ports. But they want me to keep buying crap on Amazon with https, so they let me use 443.
Would it be possible to have my vault, safe browser or app use 443 or another almost-always-open port?
Does it even make sense at all, as my packets will really look weird and reveal me as suspicious traffic?
hmhmmm - weird yes - but https should look like gibberish too I assume (…?) - I would expect https-like traffic behaviour should be possible to emulate and hard to identify as safenet traffic (as long as you don't cut off all traffic except to DNS servers and "legitimate servers of the official internet")
but that's just a random thought by someone not competent in the field of network protocols …
“Look”? Are you saying that your corporate firewall does deep packet inspection?
The only weirdness would be not detecting a cryptographic handshake before establishing the connection because all traffic is encrypted before even leaving your computer.
As you said, when the connection is established, I was suspecting that something would happen differently, but not sure how differently. You answered that part.
Then I thought that the shape of the traffic would be very different from the average person browsing the web: I would expect a vault to produce a very constant and almost full bandwidth over time, in both directions. I suppose it would look much like someone torrenting, maybe, which would not need DPI to be spotted.
This would be more than enough to ring the bells in many countries with restrictive laws on digital communications and privacy, such as several European countries since a couple of years ago, where governments are allowed by law to install sniffing machines and/or software at the ISP level, without any warrant.
I had the same type of concerns, and I made several posts asking about that.
And, yes, as you said, even without DPI, a statistical analysis of the traffic could detect an anomaly.
But simulating another type of traffic by obfuscating it shouldn't be much of a problem.
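The two tells discussed above (a flow on 443 that never shows a TLS handshake, and a steady near-full-bandwidth shape in both directions) can be written down as the checks a network defender would run on a flow; this is an added example, not code from the thread or from the Safe Network project, and the byte samples, per-second traffic series and thresholds are constructed.

```python
"""Added example: two simple checks on a TCP/443 flow, from the monitoring side."""
import statistics

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the flow opens with a TLS record of type handshake (0x16),
    version 3.x, whose first message is a ClientHello (handshake type 0x01).
    A protocol that is opaque from byte zero fails this check."""
    if len(first_bytes) < 6:
        return False
    content_type, major = first_bytes[0], first_bytes[1]
    handshake_type = first_bytes[5]
    return content_type == 0x16 and major == 0x03 and handshake_type == 0x01

def steady_bulk_flow(up_kb, down_kb, link_kb, min_util=0.7, max_cv=0.15) -> bool:
    """Flag a flow whose per-second volume stays near link capacity and is
    nearly constant in both directions (low coefficient of variation), unlike
    bursty page loads. Thresholds are assumed values to tune per site."""
    def steady(series):
        mean = statistics.mean(series)
        if mean == 0:
            return False
        cv = statistics.pstdev(series) / mean
        return mean / link_kb >= min_util and cv <= max_cv
    return steady(up_kb) and steady(down_kb)

# constructed samples: a TLS 1.2-style ClientHello record header vs. opaque bytes
TLS_HELLO = bytes.fromhex("16030100c5010000c10303") + b"\x00" * 40
OPAQUE = bytes.fromhex("9f3a1c77e2b0") + b"\x00" * 40
# constructed per-second KB counts on a 1000 KB/s link
BROWSING_UP = [2, 0, 30, 0, 0, 1, 0, 45, 0, 0]
BROWSING_DOWN = [5, 0, 900, 120, 0, 0, 0, 650, 0, 0]
VAULT_UP = [980, 990, 985, 1000, 975, 990, 995, 980, 985, 990]
VAULT_DOWN = [950, 960, 955, 970, 945, 960, 965, 950, 955, 960]

if __name__ == "__main__":
    print(looks_like_tls_client_hello(TLS_HELLO), looks_like_tls_client_hello(OPAQUE))
    print(steady_bulk_flow(BROWSING_UP, BROWSING_DOWN, 1000),
          steady_bulk_flow(VAULT_UP, VAULT_DOWN, 1000))
```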
Let’s see first if the network can walk before running.