Website Fingerprinting attacks allow an adversary to predict the websites visited by a victim via an encrypted tunnel (e.g., Tor).

ALPaCA is an application-layer server-side Website Fingerprinting defence. This means it runs as a webserver module (e.g., Apache or Nginx), and it operates by inserting padding to the content of the served web pages (e.g., pictures, HTML or CSS files) to prevent fingerprinting.

It was proposed in (Cherubin et al., 2017), together with LLaMA, a client-side defence.

We are currently developing ALPaCA as an open source library, libalpaca, which in the future will be used by the respective Apache or Nginx module for deployment on websites or .onion sites.


  1. Website Fingerprinting Defenses at the Application Layer Cherubin, Giovanni, Hayes, Jamie, and Juarez, Marc Proceedings on Privacy Enhancing Technologies 2017 [Abs] [Paper] [Code]