ABOUT

About Dodge

A research project, an open toolkit, and an honest disclaimer.

The research

Dodge has its origins in "Dodge: A Client-Side Framework for Application-Layer Video Fingerprinting Defenses", presented at PoPETS 2026. The paper introduces a client-side framework (fork of dash.js) for designing application-layer video fingerprinting defenses and describes a proof-of-concept defense used to test the system.

The name is a play on words. Dodge is implemented as a dash.js module, and the most prominent streaming standard today — and the one we target — is DASH. So, to play videos undefended is to "dash"; to thwart video fingerprinting is to "dodge".

Read the paper: PoPETS 2026 (open access PDF).

The Dodge toolkit

Right now, we provide three tools to support defense development and usage:

  • The dash.js module for content providers and developers who want to ship defenses with their own catalogs.
  • The browser extension for viewers who want to apply defenses to undefended player sites without waiting for them to integrate. And to verify, to the extent possible, that Dodge has been configured correctly.
  • The defense generator for designers and researchers building new defenses.

Everything is held together by the extended manifest format: a small JSON document that describes a defense plan for a given video. Extended manifests are read and used by the dash.js module to enact defenses.

What we know — and don't

Traffic analysis defense, especially for video, is a young research area. The attacker model is still being mapped out, classifiers are still being improved, and a defense that works against one attacker may not generalize to another. We are honest about this in both the paper and on this site: Dodge is not a guarantee of anonymity.

What Dodge is is a careful framework, designed to be safe-by-default, for changing the shape of video traffic. With a thoughtful defense, your traffic becomes much harder to identify than without one. With a careless or buggy defense, you can leak just as much as you would have without it. The framework is engineered to fail closed (stall rather than play undefended) when something goes wrong, but no engineering is perfect.

If you're a content provider thinking about deployment, keep in mind that there are a number of things you need consider carefully. Please reach out before going live. We'd rather help you ship something safe than read about a leak after the fact.

Discussion and contact

We refer to the dash.js Google Group for community discussion of things related to the dash.js module and its development in particular. Other ways to get involved →