The questions and statements that were raised in the threat modeling session can be found below.

  • What counts as broken security for what users?
  • What program/network states impact what threat model?
  • What are valid attacks?
  • What is in scope for an adversary model, what is out of scope?
  • What is the current threat model for each component? Are they the same? How are they different?
  • Is a security proof impossible?
  • Is tor secure against the currently specified adversary?
  • Do we need to evaluate Tor against (more refined / less powerful) adversaries
  • What practices are important and how important are they?
  • Can we create a threat model "comparison grid" that puts different types of users on one axis and different types of adversaries on another axis and the security and usage of different Tor based mitigation's where they intersect.
  • We need realistic user & adversary models to model against... but these are hard to build accurately.
  • "If you are (not) [doing/using] Tor [configuration/setting] [X] then your adversary will know [Y], and there will be [Z] repercussions on [your experience/the Tor network]
  • What are the upsides and downsides to a user activity.
  • We need to educate users correctly. Users don't know the adversary that they care about.
  • Bad, or improperly worded guidance can have repercussions on a users experience or the Tor network. (e.g. bridges seem like a thing that all users would want to implement when only provided the security - upside/downsides of them except that they have speed repercussions for the user and a massive uptick of usage would have repercussions for the Tor network.)
Last modified 2 years ago Last modified on Sep 30, 2015, 10:02:14 AM