Strategic Adversary Models

Use cases

  • Journalistic (upload leaked documents): Goal:
    • Upload documents/blogpost, identity not exposed Properties:
    • Hide identity
    • (Possibly) hide location
    • Adversary: Entity that doesn't want documents leaked (usually intelligence agency?)
  • 'Generic user' who knows the internet has hostile but has no idea about a specific adversary. Goal: ? Properties: ?
  • Users who wish to hide their location specifically
  • Users who wish to circumvent censorship
  • Users who wish to circumvent censorship and maintain anonimity (in location and/or identity)

Generic properties:

  • Clueful/trained or not
  • Know their adversary or not
  • Want to protect identity
  • Want to protect location
  • Want to circument censorship


  • Intelligency agencies Properties:
    • Well funded
    • Might care about reputation
    • Are interested in 'evidence'
  • Commercial operations (for smaller, less well funded states), e.g. Defense contractors Properties: ?
  • "Internet troll" Properties:
    • Not usually covert
    • Typically attacks could be denial of service (targetted or not targetted "just to mess things up"), and deanonimising users (not targetted, typically?)
  • (Irresponsible) researchers Properties:
    • Might mean no harm, but could actually deanonimise real users
    • Usually short term attack ?
  • Commercial advertisers/sites Properties:
    • Wish to deanonimise/track users
  • Botnet (commercial?) Properties: ?


? Connecting only to hidden services



  • Covert/Hidden attack (or not)
  • Sustainable attack (or not)
  • Costs of approval
  • Reputation costs (if leaked/found out)
  • Time/Bandwidth/Hardware ('tradional costs')


  • Compromise hidden service and then attack browser (js, play sound and pick it up, etc) Properties: - Usually detected after a while
  • Tagging/padding attacks Properties: - Easy to detect when (it was) active
  • Fingerprint attacks. Properties: - Hard to detect
  • Compromising several devices (e.g. browser, play sound, compromised phone picks it up)
  • ...


  • Deanonmise user
  • Identity theft
  • Blocking access (censorship)
  • Denial of service
  • Rubberhose attacks

To categorise:

  • ISP(s) - privacy wrt ISP
  • Privacy wrt destination
  • (exit) relay operators sniffing outgoing traffic.
    • Application layer not encrypted (can make it worse for users to people use Tor, due traffic going everywhere) -- "Unencrypted website" (users might not understand this, we don't want to limit their access to websites, but we do want to protect them)
  • (Random parties) sniffing exit traffic -- threat to 'ordinary' users.
Last modified 2 years ago Last modified on Mar 28, 2017, 8:24:19 PM