== Strategic Adversary Models ==
Use cases
- Journalistic (upload leaked documents):
  - Goal: Upload documents/blogpost, identity not exposed
  - Properties:
    - Hide identity
    - (Possibly) hide location
  - Adversary: Entity that doesn't want documents leaked (usually intelligence agency?)
- 'Generic user' who knows the internet is hostile but has no idea about a specific adversary.
  - Goal: ?
  - Properties: ?
- Users who wish to hide their location specifically
- Users who wish to circumvent censorship
- Users who wish to circumvent censorship and maintain anonymity (in location and/or identity)
Generic properties:
- Clueful/trained or not
- Know their adversary or not
- Want to protect identity
- Want to protect location
- Want to circumvent censorship
Adversaries
- Intelligence agencies. Properties:
  - Well funded
  - Might care about reputation
  - Are interested in 'evidence'
- Commercial operations (for smaller, less well funded states), e.g. defense contractors. Properties: ?
- "Internet troll". Properties:
  - Not usually covert
  - Typical attacks could be denial of service (targeted or not targeted, "just to mess things up") and deanonymising users (not targeted, typically?)
- (Irresponsible) researchers. Properties:
  - Might mean no harm, but could actually deanonymise real users
  - Usually short-term attack?
- Commercial advertisers/sites. Properties:
  - Wish to deanonymise/track users
- Botnet (commercial?). Properties: ?
Users
? Connecting only to hidden services
Attacks
Properties/Costs
- Covert/Hidden attack (or not)
- Sustainable attack (or not)
- Costs of approval
- Reputation costs (if leaked/found out)
- Time/Bandwidth/Hardware ('traditional costs')
Methods
- Compromise hidden service and then attack browser (js, play sound and pick it up, etc). Properties:
  - Usually detected after a while
- Tagging/padding attacks. Properties:
  - Easy to detect when (it was) active
- Fingerprint attacks. Properties:
  - Hard to detect
- Compromising several devices (e.g. browser, play sound, compromised phone picks it up)
- ...
Types
- Deanonymise user
- Identity theft
- Blocking access (censorship)
- Denial of service
- Rubberhose attacks
To categorise:
- ISP(s) - privacy wrt ISP
- Privacy wrt destination
- (exit) relay operators sniffing outgoing traffic.
- Application layer not encrypted (can make things worse for users who use Tor, due to traffic going everywhere) -- "Unencrypted website" (users might not understand this; we don't want to limit their access to websites, but we do want to protect them)
- (Random parties) sniffing exit traffic -- threat to 'ordinary' users.