Define a Threat Model

As a reference, Tor Browser's design document describes which threats/attacks are considered in-scope. A VPN (or VPN-like service) has different strengths and weaknesses; therefore, we must define those and evaluate reasonable expectations.

Some initial questions:

  • When are the VPN's protections applicable?
  • What are reasonable expectations when the service is disabled?
  • What are reasonable expectations when the service is enabled?
  • Which use cases can we reasonably support? (e.g., under which circumstances can we fail-closed: device is rebooted or app crashes?)
  • What properties does an application's connection gain/have when routed through this service?