@@ -256,34 +256,43 @@ The browser's adversaries have a number of possible goals, capabilities, and att
...
@@ -256,34 +256,43 @@ The browser's adversaries have a number of possible goals, capabilities, and att
### 3.2 Adversary Capabilities: Positioning
### 3.2 Adversary Capabilities: Positioning
The adversary can position themselves at a number of different locations in order to execute their attacks.
Adversaries may position themselves at a number of different locations in order to execute their attacks.
1.**Malicious 1st party websites**
1.**Malicious 1st party websites**
Adversaries may run websites, either on the clearnet (requiring access via an Exit relay) or as an Onion Service within the Tor Network.
2.**Malicious 3rd party services**
2.**Malicious 3rd party services**
Adversaries may host and serve content intended to be embedded in other 1st party websites, either on the clearnet or as an Onion Service within the Tor Network.
This content includes things such as scripts, images, video, fonts, etc which may downloaded and run by the browser.
3.**Exit relays or upstream routers**
3.**Exit relays or upstream routers**
The adversary can run exit nodes, or alternatively, they may control routers upstream of exit nodes.
Adversaries may run Tor exit relays or they may control routers upstream of exit relays.
Both of these scenarios have been observed in the wild.
They may observe and modify the contents and destination of traffic exiting from and returning to the Tor Network.
4.**Middle relays or upstream routers**
4.**Middle relays**
Adversaries run Tor middle relays or they may control routers upstream of middle relays.
They may observe metadata around the connections to their peers.
5.**Guard relays**
5.**Guard relays**
Adversaries may run Tor guard nodes or they may control routers upstream of guard nodes.
They may observe metadata around the connections to the user and their circuit's middle relays.
They also know the user's public IP address.
6.**Local network, ISP, or upstream routers**
6.**Local network, ISP, or upstream routers**
The adversary can also inject malicious content at the user's upstream router when they have Tor disabled, in an attempt to correlate their Tor and Non-Tor activity.
Adversaries may also inject malicious content at the user's upstream router when they have Tor disabled, in an attempt to correlate their Tor and non-Tor activity.
Additionally, at this position the adversary can block Tor, or attempt to recognize the traffic patterns of specific web pages at the entrance to the Tor network.
Additionally, at this position the adversary may block Tor, or attempt to recognize the traffic patterns of specific web pages at the entrance to the Tor network.
7.**Physical access**
7.**Physical access**
Some users face adversaries with intermittent or constant physical access.
Adversaries may have intermittent or constant physical access to users' computers.
Users in Internet cafes, for example, face such a threat.
They may also be able to compel users to surrender their encryption keys.
In addition, in countries where simply using tools like Tor is illegal, users may face confiscation of their computer equipment for excessive Tor usage or just general suspicion.
