@@ -247,11 +247,11 @@ The browser's adversaries have a number of possible goals, capabilities, and att
Adversaries may position themselves at a number of possible locations in order to execute their attacks.
1.**Malicious 1st party websites**
1.**1st party websites**
Adversaries may run websites, either on the clearnet (requiring access via an Exit relay) or as an Onion Service within the Tor Network.
2.**Malicious 3rd party services**
2.**3rd party services**
Adversaries may host and serve content intended to be embedded in other 1st party websites, either on the clearnet or as an Onion Service within the Tor Network.
This content includes things such as scripts, images, video, fonts, etc which may downloaded and run by the browser.
...
...
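Review bot: the list items "1.**1st party websites**" and "2.**3rd party services**" have no space after the number, and CommonMark requires whitespace after an ordered-list marker, so they will render as bold paragraph text rather than a numbered list; write them as "1. **1st party websites**" and "2. **3rd party services**". In the same hunk, "scripts, images, video, fonts, etc which may downloaded and run by the browser" is missing a verb and punctuation and should read "scripts, images, video, fonts, etc., which may be downloaded and run by the browser." Dropping "Malicious" from the two headings is fine since the body text still frames the operator as the adversary, but the intro line above ("Adversaries may position themselves...") should then be the only place that states it.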
@@ -291,9 +291,69 @@ Adversaries may position themselves at a number of possible locations in order t
### 3.3 Adversary Attacks
The adversary can perform the following attacks from a number of different positions to accomplish various aspects of their goals.
It should be noted that many of these attacks (especially those involving IP address leakage) are often performed by accident by websites that simply have JavaScript, dynamic CSS elements, and plugins.
Others are performed by ad servers seeking to correlate users' activity across different IP addresses, and still others are performed by malicious agents on the Tor network and at national firewalls.
The adversary can perform the following attacks from a number of possible positions or combinations of positions to accomplish various aspects of their goals.
1.**Read and write identifiers**
- **Positioning**
- 1st party websites
- 3rd party services
- Exit relays or upstream routers
The browser contains multiple facilities for storing identifiers that the adversary creates for the purposes of tracking users.
These identifiers are most obviously cookies, but also include HTTP auth, DOM storage, cached scripts and other elements with embedded identifiers, client certificates, and even TLS Session IDs.
An adversary in a position to perform machine-in-the-middle content alteration can inject document content elements to both read and inject cookies for arbitrary domains. Such an adversary may also steal or alter document content.
2.**Fingerprint browser properties**
- **Positioning**
- 1st party websites
- 3rd party services
- Exit relays or upstream routers
By default, modern web browsers expose quite a large number of stable properties about the user's operating system, physical hardware, customisations, and personal information.
In isolation, most of these properties are not sufficient to uniquely identify and thus track a user across domains or deanonymise them.
However, such properties can be bucketed and combined to generate a stable identifier which can be used to track users across colluding 1st and 3rd party domains.
Some examples of fingerprintable features available to adversaries in modern browsers (not an exhaustive list):
- Operating system version
- System fonts
- Device CPU
- Screen size
- Installed web-extensions
- Accessibility customisations
- User's timezone
- User's preferred locale
Despite the apparent diversity of properties available to adversaries, each one individually is ultimately derived through one of these attack vectors:
- **Observing request behaviour**
Properties of the user's request behavior comprise the bulk of low-hanging fingerprinting targets.
These include: User agent, Accept-* headers, pipeline usage, and request ordering.
Additionally, the use of custom filters such as ad-blockers and other privacy filters can be used to fingerprint request patterns.
- **JavaScript**
JavaScript can reveal a lot of fingerprinting information.
It provides DOM objects such as `window.screen` and `window.navigator` to extract information about the user agent.
Also, JavaScript can be used to query the user's timezone via the `Date()` object, [WebGL](https://www.khronos.org/registry/webgl/specs/1.0/#5.13) can reveal information about the video card in use, and high precision timing information can be used to [fingerprint the CPU and interpreter speed](https://cseweb.ucsd.edu/~hovav/dist/jspriv.pdf).
JavaScript features such as [Resource Timing](https://www.w3.org/TR/resource-timing/) may leak an unknown amount of network timing related information.
And, moreover, JavaScript is able to [extract](https://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf) [available](https://www.cosic.esat.kuleuven.be/fpdetective/) [fonts](https://hal.inria.fr/hal-01285470v2/document) on a device with high precision.
- **CSS media queries**
[CSS media queries](https://developer.mozilla.org/En/CSS/Media_queries) can be inserted to gather information about the desktop size, widget size, display type, DPI, user agent type, and other information that was formerly available only to JavaScript.
3.**Fingerprint network traffic**
4.**Exploit the browser or operating system**
#### Old
1.**Read and insert identifiers**
...
...
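Review bot: items 3 and 4 ("Fingerprint network traffic", "Exploit the browser or operating system") are bare headings with no Positioning sub-list and no body, unlike items 1 and 2, and the "#### Old" heading followed by "1.**Read and insert identifiers**" leaves the superseded text in the rendered document; either complete items 3 and 4 in the same shape as items 1 and 2 or mark them as pending, and remove the "Old" block before merge rather than shipping both versions. The two near-identical sentences "The adversary can perform the following attacks from a number of different positions..." and "...from a number of possible positions or combinations of positions..." should not both survive; keep the second. The ordered-list markers ("1.**Read and write identifiers**", "2.**Fingerprint browser properties**", etc.) again lack the space CommonMark needs to render a list, and spelling is mixed between "Observing request behaviour" and "Properties of the user's request behavior" in adjacent lines; pick one variant to match the rest of the section ("customisations", "deanonymise").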
@@ -355,6 +415,7 @@ Others are performed by ad servers seeking to correlate users' activity across d
3.**Website traffic fingerprinting**
Website traffic fingerprinting is an attempt by the adversary to recognize the encrypted traffic patterns of specific websites.
In the case of Tor, this attack would take place between the user and the Guard node, or at the Guard node itself.
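Review bot: this hunk's "3.**Website traffic fingerprinting**" collides with the new item "3.**Fingerprint network traffic**" introduced in the previous hunk, so the document now carries two differently titled items numbered 3; either this is the old section that should move under (and be removed with) the "#### Old" block, or the new list's title should be changed to match, but not both. The same hunk says "Guard node" where the Positioning lists elsewhere say "Exit relays"; use "Guard relay" for consistent terminology. The list marker "3.**Website..." also needs a space after the period to render as a list item.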