Merge Prop#344 to top-level Tor Spec; Officially update Tor Threat Model
@ahf suggested (and I agree) that we promote Prop#344 to spec top-level.
With the changes in #277 (closed) (MR: !355 (merged)), Prop#344 now categorizes the info leak vectors into three conceptual categories:
- Internal Covert Channels
- Behavioral Manipulation
- Augmented Observation
It now also proposes that these three categories be explicitly added to Tor's threat model. Previously, they were either explicitly excluded, or ambiguous.
This ticket will serve as a source of comments + checklist of what we need to do to make this all happen. This description will be updated. I will start Cc'ing the usual suspects after the MR lands.
We may want to make this official at the end of Project 112 (this November, I think?), and probably do a blog post, etc. about the threat model update, plus the fixes from P112.
Here's a checklist of updates I will do (will edit):
- Link-in Trapper Attack Spec Ticket (#320)
- Link-In Circuit Dirty Timeout Spec Ticket (#321)
- Comb through and maybe link study on onion svc takedowns: https://petsymposium.org/popets/2024/popets-2024-0117.pdf
- Add conflux guard info leak example to netflow section; also explain problems in original conflux rule of prop#354 in behavior manipulation section: !369 (comment 3192088)
- Link to https://blog.torproject.org/tor-is-still-safe/ wrt the ricochet case
- Consider how the new threat model categories map to bug bounty program payouts
- Mention BGP hijack as an augmented observation vector of low severity (due to detectability risk)
- Go through comments on this ticket to make sure everything is covered (esp like GK's idea of direct links to ease browsing).
- Pull's padding machine research: https://dart.cse.kau.se/tmp/eph-def-june-25.pdf
- https://gitlab.torproject.org/tpo/core/tor/-/issues/41092#note_3209817
- Maybe compare/contrast with taxonomy in https://arxiv.org/abs/2009.13018