diff --git a/threat-model.md b/threat-model.md index da6f5de..931ee64 100644 --- a/threat-model.md +++ b/threat-model.md @@ -229,7 +229,7 @@ Capabilities: * Delete: Possible if the origin/destination is on Lou's network 4. Metadata of a communication stream * Read: Possible to read the origin/destination if the transport is linkable and the origin/destination is on Lou's network - * Update: Possible if the origin/destination is on Lou's network (delaying the stream) + * Update: Possible if the origin/destination is on Lou's network (spoofing addresses, truncating/extending/delaying the stream) * Delete: Possible if the origin/destination is on Lou's network 5. Existence of a contact relationship between two users * Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the origin or destination is on Lou's network. Possible if the users add each other as contacts using Lou's network @@ -248,7 +248,7 @@ Capabilities: * Delete: Possible if the stream crosses Rex's network 4. Metadata of a communication stream * Read: Possible to read the origin and destination if the transport is linkable and the stream crosses Rex's network - * Update: Possible if the stream crosses Rex's network (delaying the stream) + * Update: Possible if the stream crosses Rex's network (spoofing addresses, truncating/extending/delaying the stream) * Delete: Possible if the stream crosses Rex's network 5. Existence of a contact relationship between two users * Read: Possible if one of the users sends a stream to the other, and the transport is linkable, and the stream crosses Rex's network 
@@ -283,43 +283,43 @@ Phil can sign into Alice's account if: * Phil can brute-force the account credentials 5. Existence of a contact relationship between two users - * Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice while she is signed in + * Read: Possible if Phil observes the users adding each other as contacts. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app 6. Number of a user's contacts - * Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, if Phil observes Alice using the app 7. Number of two users' mutual contacts - * Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible to read a lower bound using the rules for reading the existence of a contact relationship between users. Possible to read a lower bound using the rules for Alice, if Phil observes Alice using the app 8. Identities of a user's contacts - * Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice while she is signed in + * Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. 
Possible using the rules for Alice, and the rules for reading which user owns a nym, if Phil observes Alice using the app 9. Identities of two users' mutual contacts - * Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible to read a subset using the rules for reading the existence of a contact relationship between users. Possible to read a subset using the rules for Alice, if Phil observes Alice using the app 10. A user's participation in a group - * Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app 11. Existence of a contact relationship between two nyms: - * Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible using the rules for reading the existence of a contact relationship between two users, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app 12. Number of a nym's contacts - * Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible using the rules for reading the number of a user's contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice, if Phil observes Alice using the app 13. 
Number of two nyms' mutual contacts - * Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice ,if Phil observes Alice while she is signed in + * Read: Possible using the rules for reading the number of two users' mutual contacts, and the rules for reading which user owns a nym. Possible using the rules for Alice ,if Phil observes Alice using the app 14. Nyms of a nym's contacts - * Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible using the rules for reading the identities of a user's contacts, the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app 15. Nyms of two nyms' mutual contacts - * Read: Possible using the rules for reading the identities of two users' mutual contacts , the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible using the rules for reading the identities of two users' mutual contacts , the rules for reading which user owns a nym, and the rules for reading which nym a user owns. Possible using the rules for Alice, if Phil observes Alice using the app 16. A nym's participation in a group - * Read: Possible if Phil observes the nym's owner while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible if Phil observes the nym's owner using the app. Possible using the rules for Alice, if Phil observes Alice using the app 17. 
Which user owns a nym - * Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app 18. Which nym a user owns - * Read: Possible if Phil observes the user while she is signed in. Possible using the rules for Alice, if Phil observes Alice while she is signed in + * Read: Possible if Phil observes the user using the app. Possible using the rules for Alice, if Phil observes Alice using the app
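
Review bot: In the hunk at @@ -229 (Lou, item 4), the new Update parenthetical mixes changes to different metadata: "spoofing addresses" alters the origin/destination, while "truncating/extending/delaying the stream" alters its length and timing. The Read line of the same item only names the origin/destination as metadata, so it would help to say which fields each action updates, for example "(origin/destination: spoofing addresses; length and timing: truncating, extending or delaying the stream)". It is also worth stating whether truncation belongs here or under the Delete line of the preceding item, since cutting a stream short removes part of it.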
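
Review bot: In the hunk at @@ -248 (Rex, item 4), the Update line now includes "spoofing addresses" but is conditioned only on "the stream crosses Rex's network", whereas the Read line just above it also requires that "the transport is linkable". If spoofing the origin or destination depends on the transport exposing those addresses, the Update line needs the same linkability condition; if it does not, a short note saying why Update is possible where Read is not would make the asymmetry explicit. The same question applies to the matching Lou line in the previous hunk.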
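
Review bot: In the hunk at @@ -283 (Phil, items 5 to 18), the replacement phrase "if Phil observes Alice using the app" is ambiguous in two ways: it can be read as Phil using the app to observe Alice, and it follows "using the rules for Alice" so "using" carries two meanings in one sentence. Suggest "if Phil observes Alice while she is using the app", which also keeps the structure of the wording it replaces. Since the old condition was "while she is signed in", the document should say whether "using the app" is meant to cover the sign-in step itself, because the hunk's context line refers to Phil signing into Alice's account. The added lines for items 13 and 15 also carry over the stray spaces in "Alice ,if" and "mutual contacts , the"; these are worth fixing while the lines are being touched.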