<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"file:///usr/share/sgml/docbook/xml-dtd-4.4-1.0-30.1/docbookx.dtd">
<article id="design">
<articleinfo>
<title>Torbutton Design Documentation</title>
<author>
<firstname>Mike</firstname><surname>Perry</surname>
<affiliation>
<address><email>mikeperry.fscked/org</email></address>
</affiliation>
</author>
<pubdate>Apr 10 2011</pubdate>
</articleinfo>
<sect1>
<title>Introduction</title>
<para>
This document describes the goals, operation, and testing procedures of the
Torbutton Firefox extension. It is current as of Torbutton 1.3.2.
</para>
<sect2 id="adversary">
<title>Adversary Model</title>
<para>
A Tor web browser adversary has a number of goals, capabilities, and attack
types that can be used to guide us towards a set of requirements for the
Torbutton extension. Let's start with the goals.
</para>
<sect3 id="adversarygoals">
<title>Adversary Goals</title>
<orderedlist>
<!-- These aren't really commands.. But it's the closest I could find in an
acceptable style.. Don't really want to make my own stylesheet -->
<listitem><command>Bypassing proxy settings</command>
<para>The adversary's primary goal is direct compromise and bypass of
Tor, causing the user to directly connect to an IP of the adversary's
choosing.</para>
</listitem>
<listitem><command>Correlation of Tor vs Non-Tor Activity</command>
<para>If direct proxy bypass is not possible, the adversary will likely
happily settle for the ability to correlate something a user did via Tor with
their non-Tor activity. This can be done with cookies, cache identifiers,
javascript events, and even CSS. Sometimes the fact that a user uses Tor may
be enough for some authorities.</para>
</listitem>
<listitem><command>History disclosure</command>