People's Newsroom


The general capabilities of each threat model are explained as follows.


A forum poster is the weakest threat model, representing a user of an existing Web application, who does not register domains or host application content. A forum poster uses a Web application, and potentially posts active content to the application, within the provided features. Additionally, a forum poster remains standards-compliant, and cannot create HTTP(S) requests other than those he can trigger from his browser.


The Web attacker is the most common threat model encountered in papers and represents a typical attacker who is able to register domains, obtain valid certificates for these domains, host content, use other Web applications to post content to, etc. Since none of these capabilities requires a specific attacker characteristic, such as a specific physical location, every user on the Web is able to become a Web attacker. As a consequence, the capabilities of the Web attacker are considered to be the baseline for threat models in the Web, with the forum poster as the exception to the rule.


A gadget attacker is a more powerful variant of the Web attacker, where the attacker hosts a component that is willingly integrated into the target application. Popular examples are JavaScript libraries, such as jQuery, analytics code, such as Google Analytics, or widgets, such as Google Maps. The gadget attacker is extremely relevant in the context of code isolation for mashups or complex, composite sites, which integrate content from multiple stakeholders with varying trust levels.


A related-domain attacker is an extension of the Web attacker, where the attacker is able to host content in a related domain of the target application. By hosting content in such a related domain, the attacker is able to abuse certain Web features, which are bound to the parent domain. This is the case when the attacker is able to host content on a sibling or child domain of the target application, for example on the Web sites of different departments within a company.


A related-path attacker is another extension of the Web attacker and represents an attacker who hosts an application on a different path than the target application, but within the same origin. This scenario occurs, for example, with the Web hosting of Internet Service Providers (ISPs), which often offer each of their clients a Web space under a specific path, all within the same origin. Academic papers aptly describe this attacker and its conflicts with the Web's security model, albeit without giving it an explicit name.
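As an added example (not code from the original article), the following Python model of RFC 6265 cookie domain matching, the `__Host-` cookie prefix and the same-origin check shows which boundaries the related-domain and related-path attackers above sit on: a sibling host can set a `Domain=example.com` cookie that the target application receives, host-only and `__Host-` cookies are not shared, and a related-path attacker shares the target's origin outright. All host names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_by: str                   # host that sent the Set-Cookie header
    domain: Optional[str] = None  # Domain attribute; None means host-only
def same_origin(url_a: str, url_b: str) -> bool:
    # Same-origin policy compares scheme, host and port only; the path is ignored.
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def domain_matches(request_host: str, domain: str) -> bool:
    # RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it.
    request_host, domain = request_host.lower(), domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)

def browser_accepts(cookie: Cookie) -> bool:
    # Reject a Domain the setting host is not part of, and any __Host- cookie carrying a Domain.
    if cookie.name.startswith("__Host-") and cookie.domain is not None:
        return False
    return cookie.domain is None or domain_matches(cookie.set_by, cookie.domain)

def sent_to(cookie: Cookie, request_host: str) -> bool:
    # Is the cookie attached to a request for request_host?
    if not browser_accepts(cookie):
        return False
    if cookie.domain is None:  # host-only cookies need an exact host match
        return cookie.set_by.lower() == request_host.lower()
    return domain_matches(request_host, cookie.domain)
# Constructed hosts: app.example.com is the target, dept.example.com a sibling.
TARGET, SIBLING = "app.example.com", "dept.example.com"
def related_domain_scenario() -> dict:
    return {
        # the sibling plants a parent-domain cookie and the target receives it
        "sibling_domain_cookie_reaches_target":
            sent_to(Cookie("session", "sibling-chosen", SIBLING, "example.com"), TARGET),
        # a host-only cookie set by the sibling never leaves the sibling
        "sibling_hostonly_cookie_reaches_target":
            sent_to(Cookie("session", "x", SIBLING), TARGET),
        # the __Host- prefix refuses a Domain attribute, so the target can opt out
        "prefixed_cookie_with_domain_accepted":
            browser_accepts(Cookie("__Host-session", "x", SIBLING, "example.com")),
        # a related-path attacker shares the target's origin; a sibling host does not
        "related_path_same_origin":
            same_origin("https://host.example.net/~victim/", "https://host.example.net/~other/"),
        "related_domain_same_origin": same_origin(f"https://{TARGET}/", f"https://{SIBLING}/"),
    }
```

The practical check for a deployed application is therefore whether its session cookie is host-only (no `Domain` attribute) or uses the `__Host-` prefix, since only those are immune to a sibling host planting a cookie of the same name.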


A passive network attacker is considered to be an attacker who is able to passively eavesdrop on network traffic, but cannot manipulate or spoof traffic. A passive network attacker is expected to learn all unencrypted information. Additionally, a passive network attacker can also act as a Web attacker, for which no specific requirements are needed. Depending on the system under attack, the passive network attacker may require a specific physical location to eavesdrop on the network traffic. One common example of a passive network attack is an attacker eavesdropping on unprotected wireless communications, which are ubiquitous thanks to publicly accessible Wi-Fi networks and freely available hotspots.

The revelations of 2013 showed that many intelligence services across the globe have powerful traffic monitoring capabilities. These pervasive monitoring capabilities are essentially passive network attacks, albeit on a very large scale compared to the traditional passive network attacker. In response to the revelations, the IETF has drawn up a best current practice stating that specifications should treat pervasive monitoring as an attack.


An active network attacker is considered to be capable of launching active attacks on a network, for example by controlling a DNS server, spoofing network frames, offering a rogue access point, etc. An active network attacker has the ability to read, control, inject and block the contents of all unencrypted network traffic. An active network attacker is generally not considered to be capable of presenting valid certificates for HTTPS sites that are not under his control, unless he obtains fraudulent certificates or uses attacks such as SSL stripping.
