Threat Model

OnionHat assumes a hostile and asymmetric environment. This document describes what our systems are designed to resist, what they explicitly do not protect against, and where responsibility remains with the operator or user.

This is not a promise of safety. It is an accounting of risk.

Adversaries Considered

Passive Network Observers

Actors capable of monitoring traffic patterns, timing, and metadata at various points in the network stack.

Mitigation: Traffic minimization, routing diversity, avoidance of centralized dependencies.

Active Network Interference

Actors capable of injecting, delaying, or selectively dropping traffic.

Mitigation: Redundancy, retry semantics, failure-tolerant routing.

Infrastructure Providers

Cloud vendors, registrars, CDNs, and upstream intermediaries with economic or legal leverage.

Mitigation: Minimization of third-party services, jurisdictional diversity, preference for self-operated infrastructure.

Corporate Surveillance Systems

Tracking and profiling mechanisms embedded in modern application stacks.

Mitigation: No third-party analytics, no behavioral telemetry, no embedded trackers.

Legal and Regulatory Pressure

Subpoenas, warrants, or informal compliance requests.

Mitigation: Minimal data retention, short log lifetimes, systems designed to have little to disclose.

Explicitly Out of Scope

• Endpoint compromise
• Global omniscient adversaries
• User-side insider threats
• Social engineering attacks

Claims to defend against these are not credible.

Design Assumptions

• Networks are observable
• Systems fail
• Dependencies exert power
• Logs become liabilities
• Convenience erodes autonomy

These are defaults, not edge cases.

User Responsibility

Users remain responsible for:

• Endpoint security
• Credential hygiene
• Risk evaluation
• Understanding system limits

OnionHat provides tools and documentation, not absolution.