Commit 8353bd11 authored by Valerie Aurora

Consolidate todos for threats and add mitigation set outline

parent c2f40382
+19 −12
@@ -684,18 +684,6 @@ The mitigations that reduce risk by type are:
* Likelihood: ROUT-1, CONF-\*, AUTH-\*, IPV6-\*, CRYPT-\*
* Impact: ROUT-2, ROUT-3, NUTI-\*, DNSL-\*, EISO, TRAF-\*, NPII-\*

> TODO-HAS: Renumber C.x tables

> TODO-HAS: Add below threats

- End-point compromise
  - End-point malware hijacking traffic or recording activity
  - Unauthorised but authenticated access by a compromised node/end-point
  - Misconfigured end-point exposing authentication information
- manufacturer infra compromise & isolation bugs in a multi-tenant SaaS system
- Activity exposure via unauthorised log access
- Out-of-the-box configuration that necessarily requires modification to be secure

### C.4.x TH-UEVU: Unknown exploitable vulnerabilities

Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.
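Review bot: three of the threats dropped from this list do not reappear in the consolidated list added under C.5 in this same commit: "End-point malware hijacking traffic or recording activity", "Unauthorised but authenticated access by a compromised node/end-point" and "Activity exposure via unauthorised log access". If the consolidation is meant to be lossless, carry them over; otherwise record why they are out of scope. The "Renumber C.x tables" TODO is also dropped here while the heading directly below still reads "C.4.x TH-UEVU", so that item is still open and should either stay or be actioned.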
@@ -992,6 +980,25 @@ Mitigations for Impact:

* High to Low: 

> TODO-HAS: Turn below threats into formal threats and mitigations

Threat: Reading of sensitive stored data

Threat: Deanonymization due to the use of unique egress identifiers (such as IPs)

Threat: Storing sensitive data in logs

Threat: Metadata and traffic‑analysis risks

Threat: config errors
  -TR: User interfaces, especially in regard to settings, shall be designed in a manner that prevents unintentional disabling of default security features.

Threat: Out-of-the-box configuration that necessarily requires modification to be secure

Threat: Misconfigured end-point exposing authentication information

Threat: Manufacturer infra compromise & isolation bugs in a multi-tenant SaaS system

### C.5.2 Mapping of use cases to risk factors and security profiles

| Use case | Description                 | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | SP   |
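Review bot: the consolidated threats use free-text labels ("Threat: config errors") rather than the TH-XXXX identifiers and mitigation codes (TH-UEVU, CONF-\*, AUTH-\*) used elsewhere in clause C, so they cannot be referenced from the likelihood/impact mapping until they are formalised; assigning each a provisional TH- code now would make that step mechanical. Only "config errors" carries a TR, and that TR is word for word the sentence that remains in 5.3 ("User interfaces, especially in regard to settings, shall be designed in a manner that prevents unintentional disabling of default security features."), so one of the two copies should become a cross-reference. The list also lands directly under the empty "* High to Low:" bullet, where it reads as if the threats were that bullet's content; placing the TODO block above "Mitigations for Impact:" or after a clear separator would avoid that.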
+6 −59
@@ -1096,77 +1096,24 @@ _Description of mitigation in "shall" format_.

## 5.3 Risk Mitigation Sets

### 5.3.1 Introduction
### 5.3.1 General

This clause lists all the mitigations necessary to meet requirements for each security profile.

> TODO-HAS: Fill out risk mitigation sets

> TODO-HAS: Turn below threats into formal threats and mitigations

Threat: someone is trying to login to your VPN

- TR: log access attempts

Threat: attacker has access to your VPN client/network, changes config

- TR: log configuration changes

Threat: attacker deletes local logs to hide activity

- TR: send selected logs to a remote server
### 5.3. SP-1 Individual consumer required mitigations

Threat: someone (maybe VPN provider) gets access to remote logs

- TR: don't remotely log sensitive info
- TR: don't remotely log identifying info
- TR: don't remotely log anything
- TR: delete remote logs frequently

Threat: using your connection unauthorized to transmit data
### 5.3. SP-2 Privacy conscious household required mitigations

- TR: don't send data through without user's knowledge <- what is sufficient?

Threat: Transmitting data in the clear

  - using compromised keys
    - TR: key rotation
    - TR: allow for forced key expiry
### 5.3. SP-3 Journalist or activist required mitigations

- Unauthorized reads of config data
  - TR: stored in form that can only be read with authorization
  - TR: do not transmit in the clear
- Remote code execution (on client, server, element)
  - TR: mitigation: limit privileges of VPN software
  - TR: split into smaller pieces with lower privileges on some
  - TR: fuzz testing of input data?
  - note: secure design/devel outside scope of this part unless testable on product

- DNS Leaks to local network
  - TR: integrate with things that monitor traffic

Threat: Unencrypted traffic exposes private information
### 5.3. SP-4 Small organization required mitigations

: Warning when disabling encryption
  If a VPN product is capable of disabling encryption, it **shall** provide a warning against disabling encryption

Threat: Deanonymization due to the use of unique egress identifiers (such as IPs)

Threat: Storing sensitive data in logs

Threat: Split tunneling mistakes
  - TR: Route all traffic over the VPN by default

Threat: IPv6 leaks and dual‑stack issues
  - TR: Secure IPv6 Handling

Threat: Metadata and traffic‑analysis risks
  - TR: TODO (jeroen)

User interfaces, especially in regard to settings, shall be designed in a manner that prevents unintentional disabling of default security features.

User-manageable VPN settings shall be configurable in a manner that introducing unexpected punctuation or other formatting errors cannot result in a failure of encryption.

- Requirement: administrators must be able to revoke and regenerate credentials, individually or in bulk, in case of exploit
- Disable remote access for administrators?
- MFA, obviously
> TODO-HAS: Fill out risk mitigation sets
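Review bot: the new profile headings are numbered "### 5.3. SP-1" through "### 5.3. SP-4", missing the sub-clause digit (5.3.2 to 5.3.5, following 5.3.1 General), and "TODO-HAS: Fill out risk mitigation sets" now appears twice, once under 5.3.1 and again at the end of the clause; keep one. The per-file stat is +6 −59, and most of the threat/TR material visible in this hunk (logging of access attempts and configuration changes, remote log exfiltration and retention rules, key rotation and forced expiry, unauthorised reads of config data, RCE on client/server/element with privilege reduction and splitting, DNS leaks, the warning when disabling encryption, split tunneling, IPv6 handling, the punctuation/formatting requirement, credential revocation and MFA) does not reappear in the consolidated C.5 list added in this commit, which only carries over deanonymization, storing sensitive data in logs, metadata/traffic analysis, config errors, out-of-the-box configuration, misconfigured end-points and manufacturer infra compromise. Either move the remainder to the C.5 TODO list as well, or state in the commit that the existing mapping (ROUT-\*, CONF-\*, AUTH-\*, IPV6-\*, CRYPT-\*, DNSL-\*) already covers them.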