[tor-bugs] #6119 [Applications/Quality Assurance and Testing]: Create our own instance of Panopticlick
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun May 29 18:54:20 UTC 2016
#6119: Create our own instance of Panopticlick
------------------------------------------------------+--------------------------
Reporter:  mikeperry                                  | Owner: cypherpunks
Type:      project                                    | Status: new
Priority:  Very High                                  | Milestone:
Component: Applications/Quality Assurance and Testing | Version:
Severity:  Normal                                     | Resolution:
Keywords:  tbb-fingerprinting                         | Actual Points:
Parent ID: #5292                                      | Points:
Reviewer:                                             | Sponsor:
------------------------------------------------------+--------------------------
Comment (by arthuredelstein):
Replying to [comment:31 qSKvY]:
> Replying to [comment:30 arthuredelstein]:
> >
> > This is great. I noticed a bug in the font detection in
> > fingerprintjs2, which I have reported there:
> > https://github.com/Valve/fingerprintjs2/pull/159
> >
> Thanks. I updated the code for that test.
>
> >
> > One thing that might be interesting is to look at CSS-only
> > fingerprinting techniques, because users often disable JS in Tor Browser.
> > Tor Browser protects against quite a lot of CSS attacks, but it's possible
> > more protection is needed. I did one such experiment here:
> > https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
> That's a neat test. I'd be interested in modifying it and putting it on
> my site, if you don't mind.
Yes, feel free to use it.
> Do you have a way of reporting the results back to the server?
> I think reporting the results back to the server without using JS is a
> big hurdle, but if it was possible a CSS-only fingerprinting attack would
> be very powerful.
My demo does report to a server. There's a separate media query that makes
a unique HTTP request for each possible width and for each possible
height. For example, if the screen width is 193px, then the following
media query matches:
{{{
@media (width: 193px) { #width { background-image:
url("http://dummyimage.com/50x30/fff/000&text=193&dim=width"); } }
}}}
The image [http://dummyimage.com/50x30/fff/000&text=193&dim=width] is
therefore requested, which results in the number 193 being displayed in
the page. But if you wanted to use this to record screen sizes on your own
server instead, you could provide a `background-image: url(...)` that
points to your server, with the matched width in a query string.
Here's the script I used to generate the CSS file:
https://raw.githubusercontent.com/arthuredelstein/tordemos/gh-pages/generate-size-query-demo
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6119#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
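
An added example, not part of the comment above or of the tordemos repository: a Node.js audit that flags stylesheets using the pattern the comment describes, where an `@media` block tests a pixel dimension and its body fetches a URL, so the request itself reports the matched size. The function names, the `example.invalid` host and the regex-based scanning are assumptions made for illustration; CSS comments and `@import` are not handled.

```javascript
// Constructed sample: the rule quoted in the comment, two rules in the same style
// (example.invalid is a placeholder host) and a responsive rule that fetches nothing.
const SAMPLE_CSS = `
@media (width: 193px) { #width { background-image:
  url("http://dummyimage.com/50x30/fff/000&text=193&dim=width"); } }
@media (width: 194px) { #width { background-image: url(http://example.invalid/w?px=194); } }
@media (height: 768px) { #height { background-image: url('http://example.invalid/h?px=768'); } }
@media (max-width: 600px) { nav { display: none; } }
`;

const DIMENSION = /\(\s*((?:min-|max-)?(?:device-)?(?:width|height))\s*:\s*([\d.]+)px\s*\)/gi;
const URL_REF = /url\(\s*(["']?)(.*?)\1\s*\)/gi;

// Index of the '}' closing the block opened at `open`, honouring nested braces.
function closingBrace(css, open) {
  let depth = 0;
  for (let i = open; i < css.length; i++) {
    if (css[i] === "{") depth++;
    else if (css[i] === "}" && --depth === 0) return i;
  }
  return css.length; // unterminated block: the rest of the file is its body
}

// Every @media block that tests a pixel dimension and whose body references a URL.
function findDimensionLeaks(css) {
  const findings = [];
  const atMedia = /@media\b([^{]*)\{/gi;
  for (let m; (m = atMedia.exec(css)) !== null; ) {
    const open = m.index + m[0].length - 1;
    const close = closingBrace(css, open);
    const conditions = [...m[1].matchAll(DIMENSION)]
      .map((c) => ({ feature: c[1].toLowerCase(), px: Number(c[2]) }));
    const urls = [...css.slice(open + 1, close).matchAll(URL_REF)].map((u) => u[2]);
    if (conditions.length && urls.length) findings.push({ conditions, urls });
    atMedia.lastIndex = close + 1; // skip the body so nested rules are not rescanned
  }
  return findings;
}

// Features probed at `minValues` or more distinct sizes: the per-size enumeration pattern.
function enumeratedFeatures(findings, minValues = 2) {
  const seen = new Map();
  for (const f of findings)
    for (const { feature, px } of f.conditions)
      seen.set(feature, (seen.get(feature) || new Set()).add(px));
  return [...seen].filter(([, v]) => v.size >= minValues).map(([k]) => k);
}

console.log(findDimensionLeaks(SAMPLE_CSS), enumeratedFeatures(findDimensionLeaks(SAMPLE_CSS)));
```

The ordinary `max-width` rule is not reported because it triggers no request; only size-conditional fetches are, and a feature tested at many distinct pixel values is the signature of the per-size enumeration.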