[tor-dev] Panopticlick summer project

Gunes Acar gunes.acar at esat.kuleuven.be
Sat Apr 19 05:48:23 UTC 2014


Sorry everyone for the long pause.

I wrote down a proposal (and some code) to address issues raised by
Mike and George:

Looking for your comments and criticism...

On 03/21/2014 11:39 PM, Peter Eckersley wrote:
> I think we're fine with open sourcing under the Affero GPLv3.
> On Tue, Mar 18, 2014 at 12:28:12PM -0700, Mike Perry wrote:
>> Yan Zhu:
>>> On 03/17/2014 04:41 AM, Gunes Acar wrote:
>>>> Hi Yan,
>>>> Glad that you're interested in the project. It'd be very nice
>>>> to collaborate with you on this.
>>>> Indeed, we've been corresponding with Peter for a related
>>>> project and I mentioned my intention to work as a middleman
>>>> between EFF and Tor.
>>> Great, it seems that Peter and I are both interested and
>>> willing to help.
>>> Regarding 
>>> https://trac.torproject.org/projects/tor/ticket/6119#comment:10,
>>> Peter says he has some reluctance to open source the project
>>> (not the data) because it might make it easier for some
>>> websites to track visitors without their consent.
>> This might have been a valid concern 5 years ago, but now it's
>> just a joke. The tests on Panopticlick are ancient, widely known,
>> easy to reproduce, and since then much more severe and invasive
>> mechanisms of fingerprinting have been developed/deployed
>> in modern browsers.
>> Moreover, only 2 of the tests it performs actually apply to Tor
>> Browser users.
>> Banks in particular have already deployed some of the techniques
>> we've fixed that the EFF study entirely predates. And these
>> techniques are far higher entropy than browser resolution (such
>> as localhost open port enumeration, OS theme fingerprinting, and
>> HTML5+WebGL canvas rendering+extraction+hashing).
>> Not only should we (as Tor) publicly provide tests and
>> easy-to-deploy working PoC code for all of these vectors, we
>> should also endeavor to detail cases where major browser vendors
>> are ignoring or exacerbating this problem, and make it easy for
>> everyone to test and observe this behavior themselves.
>> Not sure if that means the EFF now has a conflict of interest
>> with this project for some ridiculous reason, but frankly any
>> attempt at trying to "hide" these techniques is downright silly.
>> They are too well known (most are publicly documented elsewhere,
>> or at least on our bugtracker), and there's waaay too much money
>> on the other side of the fence in terms of incentives to develop
>> and deploy working attacks.
>> Further, starting from the EFF codebase might also be a hindrance
>> to us. It is not designed for measuring the effects of defenses.
>> In fact, its measurement mechanisms actively penalize any attempt
>> at defense development (because any approach to alter browser
>> behavior instantly makes you more unique than the previous
>> userbase).
>> I actually think Panopticlick has of late done more to prevent
>> browser fingerprinting defense development than to encourage it.
>> I would really like to see it DIAF.
>> Here's hoping we can make something better!
>> -- Mike Perry

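Mike's point that Panopticlick's metric penalizes defenses can be shown with a Panopticlick-style surprisal calculation: the first browser to adopt a defense reports a fingerprint nobody else has and is scored as maximally unique, while the defense only lowers the population's entropy once many users run it. This is an added example, not code from the thread or from the Panopticlick project; the population, fingerprint fields and defense values are constructed for illustration.

```python
import math
from collections import Counter

# Constructed fingerprint population: (browser, screen size, font-set hash).
# Counts are invented for illustration, not real Panopticlick data.
POPULATION = (
    [("Firefox/28", "1920x1080", "fontsetA")] * 400
    + [("Firefox/28", "1366x768", "fontsetA")] * 300
    + [("Chrome/33", "1920x1080", "fontsetB")] * 250
    + [("Chrome/33", "1440x900", "fontsetC")] * 50
)

def surprisal_bits(population, fingerprint):
    """Panopticlick-style 'bits of identifying information':
    log2(N / browsers sharing this fingerprint). The measured visitor
    is added to the population, so an unseen fingerprint is shared by one."""
    shared = Counter(population).get(fingerprint, 0) + 1
    return math.log2((len(population) + 1) / shared)

def entropy_bits(population):
    """Shannon entropy of the whole fingerprint distribution."""
    n = len(population)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(population).values())

def apply_defense(fp):
    """Hypothetical Tor-Browser-style defense: report one uniform screen
    size and font set, collapsing several real configurations onto one
    value. The browser field is left unchanged to keep the example small."""
    browser, _screen, _fonts = fp
    return (browser, "1000x1000", "bundled-fonts")

def compare():
    # The same browser scored undefended, then as the first adopter of
    # the defense, both against the undefended population.
    undefended = surprisal_bits(POPULATION, POPULATION[0])
    first_adopter = surprisal_bits(POPULATION, apply_defense(POPULATION[0]))
    # Once everyone runs the defense, the population's entropy drops.
    defended_pop = [apply_defense(fp) for fp in POPULATION]
    return {
        "undefended_bits": round(undefended, 2),
        "first_adopter_bits": round(first_adopter, 2),
        "population_entropy_before": round(entropy_bits(POPULATION), 2),
        "population_entropy_after": round(entropy_bits(defended_pop), 2),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The first adopter scores close to the maximum log2(1001) bits even though the defense, once adopted by the whole population, roughly halves the distribution's entropy.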