[tor-dev] Panopticlick summer project
gunes.acar at esat.kuleuven.be
Mon Mar 17 02:59:46 UTC 2014
My name is Gunes Acar, a 2nd year PhD student at the Computer Security and
Industrial Cryptography (COSIC) group of the University of Leuven.
I work with Prof. Claudia Diaz and study online tracking and browser
fingerprinting. I'd like to work on "Panopticlick"
project and other fingerprinting-related issues which I tried to
1) Collaborate with Peter at EFF to port/open-source Panopticlick:
a) implement necessary modifications - e.g. we won't be having cookies
or real IP addresses to match returning visitors.
b) consider security implications of storing fingerprints (e.g. what
happens if someone gets access to fingerprint database?)
2) Add machine-readability support outlined in Tor Automation
a) which one(s) should we implement? JSON, YAML, XML?
3) Survey the literature for fingerprinting attacks published since
Panopticlick. Implement those that may apply to TBB:
a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch
at #6253 works
b) JS engine fingerprinting (Mulazzani et al.)
c) CSS & rendering engine fingerprinting, (Unger et al.)
4) Check with real-world fingerprinting scripts to see if they collect
anything that has not been considered before. Check if TBB's FP
countermeasures work against them. (We can use data from FPDetective
study to find sites with fingerprinting scripts)
5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case
they consider an update.
6) Convert fixed FP-related bugs into regression tests.
7) Build test cases to check the severity of fingerprinting-related
open tickets, e.g.:
8) Work on potential fingerprinting bugs that ESR31 may bring.
9) ESR transitions seem to create a lot of FP-related issues that need
to be checked manually (e.g. #9608). Consider developing a tool that
iterates over the host objects of two browsers to compare them
automatically (e.g. to pinpoint new objects, new methods, updated
default values, etc.). Similar to "diff tool" mentioned here:
10) Evaluate the font-limits of TBB by checking the average # of fonts
Top 1 Million sites use. We can either collect fresh data with
FPDetective or use the existing (~1 year old) data.
More on my background relevant to fingerprinting and TBB code base:
We recently published a paper called "FPDetective: Dusting the Web for
Fingerprinters" (CCS'13) to measure the prevalence of browser
fingerprinting on the Internet. As a part of this study, we built
instrumented browsers from Chromium and PhantomJS source code and
developed a framework to detect fingerprinting
I also got my hands dirty with the TBB source code to seek
vulnerabilities in FP countermeasures. Two ways I found to circumvent
existing font limits were as follows:
My website: http://www.esat.kuleuven.be/cosic/?page_id=126
FPDetective website: https://www.cosic.esat.kuleuven.be/fpdetective/
My (first & only) Tor patch:
My Tor FAQ profile: http://tor.stackexchange.com/users/731/gacar
Looking for your comments,
N.B.: I won't be applying to GSoC.
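Item 9 of the message above proposes a tool that iterates over the host objects of two browsers and reports new objects, new methods and updated default values. The sketch below is an added example, not part of the original message and not Tor Project code; the function names `snapshot` and `diffSnapshots` are hypothetical, and `OLD_NAV`/`NEW_NAV` are constructed stand-ins for `navigator` in two builds, not real ESR differences.

```javascript
// Added example. Records "path -> type[:value]" for every property reachable from root.
function snapshot(root, rootName, maxDepth = 3) {
  const out = Object.create(null);
  const seen = new WeakSet();              // guards against cycles such as window.window
  (function walk(obj, path, depth) {
    if (seen.has(obj) || depth > maxDepth) return;
    seen.add(obj);
    // Walk the prototype chain too: host-object members mostly live on prototypes.
    for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
      for (const key of Object.getOwnPropertyNames(o)) {
        const p = `${path}.${key}`;
        if (p in out) continue;            // already recorded from a nearer object
        let value;
        try { value = obj[key]; }          // getters on host objects may throw
        catch (e) { out[p] = `throws:${e && e.name}`; continue; }
        const t = value === null ? "null" : typeof value;
        if (t === "object") { out[p] = t; walk(value, p, depth + 1); }
        else if (t === "function") out[p] = t;
        else out[p] = `${t}:${String(value)}`;   // keep primitive default values
      }
    }
  })(root, rootName, 0);
  return out;
}

// Compare two snapshots: new paths, vanished paths, and changed types or defaults.
function diffSnapshots(oldSnap, newSnap) {
  const added = [], removed = [], changed = [];
  for (const p of Object.keys(newSnap)) {
    if (!(p in oldSnap)) added.push(p);
    else if (oldSnap[p] !== newSnap[p]) changed.push(`${p}: ${oldSnap[p]} -> ${newSnap[p]}`);
  }
  for (const p of Object.keys(oldSnap)) if (!(p in newSnap)) removed.push(p);
  return { added: added.sort(), removed: removed.sort(), changed: changed.sort() };
}

// Constructed sample data (assumption): plain objects imitating two navigator objects.
const OLD_PROTO = { javaEnabled() { return false; }, taintEnabled() { return false; } };
const OLD_NAV = Object.assign(Object.create(OLD_PROTO),
  { buildID: "20000101000000", doNotTrack: "unspecified", mimeTypes: { length: 0 } });
const NEW_PROTO = { javaEnabled() { return false; }, sendBeacon() { return true; },
  get battery() { throw new TypeError("constructed"); } };
const NEW_NAV = Object.assign(Object.create(NEW_PROTO),
  { buildID: "20000101000000", doNotTrack: "1", mimeTypes: { length: 0 } });

console.log(diffSnapshots(snapshot(OLD_NAV, "navigator"), snapshot(NEW_NAV, "navigator")));
```

In a browser, the same `snapshot` call would be run against `window.navigator` (or `window`) in each build, serialized with `JSON.stringify`, and the two files diffed offline.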