[tor-dev] Panopticlick summer project
Yan Zhu
yan at torproject.org
Mon Mar 17 10:44:19 UTC 2014
(resending to tor-dev because the original message didn't go through)
On 03/16/2014 11:52 PM, Yan Zhu wrote:
> On 03/16/2014 07:59 PM, Gunes Acar wrote:
>> Dear All,
>>
>> My name is Gunes Acar, a 2nd year PhD student at Computer Security and
>> Industrial Cryptography (COSIC) group of University of Leuven.
>>
>> I work with Prof. Claudia Diaz and study online tracking and browser
>> fingerprinting. I'd like to work on "Panopticlick"
>> (https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick)
>> summer
>> project and other fingerprinting related issues which I tried to
>> outline below:
>
> Hi Gunes,
>
> I think all of these projects below would primarily be with EFF, not Tor
> directly. Peter and/or I would be your point of contact; I'm not
> familiar enough with Panopticlick at this time to give you much feedback
> on the ideas below, so I cc'ed Peter.
>
>>
>> 1) Collaborate with Peter at EFF to port/open-source Panopticlick:
>> https://trac.torproject.org/projects/tor/ticket/6119#comment:4
>> a) implement necessary modifications - e.g. we won't be having cookies
>> or real IP addresses to match returning visitors.
>> b) consider security implications of storing fingerprints (e.g. what
>> happens if someone gets access to fingerprint database?)
>
> Peter, what's the blocker on this? It sounds like Tor folks really want
> it to happen soon, so I'm happy to take the lead on helping get this
> open-sourced from the EFF side.
>
>>
>> 2) Add machine-readability support outlined in Tor Automation
>> proposals:
>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>> a) which one(s) should we implement? JSON, YAML, XML?
>
> No input here.
>
>>
>> 3) Survey the literature for fingerprinting attacks published since
>> Panopticlick. Implement those that may apply to TBB:
>> a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch
>> at #6253 works
>> b) JS engine fingerprinting (Mulazzani et al.)
>> c) CSS & rendering engine fingerprinting, (Unger et al.)
>
> This sounds greatly useful. Another good place to look is Mozilla's bug
> tracker (https://bugzilla.mozilla.org/).
>
>> 4) Check with realworld fingerprinting scripts to see if they collect
>> anything that is not considered before. Check if TBB's FP
>> countermeasures work against them. (We can use data from FPDetective
>> study to find sites with fingerprinting scripts)
>
> Same as above.
>
>> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case
>> they consider an update.
>
> Yes, I'm happy to get those updates into EFF's instance.
>
>> 6) Convert fixed FP-related bugs into regression tests.
>> https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=closed
>>
>> 7) Build test cases to check the severity of fingerprinting related
>> open tickets, e.g.:
>> https://trac.torproject.org/projects/tor/ticket/8770
>> https://trac.torproject.org/projects/tor/ticket/10299
>>
>> 8) Work on potential fingerprinting bugs that ESR31 may bring.
>>
>> 9) ESR transitions seem to create a lot of FP-related issues that need
>> to be checked manually (e.g. #9608). Consider developing a tool that
>> iterates over the host objects of two browsers to compare them
>> automatically (e.g. to pinpoint new objects, new methods, updated
>> default values, etc.). Similar to "diff tool" mentioned here:
>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>>
>> 10) Evaluate the font-limits of TBB by checking the average # of fonts
>> Top 1 Million sites use. We can either collect fresh data with
>> FPDetective or use the existing (~1 year old) data.
>
> All of the above sounds fine.
>
> Assuming that we can get Panopticlick open-sourced, I'm more than happy
> to help you with any of these subprojects.
>
> -Yan
> (EFF Staff Technologist / HTTPS Everywhere maintainer)
>
More information about the tor-dev
mailing list