[tor-dev] Panopticlick summer project
yan at torproject.org
Mon Mar 17 10:44:19 UTC 2014
(resending to tor-dev because the original message didn't go through)
On 03/16/2014 11:52 PM, Yan Zhu wrote:
> On 03/16/2014 07:59 PM, Gunes Acar wrote:
>> Dear All,
>> My name is Gunes Acar, a 2nd year PhD student at Computer Security and
>> Industrial Cryptography (COSIC) group of University of Leuven.
>> I work with Prof. Claudia Diaz and study online tracking and browser
>> fingerprinting. I'd like to work on "Panopticlick"
>> project and other fingerprinting related issues which I tried to
>> outline below:
> Hi Gunes,
> I think all of these projects below would primarily be with EFF, not Tor
> directly. Peter and/or I would be your point of contact; I'm not
> familiar enough with Panopticlick at this time to give you much feedback
> on the ideas below, so I cc'ed Peter.
>> 1) Collaborate with Peter at EFF to port/open-source Panopticlick:
>> a) implement necessary modifications - e.g. we won't be having cookies
>> or real IP addresses to match returning visitors.
>> b) consider security implications of storing fingerprints (e.g. what
>> happens if someone gets access to fingerprint database?)
> Peter, what's the blocker on this? It sounds like Tor folks really want
> it to happen soon, so I'm happy to take the lead on helping get this
> open-sourced from the EFF side.
>> 2) Add machine-readability support outlined in Tor Automation
>> a) which one(s) should we implement? JSON, YAML, XML?
> No input here.
>> 3) Survey the literature for fingerprinting attacks published since
>> Panopticlick. Implement those that may apply to TBB:
>> a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch
>> at #6253 works
>> b) JS engine fingerprinting (Mulazzani et al.)
>> c) CSS & rendering engine fingerprinting, (Unger et al.)
> This sounds greatly useful. Another good place to look is Mozilla's bug
> tracker (https://bugzilla.mozilla.org/).
>> 4) Check with realworld fingerprinting scripts to see if they collect
>> anything that is not considered before. Check if TBB's FP
>> countermeasures work against them. (We can use data from FPDetective
>> study to find sites with fingerprinting scripts)
> Same as above.
>> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case
>> they consider an update.
> Yes, I'm happy to get those updates into EFF's instance.
>> 6) Convert fixed FP-related bugs into regression tests.
>> 7) Build test cases to check the severity of fingerprinting related
>> open tickets, e.g.:
>> 8) Work on potential fingerprinting bugs that ESR31 may bring.
>> 9) ESR transitions seem to create a lot of FP-related issues that need
>> to be checked manually (e.g. #9608). Consider developing a tool that
>> iterates over the host objects of two browsers to compare them
>> automatically (e.g. to pinpoint new objects, new methods, updated
>> default values, etc.). Similar to "diff tool" mentioned here:
>> 10) Evaluate the font-limits of TBB by checking the average # of fonts
>> Top 1 Million sites use. We can either collect fresh data with
>> FPDetective or use the existing (~1 year old) data.
> All of the above sounds fine.
> Assuming that we can get Panopticlick open-sourced, I'm more than happy
> to help you with any of these subprojects.
> (EFF Staff Technologist / HTTPS Everywhere maintainer)
More information about the tor-dev