[tor-dev] Panopticlick summer project

Gunes Acar gunes.acar at esat.kuleuven.be
Mon Mar 17 11:41:03 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Yan,

Glad that you're interested in the project.
It'd be very nice to collaborate with you on this.

Indeed, we've been corresponding with Peter for a related project and
I mentioned my intention to work as a middleman between EFF and Tor.

In addition to Peter, it'd be very nice to hear what the Tor side thinks,
especially the potential mentors Nicolas, Mike and Georg.

Cheers,
Gunes

On 03/17/2014 11:44 AM, Yan Zhu wrote:
> (resending to tor-dev because the original message didn't go
> through)
> 
> On 03/16/2014 11:52 PM, Yan Zhu wrote:
>> On 03/16/2014 07:59 PM, Gunes Acar wrote:
>>> Dear All,
>>> 
>>> My name is Gunes Acar, a 2nd year PhD student at Computer
>>> Security and Industrial Cryptography (COSIC) group of
>>> University of Leuven.
>>> 
>>> I work with Prof. Claudia Diaz and study online tracking and
>>> browser fingerprinting. I'd like to work on "Panopticlick" 
>>> (https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick)
>>> summer project and other fingerprinting related issues which I tried
>>> to outline below:
>> 
>> Hi Gunes,
>> 
>> I think all of these projects below would primarily be with EFF,
>> not Tor directly. Peter and/or I would be your point of contact;
>> I'm not familiar enough with Panopticlick at this time to give
>> you much feedback on the ideas below, so I cc'ed Peter.
>> 
>>> 
>>> 1) Collaborate with Peter at EFF to port/open-source
>>> Panopticlick: 
>>> https://trac.torproject.org/projects/tor/ticket/6119#comment:4 
>>> a) implement necessary modifications - e.g. we won't be having
>>> cookies or real IP addresses to match returning visitors.
>>> b) consider security implications of storing fingerprints (e.g.
>>> what happens if someone gets access to the fingerprint database?)
>> 
>> Peter, what's the blocker on this? It sounds like Tor folks
>> really want it to happen soon, so I'm happy to take the lead on
>> helping get this open-sourced from the EFF side.
>> 
>>> 
>>> 2) Add machine-readability support outlined in Tor Automation 
>>> proposals: 
>>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>>> a) which one(s) should we implement? JSON, YAML, XML?
>> 
>> No input here.
>> 
>>> 
>>> 3) Survey the literature for fingerprinting attacks published
>>> since Panopticlick. Implement those that may apply to TBB:
>>> a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the
>>> patch at #6253 works
>>> b) JS engine fingerprinting (Mulazzani et al.)
>>> c) CSS & rendering engine fingerprinting (Unger et al.)
>> 
>> This sounds greatly useful. Another good place to look is
>> Mozilla's bug tracker (https://bugzilla.mozilla.org/).
>> 
>>> 4) Check with real-world fingerprinting scripts to see if they
>>> collect anything that is not considered before. Check if TBB's
>>> FP countermeasures work against them. (We can use data from
>>> FPDetective study to find sites with fingerprinting scripts)
>> 
>> Same as above.
>> 
>>> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick
>>> in case they consider an update.
>> 
>> Yes, I'm happy to get those updates into EFF's instance.
>> 
>>> 6) Convert fixed FP-related bugs into regression tests. 
>>> https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=closed
>>> 
>>> 7) Build test cases to check the severity of fingerprinting related
>>> open tickets, e.g.: 
>>> https://trac.torproject.org/projects/tor/ticket/8770 
>>> https://trac.torproject.org/projects/tor/ticket/10299
>>> 
>>> 8) Work on potential fingerprinting bugs that ESR31 may bring.
>>> 
>>> 9) ESR transitions seem to create a lot of FP-related issues
>>> that need to be checked manually (e.g. #9608). Consider
>>> developing a tool that iterates over the host objects of two
>>> browsers to compare them automatically (e.g. to pinpoint new
>>> objects, new methods, updated default values, etc.). Similar to
>>> "diff tool" mentioned here: 
>>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>>> 
>>> 10) Evaluate the font-limits of TBB by checking the average # of fonts
>>> Top 1 Million sites use. We can either collect fresh data with 
>>> FPDetective or use the existing (~1 year old) data.
>> 
>> All of the above sounds fine.
>> 
>> Assuming that we can get Panopticlick open-sourced, I'm more than
>> happy to help you with any of these subprojects.
>> 
>> -Yan (EFF Staff Technologist / HTTPS Everywhere maintainer)
>> 
> 
> _______________________________________________ tor-dev mailing
> list tor-dev at lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTJt9OAAoJEPb7JcMmVt4gYagH/1UXZvWk373q5itGGECA+9T/
NXh2lIQbTZE9GKpPELhkxNHxScQ74e5Wgu3OBnOT4v5qHChhu5IhyISLnQ1nIMoA
9q1WjlVKWOGGB7eem7FCyuat8If0ZukINcG2P6f5VoWPpkkOXqtM5LiDZkVWwDmQ
OFN4tYMgwJR4EgGDF7B79uQaYVNidpBtebsU8hK6ulTYKlyPRdtaCkNBqgTTRMqZ
FhyCl9KUmT7Z9zQKOnHLPZL7PKVyP18Mu0rzKp0rSC9yKahR7UZW+ax8hLAkvF5E
+chN7CPzujCQwd+WfzC9pJEHMeJhknjmGCjA6xgbfeRen6a1mu7siiUAEM9htGg=
=EVkv
-----END PGP SIGNATURE-----
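Item 9 in Gunes' list asks for a tool that iterates over the host objects of two browser builds and reports new objects, new methods and changed default values, and item 2 asks for machine-readable output. The block below is an added illustration of that idea, not code from this thread, from Tor Browser or from Panopticlick. It walks an object graph to a bounded depth into a flat, JSON-serialisable snapshot and diffs two snapshots. The `esrOld` and `esrNew` objects are constructed stand-ins for `window` in two builds; every property name and value in them is invented for the example and is not real Tor Browser data.

```javascript
// Added example, not code from the tor-dev thread, Tor Browser or Panopticlick.
// A bounded walk over a browser's host objects that yields a flat, JSON-serialisable
// snapshot, plus a diff between two such snapshots.

// Describe one property value. Primitive values are kept because changed
// defaults between builds are one of the things we want to catch.
function describe(value) {
  if (value === null) return { type: 'null' };
  const t = typeof value;
  if (t === 'function') return { type: 'function', length: value.length }; // arity change => changed signature
  if (t === 'object') return { type: 'object' };
  if (t === 'symbol' || t === 'bigint') return { type: t, value: value.toString() };
  return { type: t, value };
}

// Own property names of `obj` and of its prototype chain, stopping at the generic
// Object/Function prototypes. In a real browser most host-object members
// (navigator.userAgent, Navigator.prototype.javaEnabled, ...) are inherited,
// non-enumerable getters, so a plain `for...in` would miss most of them.
function propertyNames(obj) {
  const names = new Set();
  for (let o = obj; o && o !== Object.prototype && o !== Function.prototype; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) names.add(n);
  }
  return [...names].sort();
}

// Walk `root` up to `maxDepth` levels and return { "window.navigator.userAgent": {...}, ... }.
// Cycles and aliases (window.self === window) are recorded once, and getters that
// throw are recorded as throwing rather than aborting the walk: a deliberately
// disabled API is itself an observable difference between builds.
function snapshotHostObjects(root, maxDepth = 2, rootName = 'window') {
  const out = {};
  const seen = new Map([[root, rootName]]); // object -> path where it was first reached
  function walk(obj, path, depth) {
    let names;
    try { names = propertyNames(obj); } catch (e) { out[path] = { type: 'unreadable', error: e && e.name }; return; }
    for (const name of names) {
      const childPath = path + '.' + name;
      let value;
      try {
        value = obj[name];
      } catch (e) {
        out[childPath] = { type: 'throws', error: e && e.name };
        continue;
      }
      const isRef = value !== null && (typeof value === 'object' || typeof value === 'function');
      if (isRef && seen.has(value)) {
        out[childPath] = { type: 'alias', of: seen.get(value) };
        continue;
      }
      out[childPath] = describe(value);
      if (isRef && depth < maxDepth) {
        seen.set(value, childPath);
        walk(value, childPath, depth + 1);
      }
    }
  }
  walk(root, rootName, 1);
  return out;
}

// Compare two snapshots: paths only in `after` are new objects/methods, paths only
// in `before` were removed, and equal paths with different descriptors are changed
// defaults, arities or behaviours.
function diffSnapshots(before, after) {
  const has = (o, p) => Object.prototype.hasOwnProperty.call(o, p);
  const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);
  const added = Object.keys(after).filter(p => !has(before, p)).sort();
  const removed = Object.keys(before).filter(p => !has(after, p)).sort();
  const changed = Object.keys(after)
    .filter(p => has(before, p) && !same(before[p], after[p]))
    .sort()
    .map(p => ({ path: p, before: before[p], after: after[p] }));
  return { added, removed, changed };
}

// Constructed stand-ins for `window` in two builds (invented values, not real Tor
// Browser data): the new build adds navigator.doNotTrack, drops
// navigator.taintEnabled, ships a screen.orientation getter that throws, and
// changes the user agent string.
const esrOld = {
  navigator: { userAgent: 'Mozilla/5.0 (rv:24.0) Gecko/20100101 Firefox/24.0', javaEnabled() { return false; }, taintEnabled() { return false; } },
  screen: { width: 1000, height: 1000, colorDepth: 24 },
};
esrOld.self = esrOld;
const esrNew = {
  navigator: { userAgent: 'Mozilla/5.0 (rv:31.0) Gecko/20100101 Firefox/31.0', javaEnabled() { return false; }, doNotTrack: 'unspecified' },
  screen: { width: 1000, height: 1000, colorDepth: 24, get orientation() { throw new TypeError('disabled'); } },
};
esrNew.self = esrNew;

function exampleDiff() {
  return diffSnapshots(snapshotHostObjects(esrOld), snapshotHostObjects(esrNew));
}

// The snapshot and the diff are plain JSON, which is the machine-readable form item 2 asks about.
console.log(JSON.stringify(exampleDiff(), null, 2));
```

In a real browser the same walk is `snapshotHostObjects(window, 3)` run once per build, with the JSON saved and `diffSnapshots` run over the two files. Two caveats: the walk invokes every getter it reaches, which can have side effects (storage access, permission prompts), so run it in a throwaway profile; and the depth bound means deep prototype objects only appear if `maxDepth` is raised.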