[tor-dev] [GSOC16] Fingerprint Central - Status report n°2

Pierre Laperdrix pierre.laperdrix at irisa.fr
Mon Jun 20 11:56:46 UTC 2016


Hey,

On 06/20/2016 12:55 PM, Georg Koppen wrote:
> Hi!
> 
> Pierre Laperdrix:
>> Hi everyone,
>>
>> Here is my second status report for my GSOC project.
>> A little reminder that the repo is located on GitHub:
>> https://github.com/plaperdr/fp-central
>>
>> 1 - I have progressed faster than I expected in the last two weeks. Here
>> is everything that I have done:
>> - Storage of fingerprints in a MongoDB database
>> - Adding a small API to get statistics on stored variables
>> - Adding support of hashed variables for faster stats computation
>> - Adding collection of new attributes and support of HTTP headers
>> - Adding support of translation with the start of a French version
>>
>> 2 - I also started development of a page to tell if a user has an
>> "acceptable" fingerprint or not (I haven't pushed the code to GitHub
>> yet). So far, I'm verifying that the screen resolution is in the correct
>> bounds (i.e. not fullscreen) and that there are no plugins in the
>> browser. If anyone has any idea that I could implement to help users
>> have a less recognizable fingerprint, I'll be happy to add it. I have
>> also added steps to follow to help people better configure their browser.
>>
>> 3 - I have tried to add a webpage where I can detect the level of the
>> security slider. This way, I could give recommendations to users to
>> maybe try a higher security level or  it would be a way to know the
>> distribution of Tor users on that feature. However, it has proven to be
>> much harder than anticipated.
>> * For "Medium-low", I verify that MathML is disabled.
>> * For "High", I verify that there are either no JavaScript or no SVG
>> elements.
> 
> I think testing SVG is the safe bet here. I guess there is (still) a
> bunch of users out there that is disabling JavaScript by default and
> enabling it only when needed without bothering with the security slider.
> In fact, if you could detect this then it might be a good thing for the
> "How to improve your fingerprint" feature.
> 

I think I'll do both: a message for users without JavaScript and the
execution of the test suite for users with it.


>> * I have troubles to detect the "Medium-High" level. I tried detecting
>> the support of OpenType SVG fonts but it seems that I haven't found the
>> right set of instructions to detect a difference. I'm using a font that
>> I modified where I'm able to display a difference depending on the level
>> of the security slider but I can't detect that difference through
>> JavaScript. When SVG support is present, the displayed character is
>> bigger than the HTML element but I can't detect that it is out of
>> bounds. If anyone has any idea to detect the "Medium-high" level of the
>> security slider, I'll be very happy about it.
> 
> Loading a script with http:// should fail doing so with https://,
> however, should work. This behavior is pretty distinctive for
> Medium-High and would be my first idea for detecting this mode.
> 

I tried this morning to go a little deeper with the SVGs but with no
visible progress. In a way, it is a good news because they had security
in mind when they designed that feature. One document which confirms the
difficulties I encountered is this documentation:
https://www.microsoft.com/typography/otspec/svg.htm
In the security considerations section, they say that "script execution,
external references and interactivity" is disabled (i.e. embedding
JavaScript directly inside the SVG glyph is not possible) and the use of
"<text> and <foreignObject>" is prohibited. These are exactly what I
tried but with no success. In the end, I'll switch to the detection of
HTTP blocking.

Pierre

> Georg
> 
>> My goal in the next two weeks is to finish both the "acceptable
>> fingerprint" page and the "slider" page. I also want to start working on
>> a complete statistics page (outside of the main fingerprinting page).
>> Hopefully, in two weeks, I'll have a version that is more complete and
>> from there, I'll start digging into more complicated features like
>> dealing with returning users.
>>
>> Have a great week-end,
>> Pierre
>>
>>
>>
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>>
> 
> 
> 
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160620/20f9e544/attachment-0001.sig>


More information about the tor-dev mailing list