[tor-dev] [GSOC16] Fingerprint Central - Status report n°2

Pierre Laperdrix pierre.laperdrix at irisa.fr
Mon Jun 20 11:56:46 UTC 2016


On 06/20/2016 12:55 PM, Georg Koppen wrote:
> Hi!
> Pierre Laperdrix:
>> Hi everyone,
>> Here is my second status report for my GSOC project.
>> A little reminder that the repo is located on GitHub:
>> https://github.com/plaperdr/fp-central
>> 1 - I have progressed faster than I expected in the last two weeks. Here
>> is everything that I have done:
>> - Storage of fingerprints in a MongoDB database
>> - Adding a small API to get statistics on stored variables
>> - Adding support of hashed variables for faster stats computation
>> - Adding collection of new attributes and support of HTTP headers
>> - Adding support of translation with the start of a French version
>> 2 - I also started development of a page to tell if a user has an
>> "acceptable" fingerprint or not (I haven't pushed the code to GitHub
>> yet). So far, I'm verifying that the screen resolution is in the correct
>> bounds (i.e. not fullscreen) and that there are no plugins in the
>> browser. If anyone has any idea that I could implement to help users
>> have a less recognizable fingerprint, I'll be happy to add it. I have
>> also added steps to follow to help people better configure their browser.
>> 3 - I have tried to add a webpage where I can detect the level of the
>> security slider. This way, I could give recommendations to users to
>> maybe try a higher security level or it would be a way to know the
>> distribution of Tor users on that feature. However, it has proven to be
>> much harder than anticipated.
>> * For "Medium-low", I verify that MathML is disabled.
>> * For "High", I verify that there are either no JavaScript or no SVG
>> elements.
> I think testing SVG is the safe bet here. I guess there is (still) a
> bunch of users out there that is disabling JavaScript by default and
> enabling it only when needed without bothering with the security slider.
> In fact, if you could detect this then it might be a good thing for the
> "How to improve your fingerprint" feature.

I think I'll do both: a message for users without JavaScript and the
execution of the test suite for users with it.

>> * I have trouble detecting the "Medium-High" level. I tried detecting
>> the support of OpenType SVG fonts but it seems that I haven't found the
>> right set of instructions to detect a difference. I'm using a font that
>> I modified where I'm able to display a difference depending on the level
>> of the security slider but I can't detect that difference through
>> JavaScript. When SVG support is present, the displayed character is
>> bigger than the HTML element but I can't detect that it is out of
>> bounds. If anyone has any idea to detect the "Medium-high" level of the
>> security slider, I'll be very happy about it.
> Loading a script with http:// should fail; doing so with https://,
> however, should work. This behavior is pretty distinctive for
> Medium-High and would be my first idea for detecting this mode.

I tried this morning to go a little deeper with the SVGs but with no
visible progress. In a way, it is good news because they had security
in mind when they designed that feature. One document which confirms the
difficulties I encountered is this documentation:
In the security considerations section, they say that "script execution,
external references and interactivity" is disabled (i.e. embedding
JavaScript directly inside the SVG glyph is not possible) and the use of
"<text> and <foreignObject>" is prohibited. These are exactly what I
tried but with no success. In the end, I'll switch to the detection of
HTTP blocking.


> Georg
>> My goal in the next two weeks is to finish both the "acceptable
>> fingerprint" page and the "slider" page. I also want to start working on
>> a complete statistics page (outside of the main fingerprinting page).
>> Hopefully, in two weeks, I'll have a version that is more complete and
>> from there, I'll start digging into more complicated features like
>> dealing with returning users.
>> Have a great week-end,
>> Pierre
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
