[tor-qa] Panopticlick

Mike Perry mikeperry at torproject.org
Sun Jun 10 10:40:20 UTC 2012

Thus spake Katya Titov (kattitov at yandex.com):

> On Sat, 9 Jun 2012 22:20:31 -0700
> Mike Perry <mikeperry at torproject.org> wrote in another thread:
> > Thus spake Katya Titov (kattitov at yandex.com):
> > 
> > >  - https://panopticlick.eff.org/ - one in 223,553, 17.77 bits of
> > >                                    identifying information
> > 
> > Great test url, Katya. We have issues with how Panopticlick is run,
> > though. It has inherent bias against any change from established
> > norms, even if that change is in the direction of uniformity amongst a
> > population.
> I must admit that I'm not overly sure that the "1 in [x]" and "[x] bits
> of identifying information" are of use in and of themselves (e.g. my
> browser now "conveys at least 21.09 bits of identifying information"
> whereas it was only 17.77 just a few hours ago) but I thought I'd
> experiment with testing over time and see how the numbers change. I do
> like the table of browser characteristics. This could be useful to
> track over time, so maybe I should report the full table in future.

Yeah.. This stuff is all fungible and dependent upon a few factors.
Maybe a bunch of people showed up from some other mention of the
Panopticlick url and altered the distribution. It's really hard to say.

> > In particular, the largest sources of entropy in Panopticlick come
> > from our solutions to fingerprinting issues. The largest source of
> > bits (screen resolution) comes from what is perhaps our most effective
> > reduction in information available to the fingerprinter:
> > https://trac.torproject.org/projects/tor/ticket/4810#comment:3
> Hmmm ... could you report a standard desktop resolution? Maybe the
> standard resolution just higher than the current window size? Will this
> impact the browsing experience? I imagine that this is used by a
> website when it wants to open a pop up window ... what's the impact of
> opening what the site thinks is a full-size window with a smaller
> resolution than the actual desktop size?

These are all topics for #4810. I think all of them have already been
mentioned there actually, unless I'm reading you wrong.

> It's interesting to note that by far the largest screen resolution is
> "no javascript":
> https://trac.torproject.org/projects/tor/attachment/ticket/4810/panopticlick-screen-resolution-detection.txt
> That and similar data would be useful to track what they are seeing,
> and maybe feed into what TBB should be reporting.

Yeah, this "no javascript" data point is really a shortcoming of the
panopticlick test, unfortunately.

You get the exact same data from CSS, plus quite a bit more:

> > Perhaps we should ask EFF to provide us with the Panopticlick source
> > code or so we can run a unique instance to evaluate TBB users only?
> > 
> > I've created this ticket for that:
> > https://trac.torproject.org/projects/tor/ticket/6119
> > 
> > If you have any comments or suggestions wrt the above, please comment
> > on the bugs or create a new tor-qa thread rather than reply here.
> Happy to help test when/if you get a TBB instance up and running.

Actually, I think a useragent-based filter could go a long way to making
the existing panopticlick data more useful:


Mike Perry
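
Added example (not part of the original message, and not Panopticlick or Tor Project code): a sketch of what a useragent-based filter changes, comparing the bits a screen resolution conveys against the whole dataset with the bits it conveys among browsers sharing one user agent. The user-agent strings, resolutions and counts are constructed placeholders, and the helper names are hypothetical.

```python
import math
from collections import Counter

def bits_from_one_in(n):
    """Bits of identifying information for a fingerprint seen in one of n browsers."""
    return math.log2(n)

def surprisal_bits(value, observations):
    """Bits conveyed by observing `value` within the population `observations`."""
    counts = Counter(observations)
    if counts[value] == 0:
        raise ValueError("value never observed in this population")
    return -math.log2(counts[value] / len(observations))

def entropy_bits(observations):
    """Shannon entropy of one attribute across a population."""
    total = len(observations)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(observations).values())

def resolutions(records, ua_filter=None):
    """Screen resolutions from (user_agent, resolution) records, optionally one UA only."""
    return [res for ua, res in records if ua_filter is None or ua == ua_filter]

# Constructed sample data: placeholder user agents and made-up counts.
TBB_UA = "TBB-UA-PLACEHOLDER"
OTHER_UA = "OTHER-UA-PLACEHOLDER"
RECORDS = ([(OTHER_UA, "1366x768")] * 512 + [(OTHER_UA, "1920x1080")] * 384
           + [(TBB_UA, "1000x600")] * 64 + [(TBB_UA, "1000x700")] * 64)

def compare(value="1000x600"):
    """Return (bits against everyone, bits against same-UA browsers only)."""
    everyone = resolutions(RECORDS)
    same_ua = resolutions(RECORDS, TBB_UA)
    return surprisal_bits(value, everyone), surprisal_bits(value, same_ua)

if __name__ == "__main__":
    # The "one in 223,553" figure quoted in the thread, converted to bits.
    print("one in 223,553 = %.2f bits" % bits_from_one_in(223553))
    global_bits, filtered_bits = compare()
    print("resolution vs. all visitors: %.2f bits" % global_bits)
    print("resolution vs. same UA only: %.2f bits" % filtered_bits)
    print("entropy, all visitors: %.2f bits" % entropy_bits(resolutions(RECORDS)))
    print("entropy, same UA only: %.2f bits" % entropy_bits(resolutions(RECORDS, TBB_UA)))
```

In this constructed data the same resolution costs 4 bits when measured against every visitor but 1 bit when measured only against browsers presenting the same user agent.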
