Re: [tor-dev] GSoC'16 proposal: the Torprinter project (a Panopticlick-like website)

2016-03-22 Thread Lunar
Pierre Laperdrix:
> Thanks for the valuable feedback!
> It would be great to have the features that you cite into the website.
> For the first version, my point of view is to mainly focus on the added
> value for developers which is to add/remove tests easily and get the
> relevant data as easily as possible for them. With that, they can make
> decisions on what to do next inside the Tor browser. For subsequent
> versions, focusing on users could be really interesting if the rest
> proves to be solid and stable.

Makes sense. My main worry is that some users will be using it, even
if it's aimed at developers, and that quickly we will find ourselves
having to repeat over and over “we know about this issue, the fix is
more complicated than it seems, we're on it, but if you really worry
just switch the security slider to high”.

As long as you have that in mind, and there's a basic way to display
messages for users—this could just be a link to a wiki page—I think
it'll be ok to add fancy stuff later.

> For the internationalization, the framework that I plan to use (either
> Play or Django) supports it through templating. This means that anyone
> can contribute to the translation without writing a line of HTML. The
> main file will be in English and I'll probably do the one in French at
> the same time. One contributor who wants to help will just have to take
> the English file and translate each line without having to find
> scattered hardcoded strings through different HTML files.

Great! :) As long as it's properly i18nized, localizations can come
later. Although doing a first localization while i18ning might help you
spot missing strings.

-- 
Lunar 


___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev


Re: [tor-dev] GSoC'16 proposal: the Torprinter project (a Panopticlick-like website)

2016-03-22 Thread Pierre Laperdrix
Hi Lunar,

Thanks for the valuable feedback!
It would be great to have the features that you cite into the website.
For the first version, my point of view is to mainly focus on the added
value for developers which is to add/remove tests easily and get the
relevant data as easily as possible for them. With that, they can make
decisions on what to do next inside the Tor browser. For subsequent
versions, focusing on users could be really interesting if the rest
proves to be solid and stable.

What you described in your answer would be a more advanced version of
the "How far are you from an acceptable fingerprint?" feature that I
plan to integrate from the get-go. If the website detects that the user
does not have a recommended configuration, it could give different links with
information and steps on how to fix that so that a non-tech person can
understand what they will do and what they will modify. Suggestions to
play with the security slider could be a great addition.
I'll be honest, I don't know how much of what you propose could be done
before summer's end. My timeline is a little bit rough but even if it is
not done by then, I can still add it after the GSoC period ends.

For the internationalization, the framework that I plan to use (either
Play or Django) supports it through templating. This means that anyone
can contribute to the translation without writing a line of HTML. The
main file will be in English and I'll probably do the one in French at
the same time. One contributor who wants to help will just have to take
the English file and translate each line without having to find
scattered hardcoded strings through different HTML files.

Pierre

On 03/22/2016 11:21 AM, Lunar wrote:
> Hi Pierre!
> 
> Thanks for this valuable proposal. :) Just a quick comment from someone
> who has experienced supporting Tor users.
> 
> Georg Koppen:
>>> - How new tests should be added: A pull request? A form where
>>> submissions are reviewed by admins? A link to the Tor tracker?
>>
>> From a Tor perspective opening a ticket and posting the test there or
>> ideally having a link to a test in the ticket that is fixing the
>> fingerprinting vector seems like the preferred solution. I'd like to
>> avoid the situation where tests get added to the system and we don't
>> know about that dealing with users that are scared because of the new
>> results. So, yes, some review should be involved here.
> 
> It would be great if you could also include ways to guide users in
> understanding the test results. From the top of my mind, it would be
> good if the application would have a way to know which Tor Browser
> version is being run. Then together with results, it would be good if
> users would get an answer to the following questions:
> 
>  * Is this the expected result?
>  * If not, is there any remediation available? At which cost?
>     - This could be prompting users to upgrade to a new version.
>       Ideally include support for known tools which bundle the
>       Tor Browser, so the message could be “Upgrade to Tails 2.2”
>       for Tails users.
>     - Tell them to fiddle with the security slider, with a warning
>       that they will lose some features.
>  * If there's no immediate remediation available, can they do anything?
>     - Is the issue known at all? Can we then assist them to report the
>       problem in a meaningful manner? Or point them at the existing
>       ticket—with a warning that it's going to be tech+english.
>     - Should they take extra precaution? Link to some documentation.
>     - Do we need to collect more data? Let's guide them how.
>     - Maybe it's a good opportunity to ask them for some money so we can
>       hire more browser developers?
> 
> I'm pretty sure the UX team could give input on good wordings and
> layout. And probably on the whole thing. :)
> 
> Have you considered any internationalization?
> 
> If not all of this can be implemented over the summer, just keeping it
> in mind in the design stage might help to add the required features
> later.





Re: [tor-dev] GSoC'16 proposal: the Torprinter project (a Panopticlick-like website)

2016-03-19 Thread gunes acar
Hi Pierre,

Thanks for the very well thought-out proposal!

I'm curious about your ideas on the "returning device problem." EFF's
Panopticlick and AmIUnique.org use a combination of cookies and IP
address to recognize returning users - so that their fingerprints are
not "double-counted."

Since these signals will not be available anymore (unless the user opts in
to retain the cookie), I wonder what'd be your ideas to address this issue.

Please find other responses below.

Best,
Gunes

On 2016-03-15 04:46, Pierre Laperdrix wrote:
> Hi Tor Community,
> 
> My name is Pierre and I'm really interested in participating in a GSoC
> project this year with the Tor organization. Since I've been working on
> browser fingerprinting for the past two years, I'd love to build a
> Panopticlick-like website to improve the fingerprinting defenses of the
> Tor browser.
> 
> I've included below my proposal in case anyone has ideas or suggestions,
> especially on the technical section or on some of the open questions
> that I have. (It should be noted that the Torprinter name is subject to
> change).
> 
> 
> **
> 
> Summary - The Torprinter project: a browser fingerprinting website to
> improve Tor fingerprinting defenses
> The capabilities of browser fingerprinting as a tool to track users
> online have been demonstrated by Panopticlick and other research papers
> since 2010. The Tor community is fully aware of the problem and the Tor
> browser has been modified to follow the "one fingerprint for all"
> approach. Spoofing HTTP headers, removing plugins, including bundled
> fonts, preventing canvas image extraction: these are a few examples of
> the progress made by Tor developers to protect their users against such
> threat. However, due to the constant evolution of the web and its
> underlying technologies, it has become a true challenge to always stay
> ahead of the latest fingerprinting techniques.
> I'm deeply interested in privacy and I've been studying browser
> fingerprinting for the past 2 years. I launched the AmIUnique.org
> website 18 months ago to investigate the latest fingerprinting
> techniques. Collecting data on thousands of devices is one of the keys
> to understand and counter the fingerprinting problem.
> For this Google Summer of Code project, I propose to develop the
> Torprinter website that will run a fingerprinting test suite and collect
> data from Tor browsers to help developers design and test new defenses
> against browser fingerprinting. The website will be similar to AmIUnique
> or Panopticlick for users where they will get a complete summary with
> statistics after the test suite has been executed. It can be used to
> test new fingerprinting protection as well as making sure that
> fingerprinting-related bugs were correctly fixed with specific
> regression tests. The expected long-term impact of this project is to
> reduce the differences between Tor users and reinforce their privacy and
> anonymity online. In a second step, the website could open its doors to
> more browsers so that it could become a platform where vendors can
> implement significant changes in their browsers with regards to privacy
> and see the impact first-hand on the website. With the strong expertise
> I have acquired on the fingerprinting subject and the experience I have
> gained by developing the AmIUnique website, I believe I'm fully
> qualified to see such a project through to completion.
> 
> Website features
> The main feature of the website is to collect a set of fingerprintable
> attributes on the client and calculate the distribution of values for
> each attribute like Panopticlick or AmIUnique. The set of tests would
> not only include known fingerprinting techniques but also ones developed
> specifically for the Tor browser.
> The second main feature of the website would be for Tor users to check
> how close their current fingerprint is from the ideal unique fingerprint
> that most users should share. A list of actions should be added to help
> users configure their browser to reach this ideal fingerprint.
> The third main feature would be an API for automated tests as detailed
> by this page :
> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
> . This would enable automatic verification of Tor protection features
> with regard to fingerprinting. When a new version is released, the
> output of specific tests will be verified to check for any
> evolution/changes/regressions from previous versions.
> The fourth main feature I'd like to include is a complete stats page
> where the user can go through every attribute and filter by OS, browser
> version and more.
> The inclusion of additional features that go beyond the core
> functionalities of the site should be driven by the needs of the
> developers and the Tor community.
> Still, a lot of open questions remain that should be addressed during
> the bonding period 
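
The "returning device problem" raised in this message, applied to the per-attribute distributions the proposal describes, as an added example that is not part of the thread or of any Torprinter code. The `visitor` field (an opt-in cookie ID), the attribute names and the sample submissions are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample submissions, not real data. "visitor" is a hypothetical
# opt-in cookie ID; None means the browser kept no cookie between visits.
SUBMISSIONS = [
    {"visitor": "a1", "attrs": {"screen": "1400x900", "fonts": "bundled"}},
    {"visitor": "a1", "attrs": {"screen": "1400x900", "fonts": "bundled"}},
    {"visitor": "a1", "attrs": {"screen": "1400x900", "fonts": "bundled"}},
    {"visitor": "b2", "attrs": {"screen": "1000x600", "fonts": "bundled"}},
    {"visitor": None, "attrs": {"screen": "1000x600", "fonts": "bundled"}},
    {"visitor": None, "attrs": {"screen": "1000x600", "fonts": "bundled"}},
]

def dedupe(submissions):
    """Keep the latest submission per opt-in cookie ID.

    Cookieless submissions cannot be linked to each other, so each one is
    kept; that residual double-counting is the open problem in the thread.
    """
    latest, unlinked = {}, []
    for sub in submissions:
        if sub["visitor"] is None:
            unlinked.append(sub)
        else:
            latest[sub["visitor"]] = sub
    return list(latest.values()) + unlinked

def distribution(submissions, attribute):
    """Count how many submissions report each value of one attribute."""
    return Counter(sub["attrs"][attribute] for sub in submissions)

def surprisal_bits(dist, value):
    """Bits of identifying information revealed by seeing this value."""
    return -math.log2(dist[value] / sum(dist.values()))

def entropy_bits(dist):
    """Shannon entropy of the attribute across all counted submissions."""
    total = sum(dist.values())
    return sum(n / total * math.log2(total / n) for n in dist.values())

if __name__ == "__main__":
    for label, subs in (("raw", SUBMISSIONS), ("deduped", dedupe(SUBMISSIONS))):
        dist = distribution(subs, "screen")
        print(label, dict(dist),
              f"surprisal(1400x900)={surprisal_bits(dist, '1400x900'):.2f} bits",
              f"entropy={entropy_bits(dist):.2f} bits")
```

With the repeat visits counted, the unusual screen size looks like it is shared by half the population (1 bit); after deduplication it is one device in four (2 bits), so double-counting understates how identifiable that device is.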

Re: [tor-dev] GSoC'16 proposal: the Torprinter project (a Panopticlick-like website)

2016-03-19 Thread Damian Johnson
> Hi Pierre, on first glance looks like a nice proposal. Just a heads up
> though that to be considered there needs to be a prospective mentor
> for this project. Reaching out to tor-dev@ is a great first step and
> hopefully it'll do the trick, but if it doesn't try asking on the
> #tor-dev irc channel.

Oops, my bad. Missed that this was Panopticlick - gave GeKo a nudge to
take a peek. :)