(resending to tor-dev because the original message didn't go through)

On 03/16/2014 11:52 PM, Yan Zhu wrote:
> On 03/16/2014 07:59 PM, Gunes Acar wrote:
>> Dear All,
>>
>> My name is Gunes Acar, a 2nd year PhD student at Computer Security and
>> Industrial Cryptography (COSIC) group of University of Leuven.
>>
>> I work with Prof. Claudia Diaz and study online tracking and browser
>> fingerprinting. I'd like to work on "Panopticlick"
>> (https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick)
>> summer project and other fingerprinting related issues which I tried to
>> outline below:
>
> Hi Gunes,
>
> I think all of these projects below would primarily be with EFF, not Tor
> directly. Peter and/or I would be your point of contact; I'm not
> familiar enough with Panopticlick at this time to give you much feedback
> on the ideas below, so I cc'ed Peter.
>
>> 1) Collaborate with Peter@EFF to port/open-source Panopticlick:
>> https://trac.torproject.org/projects/tor/ticket/6119#comment:4
>> a) implement necessary modifications - e.g. we won't be having cookies
>> or real IP addresses to match returning visitors.
>> b) consider security implications of storing fingerprints (e.g. what
>> happens if someone gets access to fingerprint database?)
>
> Peter, what's the blocker on this? It sounds like Tor folks really want
> it to happen soon, so I'm happy to take the lead on helping get this
> open-sourced from the EFF side.
>
>> 2) Add machine-readability support outlined in Tor Automation
>> proposals:
>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>> a) which one(s) should we implement? JSON, YAML, XML?
>
> No input here.
>
>> 3) Survey the literature for fingerprinting attacks published since
>> Panopticlick. Implement those that may apply to TBB:
>> a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch
>> at #6253 works
>> b) JS engine fingerprinting (Mulazzani et al.)
>> c) CSS & rendering engine fingerprinting (Unger et al.)
>
> This sounds greatly useful. Another good place to look is Mozilla's bug
> tracker (https://bugzilla.mozilla.org/).
>
>> 4) Check with real-world fingerprinting scripts to see if they collect
>> anything that is not considered before. Check if TBB's FP
>> countermeasures work against them. (We can use data from FPDetective
>> study to find sites with fingerprinting scripts)
>
> Same as above.
>
>> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case
>> they consider an update.
>
> Yes, I'm happy to get those updates into EFF's instance.
>
>> 6) Convert fixed FP-related bugs into regression tests.
>> https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=closed
>>
>> 7) Build test cases to check the severity of fingerprinting related
>> open tickets, e.g.:
>> https://trac.torproject.org/projects/tor/ticket/8770
>> https://trac.torproject.org/projects/tor/ticket/10299
>>
>> 8) Work on potential fingerprinting bugs that ESR31 may bring.
>>
>> 9) ESR transitions seem to create a lot of FP-related issues that need
>> to be checked manually (e.g. #9608). Consider developing a tool that
>> iterates over the host objects of two browsers to compare them
>> automatically (e.g. to pinpoint new objects, new methods, updated
>> default values, etc.). Similar to "diff tool" mentioned here:
>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>>
>> 10) Evaluate the font-limits of TBB by checking the average # of fonts
>> Top 1 Million sites use. We can either collect fresh data with
>> FPDetective or use the existing (~1 year old) data.
>
> All of the above sounds fine.
>
> Assuming that we can get Panopticlick open-sourced, I'm more than happy
> to help you with any of these subprojects.
>
> -Yan
> (EFF Staff Technologist / HTTPS Everywhere maintainer)
>
_______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
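Added example, not code from this thread, from Tor Browser or from Panopticlick: a minimal host-object diff tool of the kind item 9 asks for, producing the JSON output item 2 asks about. snapshotHostObjects() walks every own property reachable from a root object (window in a real browser) into a flat, JSON-serialisable map keyed by property path, recording type, arity and default value, and reading accessors through their getters; diffHostSnapshots() compares two such maps and reports new, removed and changed entries. The two sample "windows" built by makeSampleWindow() are constructed stand-ins that exercise the cases such a tool must catch (a method added to a prototype, a changed default value, a removed global, a getter that throws, the window.window cycle); they are not data from any Firefox ESR, and all function and property names in them are invented for the example.

```javascript
// One JSON-friendly record per property value. Primitives keep their value
// (a changed default is itself a fingerprinting signal); objects and functions
// keep only their shape, the walker descends into them separately.
function describeValue(v) {
  if (v === null) return { type: 'null' };
  const t = typeof v;
  if (t === 'function') return { type: 'function', arity: v.length };
  if (t === 'object') return { type: 'object' };
  return { type: t, value: v };
}

// Walk `root` depth-first and return { "window.navigator.userAgent": {...}, ... }.
// Accessor properties are read through their getter inside try/catch: host
// getters may throw (e.g. "Illegal invocation" when read on the prototype), and
// that behaviour is part of the snapshot too. `seen` stops the window.window /
// window.self cycles; `maxDepth` bounds the walk on a real, very large window.
function snapshotHostObjects(root, rootName = 'window', maxDepth = 4) {
  const out = Object.create(null);
  const seen = new Set();
  const stack = [[root, rootName, 0]];
  while (stack.length) {
    const [obj, path, depth] = stack.pop();
    if (seen.has(obj) || depth > maxDepth) continue;
    seen.add(obj);
    let names;
    try { names = Object.getOwnPropertyNames(obj); } catch (e) { continue; }
    for (const name of names.sort()) {
      const childPath = path + '.' + name;
      const desc = Object.getOwnPropertyDescriptor(obj, name);
      if (!desc) continue;
      let value, entry;
      if (desc.get || desc.set) {
        entry = { type: 'accessor', hasGetter: !!desc.get, hasSetter: !!desc.set };
        try {
          value = desc.get ? desc.get.call(obj) : undefined;
          entry.value = describeValue(value);
        } catch (e) {
          entry.value = { type: 'throws', error: e && e.name ? e.name : String(e) };
        }
      } else {
        value = desc.value;
        entry = describeValue(value);
      }
      entry.enumerable = desc.enumerable;
      out[childPath] = entry;
      if (value !== null && (typeof value === 'object' || typeof value === 'function')) {
        stack.push([value, childPath, depth + 1]);
      }
    }
  }
  return out;
}

// Compare two snapshots. Entries are compared by their serialised form, so a
// changed default value, a getter that newly throws, or a method whose arity
// changed all land under `changed`; new and vanished paths under added/removed.
function diffHostSnapshots(before, after) {
  const added = [], removed = [], changed = [];
  for (const p of Object.keys(after)) {
    if (!(p in before)) added.push(p);
    else if (JSON.stringify(before[p]) !== JSON.stringify(after[p])) {
      changed.push({ path: p, from: before[p], to: after[p] });
    }
  }
  for (const p of Object.keys(before)) if (!(p in after)) removed.push(p);
  added.sort(); removed.sort();
  changed.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
  return { added, removed, changed };
}

// Constructed stand-in for a browser version's window object (not real Firefox
// ESR data). Methods live on the constructor's prototype, as WebIDL members do,
// so the walker reaches them via window.Navigator.prototype.
function makeSampleWindow(version) {
  const win = {};
  win.window = win;                       // cycle
  win.self = win;                         // second path to the same object
  function Navigator() {}
  Navigator.prototype.javaEnabled = function () { return false; };
  if (version >= 31) Navigator.prototype.getBattery = function () {};   // "new method"
  Object.defineProperty(Navigator.prototype, 'platform', {             // throwing getter
    get() { if (this === Navigator.prototype) throw new TypeError('Illegal invocation'); return 'Linux x86_64'; },
    enumerable: true, configurable: true,
  });
  const navigator = Object.create(Navigator.prototype);
  Object.defineProperty(navigator, 'userAgent', {                      // changed default
    get() { return 'Mozilla/5.0 (rv:' + version + '.0) Gecko/20100101 Firefox/' + version + '.0'; },
    enumerable: true,
  });
  win.Navigator = Navigator;
  win.navigator = navigator;
  win.screen = { width: 1000, height: 1000, colorDepth: version >= 31 ? 32 : 24 };
  if (version < 31) win.legacyGlobal = true;                           // removed global
  return win;
}

function demoDiff() {
  return diffHostSnapshots(snapshotHostObjects(makeSampleWindow(24)),
                           snapshotHostObjects(makeSampleWindow(31)));
}

// Machine-readable output: snapshot and diff are plain objects, so JSON needs
// no extra serialisation step.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demoDiff(), null, 2));
}
```

In a real browser the workflow would be `JSON.stringify(snapshotHostObjects(window))` from the console of each ESR, saved to a file, then diffHostSnapshots() over the two files offline. Two caveats: the walker invokes every getter it meets, which can have side effects (and, on a hardened build, trigger prompts or permission checks), and it only records own properties, so inherited members are seen through the constructor's prototype path rather than on the instance; both are deliberate, since that is also what a fingerprinting script sees.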
