[tor-dev] Panopticlick summer project

Mike Perry mikeperry at torproject.org
Tue Mar 18 19:28:12 UTC 2014


Yan Zhu:
> On 03/17/2014 04:41 AM, Gunes Acar wrote:
> > Hi Yan,
> > 
> > Glad that you're interested in the project.
> > It'd be very nice to collaborate with you on this.
> > 
> > Indeed, we've been corresponding with Peter for a related project and
> > I mentioned my intention to work as a middleman between EFF and Tor.
> > 
> 
> Great, it seems that Peter and I are both interested and willing to help.
> 
> Regarding
> https://trac.torproject.org/projects/tor/ticket/6119#comment:10, Peter
> says he has some reluctance to open source the project (not the data)
> because it might make it easier for some websites to track visitors
> without their consent.

This might have been a valid concern 5 years ago, but now it's just a
joke. The tests on Panopticlick are ancient, widely known, easy to
reproduce, and much more severe and invasive mechanisms of
fingerprinting have since been developed/deployed in modern browsers.

Moreover, only 2 of the tests it performs actually apply to Tor Browser
users.

Banks in particular have already deployed some of the techniques we've
fixed that the EFF study entirely predates. And these techniques are far
higher entropy than browser resolution (such as localhost open port
enumeration, OS theme fingerprinting, and HTML5+WebGL canvas
rendering+extraction+hashing).

Not only should we (as Tor) publicly provide tests and easy-to-deploy
working PoC code for all of these vectors, we should also endeavor to
detail cases where major browser vendors are ignoring or exacerbating
this problem, and make it easy for everyone to test and observe this
behavior themselves.

Not sure if that means the EFF now has a conflict of interest with this
project for some ridiculous reason, but frankly any attempt at trying to
"hide" these techniques is downright silly. They are too well known
(most are publicly documented elsewhere, or at least on our bugtracker),
and there's waaay too much money on the other side of the fence in terms
of incentives to develop and deploy working attacks.

Further, starting from the EFF codebase might also be a hindrance to us.
It is not designed for measuring the effects of defenses. In fact, its
measurement mechanisms actively penalize any attempt at defense
development (because any approach to alter browser behavior instantly
makes you more unique than the previous userbase).

I actually think Panopticlick has of late done more to prevent browser
fingerprinting defense development than to encourage it. I would really
like to see it DIAF.

Here's hoping we can make something better!

-- 
Mike Perry
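The measurement problem described in the message above, as an added example that is not part of the original email or of Panopticlick's code: a surprisal-style uniqueness score (-log2 of a value's share of the population) over a constructed set of screen resolutions, showing that a lone visitor who alters a value scores as the most unique of all, while the same value adopted by a whole cohort scores no worse than before and adopted by everyone scores zero. The visitor counts and the "1000x1000" defended value are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: screen resolutions reported by 128 hypothetical
# visitors. Counts are made up for illustration, not Panopticlick data.
POPULATION = (["1920x1080"] * 64 + ["1366x768"] * 32
              + ["1440x900"] * 16 + ["2560x1440"] * 16)

# Hypothetical value a defense makes the browser report instead.
DEFENDED_VALUE = "1000x1000"


def surprisal_bits(population, value):
    """Bits of identifying information one attribute value carries:
    -log2(p), where p is that value's share of the observed population.
    This is the per-attribute score a Panopticlick-style test reports."""
    counts = Counter(population)
    return -math.log2(counts[value] / len(population))


def lone_defender_bits(population, defended_value):
    """One visitor alters the attribute; everyone else is unchanged.
    The altered value is now the rarest thing in the dataset, so the
    defended visitor is scored as the most unique of all."""
    return surprisal_bits(population + [defended_value], defended_value)


def cohort_defender_bits(population, cohort_value, defended_value):
    """Every visitor who used to report `cohort_value` now reports
    `defended_value` (a whole browser's userbase ships the defense).
    The cohort's share is unchanged, so its members score as before."""
    shifted = [defended_value if v == cohort_value else v for v in population]
    return surprisal_bits(shifted, defended_value)


def universal_defense_bits(population, defended_value):
    """The whole population reports one value: the attribute carries
    no identifying information at all."""
    return surprisal_bits([defended_value] * len(population), defended_value)


if __name__ == "__main__":
    print(f"common value, no defense: {surprisal_bits(POPULATION, '1920x1080'):.2f} bits")
    print(f"lone defender:            {lone_defender_bits(POPULATION, DEFENDED_VALUE):.2f} bits")
    print(f"whole 1920x1080 cohort:   "
          f"{cohort_defender_bits(POPULATION, '1920x1080', DEFENDED_VALUE):.2f} bits")
    print(f"entire population:        {universal_defense_bits(POPULATION, DEFENDED_VALUE):.2f} bits")
```

Measuring a defense properly means scoring the population that has the defense applied, not a single altered visitor against an undefended crowd.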