wiki:org/meetings/2016SummerDevMeeting/Notes/AntiFingerprinting

Notes (from Arthur):

  • Information theory: the information entropy for a given fingerprintable feature is

https://wikimedia.org/api/rest_v1/media/math/render/svg/9017e7f5171f1770f8bd702487f297b77df8a907

where x_i is the ith possible value. The first factor of P gives us a way to average the entropy leaked by a heterogeneous population of browsers/devices.

  • Panopticlick is being maintained by EFF -- we can get data per useragent or browser version #. Hopefully we can use this to trigger competition between browsers in terms of fingerprinting mitigation.
  • We need to update the Tor Browser design document with the latest anti-fingerprinting measures
  • Open question: how do we get an unbiased sample of user fingerprints? People who visit panopticlick are not the average population.
  • We decided to open a wiki/git page to maintain an ongoing list of fingerprinting vectors.
  • We want to use this to encourage browsers to fix exiessting featur, and also to stop APIs from introducing new fingerprinting vectors. We also similarly want to fight new supercookies.
  • We discussed the problem of clock-based fingerprinting and this paper was suggested:

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_kohlbrenner.pdf

Here's the document we developed:

Todo:

  • better organize this list
  • create a github repo (post link here)
  • translate the list to an .md file in the github wiki page associated with the repo.

A list of Fingerprinting Metrics, Ideally Scoped by API

  • WebRTC
    • PeerConnection
    • deviceID
  • WebVR
  • WebGL
  • User agent.
  • Plugins.
  • Fonts.
  • CSS named colors.
  • HTTP accept.
  • Screen resolution.
  • Timezone.
  • Cookies enabled.
  • HTML5 canvas hacks (e.g. font rendering, etc).
  • WebGL graphics hardware capabilities.
  • WebRTC codecs.
  • Accessibility APIs.
  • Keyboard Layout.
  • Locales.
  • Clock skew.
  • CSS media queries
  • navigator.buildID
  • navigator.plugins
  • navigator.mimeTypes
  • battery API
  • audio fingerprinting
  • HSTS/HPKP supercookies
  • Scroll timing (e.g. smooth scroll enabled?).
  • Timing known asset loads to sample visited sites.
  • JS Math API
  • Countless Javascript API differences:
    • window.crypto, window.msCrypto; for IE 11
    • Anything prefixed with "webkit" or "moz".
    • Anything OS/Platform-specific. GestureEvents?!

List of Tor Browser Fingerprinting Bugs (both opened and fixed):

https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&max=200

Categories of Fingerprinting Bugs (used for Tor Browser prioritization):

https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

Last modified 12 months ago Last modified on Oct 1, 2016, 4:56:44 AM