[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Tor Friendliness Scanner

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Tor Friendliness Scanner
From: Kevin Gallagher <kcg295@xxxxxxx>
Date: Sat, 16 Mar 2019 17:29:36 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 16 Mar 2019 17:29:59 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nyu.edu; h=reply-to : subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=20180315; bh=znAYwSuDy+hY0XuoyJYrKyVhWMLgsPWRRbz6bxGTDWE=; b=DVfCu+S1ySZBVglo0KEXBGM3C80fFmAEwG8NxuNiScZCNbQhOGFg+q1WLcOm1zId0h8c 4m0TlASGJIJXNzn4cYQgguihI7HGBrZaGpLFbJA/+GeEAbgqc/7kqjaTJd04X15n0N2A g1/uiX9NzUj1oWCacxjJT9tj+lh8F8j/SyodsPVimnGK+tcqDK8jDJWzqJegISUizCx4 nH9tSCriuJaAFHDajj7SHpXzMJnUtEB8VsBUw+4Uh8SQtdah1pbJCUF66jBT/h/+KxEU Olisk1KQK8cBWJ/MWnEzJJEVRLl7MRFaMqocir1cr89KOXIo0pJmHZQdCojcKdcKMMGA xA==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nyu-edu.20150623.gappssmtp.com; s=20150623; h=reply-to:subject:to:references:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=znAYwSuDy+hY0XuoyJYrKyVhWMLgsPWRRbz6bxGTDWE=; b=Afadvsjg4HA0iSLDCcy35umYWmJ1thzB+JK7HEs1EIJKUkCMhwfQmFNrFTAlgG3cV6 Tie9+8WSpt2xwT2iXN2HGYYs4TJWWxz2UTeLHG9mJTwuEmT3uNmtMv8P/GshWVOXqEcr Wn85VGFY1kSY/wi8N0IfE+z7mVw2d/x+zt820AasDG7XmoCDmZ40yir3auw6HbbtQfms fygyQfwGddwxHVoOhZTP4ER2IZdfEVFE2Xl+manTETyl3drfR0DtjoJiXWkpL84XSv0k LU4nNil6o9HN9afCx1Fqj59jBldHPncSc6BbIl59wGNE922T/h5ppDM29YpXB8LsGVYR Sjrg==
In-reply-to: <80ff2fca-d164-61d4-642b-afd46e5cda4e@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Organization: New York University
References: <b4c64cac-014b-8f70-6361-882b5259916e@nyu.edu> <80ff2fca-d164-61d4-642b-afd46e5cda4e@torproject.org>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3

Hello everyone!

Thanks for the feedback! Please see my inline comments.

Santiago:

> I wonder if you could share a link to the source code for people to give
> you feedback/audit or implement fixes/features themselves.

I will be posting the source code once I'm a little further along.

Roger:

> (1)

> Looking at the DOM tree reminds me of Micah's paper from a few yearsback:

> "Validating Web Content with Senser"
> https://security.cs.georgetown.edu/~msherr/pubs.php

This is very interesting! Earlier on I had considered using Merkle Treesfor this project as well, but we are currently looking at other, moresuitable options.


Roger:

> and (2)
> Be sure to check out the recent papers by the Berkeley group on this
> area, e.g.  the "do you see what I see" paper and more recent ones:
> https://www1.icsi.berkeley.edu/~sadia/

Yes, I have read many of these! The "Do you see what I see" paper wasdefinitely one of the inspirations for this, as well as some results ofmy previous work.


Gunner:

> It may or may not be of any use, but here is a content from an etherpad
> that a number of Tor folks worked on a while back regarding 'tor
> friendly sites"

Thanks for sending this! The results of this project will definitelysupplement this etherpad with things that we find are broken "in thewild," either as a foreseen result of the design choices of the TorBrowser or by unforeseen consequence.


grarpamp:

> You may be interested in this coupled pair of projects that
> may be studying a similar question from a different perspective.
> Note their needs list which might include integrating elements
> of your platform, OONI, etc.

Thanks for bringing these to our attention! These are certainlyinteresting projects that I think could benefit from the findings of ourwork, when we get there. We may be able to supplement the lists that arealready built up with more information of services that don't outrightblock Tor, but make it difficult to anonymously use their Web service byrelying on functionality that is dangerous to anonymity and blocked onTor Browser.


Georg:

> What are your criteria for saying "this is broken in Tor Browser" vs.
> "this is just rendered slightly different in Tor Browser"? For instance
> I suspect that you'd even get different ground-truths depending on the
> major Firefox version you use (like Firefox 65 vs. Firefox 60 ESR), yet
> you would hardly say "This is okay in Firefox 65 but broken in Firefox
> 60 ESR". Or maybe there *are* cases where you would say so? What I am
> saying is: mapping the creation of the DOM tree and logging JS execution
> might be a good means for you goal (I am not sure yet) but it does not
> seem to be sufficient to reach it.

There is some legitimate concern here, and the reason that my e-mail hasbeen so late is because I've been considering this. The main observationhere is that, as far as I know, the Tor Browser is a modification of aFirefox ESR, not an entirely stand-alone browser. The goal, then, is totake as ground truth the closest version of Firefox that we can.

The Tor Browser starts as a Firefox ESR release and then has changesapplied to it (patches, extensions, etc). If we use the FF ESR releaseassociated with the most current TB, then we can count that as "groundtruth," since the comparison should isolate to only the changes made toFF to turn it into TTB.


Georg:

> Secondly, I am wondering how you plan to deal with the fact that
> websites show different content if the logic behind them assumes you
> come from a different country/region. How does that get incorporated
> into your ground-truth, for example?

The way we intended to do this was to send our FF "ground-truth"collection through Tor, and specifically through the same exit node asTTB uses. This way we can isolate the variable to the differences in thebrowsers, rather than any network or other concerns. In addition, we areworking on developing a method for determining if content is dynamicallygenerated (and therefore different every time), or broken.

I hope this addressed all concerns, and if not, or if there is morefeedback, please let me know!


Thanks,

Kevin

--
Kevin Gallagher
Ph.D. Candidate
Center For Cybersecurity
NYU Tandon School of Engineering
Key Fingerprint: D02B 25CB 0F7D E276 06C3  BF08 53E4 C50F 8247 4861

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Tor Friendliness Scanner
  - From: Ryan Duff

References:
- [tor-dev] Tor Friendliness Scanner
  - From: Kevin Gallagher
- Re: [tor-dev] Tor Friendliness Scanner
  - From: Georg Koppen

Prev by Author: [tor-dev] Tor Friendliness Scanner
Next by Author: [tor-dev] Orbot and Tor on Android Q
Previous by thread: Re: [tor-dev] Tor Friendliness Scanner
Next by thread: Re: [tor-dev] Tor Friendliness Scanner
Index(es):
- Author
- Thread