js-shield
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hi folks: Master thesis in evaluating anti-fingerprinting browser ex


From: Tomer Yavor
Subject: Re: Hi folks: Master thesis in evaluating anti-fingerprinting browser extensions for ff
Date: Fri, 1 Mar 2024 17:55:23 +0100
User-agent: Mozilla Thunderbird

Sorry for the late respond.

Thank you very much that a lot of great ideas!
I like the idea of working on FF API's for web workers. I will get in
touch with my old colleagues and ask them if they have use/interest in
such an API.

Further, I will consult my supervisor, if you already have a student
working on something similar to PETInspector it might be unnecessary to
dive to deep into it from my site.

Instead focusing on more features and a maybe smaller evaluation might
be the way to go for my thesis. I will update you as soon as I figured
out how much I change my thesis direction. That is of course also
related to my supervisors opinion :)

Thanks again!

Best regards
Tomer


On 28.02.24 12:23, Libor Polčák wrote:
Hello Tomer,

Thank you for your introduction. Please see my comments inline.

Hi folks,
Hope you all well.
This mail has the purpose to present myself and describe what and why
I want to contribute.
I don't want to annoy anyone of this mailing list, so if you are not
interested, feel free to skip this mail :)

My name is Tomer, currently doing my masters in Cyber Security at
Hasso-Plattner Institute in Potsdam, Germany. My supervisor is Dr.
Anne Kayem of Hasso-Plattner Institute.
My thesis is not totally fixed yet (will be registered in march), but
I am strongly aiming to make a new version of evaluating
Anti-Fingerprinting browser extensions, like in
https://dl.acm.org/doi/pdf/10.1145/3308558.3313703 with up-to-date
extensions (like JShelter) and focused on Firefox browser.

That's great. I am also looking at that paper. My CCed student is
currently working on making an environment similar to PETInspector
that will be able to (a) test JShelter with the plan to replace
integration and system tests and (b) evaluate other extensions or
JShelter and other extensions in combination. It would be great if our
work was useful to you. Can I instruct my student to introduce her
project to you? Maybe we can arrange a presentation for one of the
future JShelter meetings.

Our plan is to integrate Selenium manager so that multiple browsers
and multiple versions can be tested.

If you go in this direction, I can also give you some opinions about
what such research should consider. Like maybe one should not expect
that a single webextension can handle all issues, like active, passive
fingerprinting, adblocking etc. There is also a problem that browser
extensions are limited by the APIs that are available to them. So PET
browsers like Brave or Tor Browser have advantage in this area. I
think that researchers should distinguish them and maybe also consider
questions like do webextensions make sense or do users need a privacy
preserving browser to be protected?

There is also the question about different strategies to anti-browser
fingerprinting and how to evaluate them. AFAIR PETInspector only
considered masked/true values. But an API that is not masked might
reveal only a few bits of entropy. I think it is more useful to have a
working strategy than beating other extensions in number of masked APIs.

Additionally, I want to add to the evaluation aspects like visibility
of enabled privacy extensions which might lead to user discrimination.

Do I understand correctly that you mean fingeprinting side-effects of
extensions? Like APIs missing, additional JavaScript properties,
inconsistencies etc.? Yes, that is also a problem. Consequent research
question is if fingerprinting scripts in the wild gather such
information.

Do you also plan to elaborate on the exact effects of user
discrimination?

Further, I would like to develop some features to JShelter and that's
why I am writing you. I would love to hear your opinions (or ideas)
about the features I thought might be interesting to add.

Two features I thought might be worth to add/ adjust:

  * More precises Web Worker blocking. Since it leads to a lot of
breakage (I tested the 50 most visited websites according to
Wikipedia, excluding porn sites, and it broke 9 of them like
WhatsAppWeb, ChatGPT, Linkedin, Spotify, etc.). You also have an
issue tracking that already
https://pagure.io/JShelter/webextension/issue/130.

We had several discussions on this topic, although so far we did not
see exact numbers on this topic. Honestly, I can imagine a thesis just
on this topic. I guess, you saw
https://pagure.io/JShelter/webextension/issue/80. Briefly, current
status is that:

* We need to inject code in Firefox through privileged APIs where
running arbitrary page code is dangerous. Giorgio has more details but
see https://jshelter.org/fixing-mv3/,
https://github.com/w3c/webextensions/issues/536,
https://github.com/w3c/webextensions/issues/538,
https://github.com/w3c/webextensions/issues/539, and
https://bugzilla.mozilla.org/show_bug.cgi?id=1736575 for new
webextension APIs that would allow webextensions to inject their code
into JS environment before page scripts start running in each context.
Given your experience with Firefox, it would be great if you
considered developing these APIs either directly to Firefox or as an
experimental feature that could later be integrated to Firefox.
* Without the APIs, developing cross-browser reliable and safe Worker
replacement is to hard (is it even possbible?) and time consuming for
our team.

  *   Trim referrer info in HTTP header (small feature) if request is
cross site, to reduce traceability

I supervised a diploma thesis on (similar) topic, see
https://www.vut.cz/www_base/zav_prace_soubor_verejne.php?file_id=252692.
In brief, there are other extensions that can control referrer header.
So my personal view is that adding just this functionality might be
seen by the users as JShelter is enough to combat passive
fingerprinting. Also my experience is that simple removal of Referer
means broken sites. So if you want to go this way, consider something
more advanced. We have an issue for this topic
https://pagure.io/JShelter/webextension/issue/44.

If you have any ideas or concerns I would be glad to hear them.

* https://pagure.io/JShelter/webextension/issue/69 I feel like the
current behaviour in spoofing WebGL constants generates bad publicity.
* https://pagure.io/JShelter/webextension/issue/66 I would like to see
a possibility to control events in JShelter.
* https://pagure.io/JShelter/webextension/issue/34 The interaction of
RfP with JShelter (and other extensions) is an unexplored territory.
* https://pagure.io/JShelter/webextension/issue/33 JShelter needs to
solve how to replace wrappers injecting Proxy objects in Firefox. I
just got an idea, given your experience in Firefox, there is an option
to make Firefox compatible with Chrome and allow Proxies instead of
the proxied objects in the affexted APIs.
* https://pagure.io/JShelter/webextension/issue/20 There is an idea to
let the community tweak behaviour on some pages (like changing the
configuration of Workers on specific pages).


Maybe relevant points about me (and browser security in my vita):

  * Worked in the past for Firefox Security Infrastructure team as a
working student (2 years)
      o Was involved in HTTPS-Only Mode of FF, HTTPS-First or
Mixed-content upgrading


JShelter seems to me like a very interesting project and I would love
to contribute. Also was very positively surprise how fast you folks
response on the repo!

I work at Brno University of Technology and I have experience with
many students that worked on JShelter. We would be grateful if you can
contribute to JShelter or privacy webextensions in general.

Actually, I would not ask for much support but would be glad to get
ideas and (if there is the possibility on some point) anonymous
insight how much affect a feature I implement have had on users usage.

I can give you active user numbers, like those that were used to
generate Figure 6 in https://arxiv.org/pdf/2204.01392.pdf. There are
also some more stats in AMO.

My thesis will be free and open for anyone, and I am planning to cite
your papers.


If you have any questions, don't hesitate to ask me, you can reach
out to me also in private. I would be glad to answer or to discuss
ideas :)

Great.

Have fun with your thesis and let us know how it develops.

Libor



reply via email to

[Prev in Thread] Current Thread [Next in Thread]