Re: Hi folks: Master thesis in evaluating anti-fingerprinting browser extensions for ff

[Libor Polčák]

Hello Tomer,

Thank you for your introduction. Please see my comments inline.

> Hi folks,
> Hope you all well.
> This mail has the purpose to present myself and describe what and why I want to 
> contribute.
> I don't want to annoy anyone of this mailing list, so if you are not 
> interested, feel free to skip this mail :)
>
> My name is Tomer, currently doing my masters in Cyber Security at 
> Hasso-Plattner Institute in Potsdam, Germany. My supervisor is Dr. Anne Kayem 
> of Hasso-Plattner Institute.
> My thesis is not totally fixed yet (will be registered in march), but I am 
> strongly aiming to make a new version of evaluating Anti-Fingerprinting browser 
> extensions, like in https://dl.acm.org/doi/pdf/10.1145/3308558.3313703 with 
> up-to-date extensions (like JShelter) and focused on Firefox browser.

That's great. I am also looking at that paper. My CCed student is currently 
working on making an environment similar to PETInspector that will be able to 
(a) test JShelter with the plan to replace integration and system tests and (b) 
evaluate other extensions or JShelter and other extensions in combination. It 
would be great if our work was useful to you. Can I instruct my student to 
introduce her project to you? Maybe we can arrange a presentation for one of 
the future JShelter meetings.

Our plan is to integrate Selenium manager so that multiple browsers and 
multiple versions can be tested.

If you go in this direction, I can also give you some opinions about what such 
research should consider. Like maybe one should not expect that a single 
webextension can handle all issues, like active, passive fingerprinting, 
adblocking etc. There is also a problem that browser extensions are limited by 
the APIs that are available to them. So PET browsers like Brave or Tor Browser 
have advantage in this area. I think that researchers should distinguish them 
and maybe also consider questions like do webextensions make sense or do users 
need a privacy preserving browser to be protected?

There is also the question about different strategies to anti-browser 
fingerprinting and how to evaluate them. AFAIR PETInspector only considered 
masked/true values. But an API that is not masked might reveal only a few bits 
of entropy. I think it is more useful to have a working strategy than beating 
other extensions in number of masked APIs.

> Additionally, I want to add to the evaluation aspects like visibility of 
> enabled privacy extensions which might lead to user discrimination.

Do I understand correctly that you mean fingeprinting side-effects of 
extensions? Like APIs missing, additional JavaScript properties, 
inconsistencies etc.? Yes, that is also a problem. Consequent research question 
is if fingerprinting scripts in the wild gather such information.

Do you also plan to elaborate on the exact effects of user discrimination?

> Further, I would like to develop some features to JShelter and that's why I am 
> writing you. I would love to hear your opinions (or ideas) about the features I 
> thought might be interesting to add.
>
> Two features I thought might be worth to add/ adjust:
>
>   * More precises Web Worker blocking. Since it leads to a lot of breakage (I 
> tested the 50 most visited websites according to Wikipedia, excluding porn 
> sites, and it broke 9 of them like WhatsAppWeb, ChatGPT, Linkedin, Spotify, 
> etc.). You also have an issue tracking that already 
> https://pagure.io/JShelter/webextension/issue/130.

We had several discussions on this topic, although so far we did not see exact 
numbers on this topic. Honestly, I can imagine a thesis just on this topic. I 
guess, you saw https://pagure.io/JShelter/webextension/issue/80. Briefly, 
current status is that:

* We need to inject code in Firefox through privileged APIs where running 
arbitrary page code is dangerous. Giorgio has more details but see 
https://jshelter.org/fixing-mv3/, 
https://github.com/w3c/webextensions/issues/536, 
https://github.com/w3c/webextensions/issues/538, 
https://github.com/w3c/webextensions/issues/539, and 
https://bugzilla.mozilla.org/show_bug.cgi?id=1736575 for new webextension APIs 
that would allow webextensions to inject their code into JS environment before 
page scripts start running in each context. Given your experience with Firefox, 
it would be great if you considered developing these APIs either directly to 
Firefox or as an experimental feature that could later be integrated to Firefox.
* Without the APIs, developing cross-browser reliable and safe Worker 
replacement is to hard (is it even possbible?) and time consuming for our team.

>   *   Trim referrer info in HTTP header (small feature) if request is cross 
> site, to reduce traceability

I supervised a diploma thesis on (similar) topic, see 
https://www.vut.cz/www_base/zav_prace_soubor_verejne.php?file_id=252692. In 
brief, there are other extensions that can control referrer header. So my 
personal view is that adding just this functionality might be seen by the users 
as JShelter is enough to combat passive fingerprinting. Also my experience is 
that simple removal of Referer means broken sites. So if you want to go this 
way, consider something more advanced. We have an issue for this topic 
https://pagure.io/JShelter/webextension/issue/44.

> If you have any ideas or concerns I would be glad to hear them.

* https://pagure.io/JShelter/webextension/issue/69 I feel like the current 
behaviour in spoofing WebGL constants generates bad publicity.
* https://pagure.io/JShelter/webextension/issue/66 I would like to see a 
possibility to control events in JShelter.
* https://pagure.io/JShelter/webextension/issue/34 The interaction of RfP with 
JShelter (and other extensions) is an unexplored territory.
* https://pagure.io/JShelter/webextension/issue/33 JShelter needs to solve how 
to replace wrappers injecting Proxy objects in Firefox. I just got an idea, 
given your experience in Firefox, there is an option to make Firefox compatible 
with Chrome and allow Proxies instead of the proxied objects in the affexted 
APIs.
* https://pagure.io/JShelter/webextension/issue/20 There is an idea to let the 
community tweak behaviour on some pages (like changing the configuration of 
Workers on specific pages).

> Maybe relevant points about me (and browser security in my vita):
>
>   * Worked in the past for Firefox Security Infrastructure team as a working 
> student (2 years)
>       o Was involved in HTTPS-Only Mode of FF, HTTPS-First or Mixed-content 
> upgrading
>
>
> JShelter seems to me like a very interesting project and I would love to 
> contribute. Also was very positively surprise how fast you folks response on 
> the repo!

I work at Brno University of Technology and I have experience with many 
students that worked on JShelter. We would be grateful if you can contribute to 
JShelter or privacy webextensions in general.

> Actually, I would not ask for much support but would be glad to get ideas and 
> (if there is the possibility on some point) anonymous insight how much affect a 
> feature I implement have had on users usage.

I can give you active user numbers, like those that were used to generate 
Figure 6 in https://arxiv.org/pdf/2204.01392.pdf. There are also some more 
stats in AMO.

> My thesis will be free and open for anyone, and I am planning to cite your 
> papers.
>
>
> If you have any questions, don't hesitate to ask me, you can reach out to me 
> also in private. I would be glad to answer or to discuss ideas :)

Great.

Have fun with your thesis and let us know how it develops.

Libor