19:00:20 <GeKo> #startmeeting tor browser 19:00:20 <MeetBot> Meeting started Mon Feb 26 19:00:20 2018 UTC. The chair is GeKo. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:20 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 19:00:31 <GeKo> t0mmy: https://storm.torproject.org/shared/tHoN4Ii7rLSjPE0OP4gydX4cMGadsXmRQNc-6lwru0N 19:00:33 <GeKo> and welcome 19:00:53 <arthuredelstein> hi everyone 19:00:55 <GeKo> hi all for a new meeting 19:00:57 <t0mmy> GeKo thanks! 19:01:03 <isabela> hello 19:01:11 <GeKo> the pad link is above, please add your items if you did not have already 19:01:20 <isabela> kk 19:01:29 <GeKo> and read through and flag items of other in case you want to discuss them 19:01:55 <boklm> hi 19:02:53 <sysrqb> o/ 19:03:46 <igt0> !!! 19:03:58 * antonela is lurking 19:04:14 <tjr> \o 19:05:22 <pospeselr> hi hello 19:05:46 <GeKo> alright 19:05:58 <GeKo> tjr is not the first one today :) 19:06:10 <GeKo> igt0: you are up 19:06:54 * igt0 typing 19:08:57 <igt0> So last week after reading the comments in the #25013 and talking wit sysrqb I changed my approach, now I am trying to make tor button a system extension. And I am using mozilla central. So the problem about mozilla central is because it deprecated a bunch of things so I am updating the extension to use the latest APIs or css properties. 19:09:43 <igt0> so i wonder if someone already tried to rebase tor patches on top of the m-c or ff59. So I could use it. Since I could run the tests. 19:10:48 <igt0> sysrqb, told me in the #tor-project that arthuredelstein is working a branch that we could use it :) 19:10:51 <tjr> Hm. System Extensions use internal APIs that are not guaranteed to be maintained, not change, or even keep existing. What's in there for 60 will stay there; but if you intend to follow Mozilla's releases, you will find yourself in trouble eventually. I don't know if that will be 62 or 68 or what, but eventually something you rely on will disappear 19:10:52 <sysrqb> I assume it depends on how many of the patches are uplifted before ESR60 is released 19:12:05 <sysrqb> I think system addons are an easy solution for the next ~6 months 19:12:15 <sysrqb> we'll likely need a better, ong term, solution by then 19:12:18 <sysrqb> *long 19:12:32 <GeKo> yes 19:12:50 <GeKo> i don't see it as a long-term solution either 19:12:53 <sysrqb> i chatted with some addon devs, aswan in particular, and they (roughly)agreed 19:13:26 <sysrqb> not that they were hapy, but they didn't see another immediate solution 19:13:43 <GeKo> ok, good 19:13:46 <sysrqb> err, happy 19:14:38 <arthuredelstein> I guess when internal APIs disappear, then the torbutton or torlauncher code will break regardless of whether it is a system extension or an internal module 19:14:47 <arthuredelstein> So we'll need to keep revising either way 19:15:10 <arthuredelstein> until the functionality in question becomes part of Firefox itself 19:15:19 <GeKo> yep 19:15:20 <sysrqb> I already ran into that with torlaucher, Mozilla riped out old APIs after legacy extensions were deprecated 19:15:40 <sysrqb> luckily it was easily fixed 19:16:50 <GeKo> igt0: so where are we with your issue from the pad? 19:17:55 <igt0> GeKo, sysrqb answered :), I can keep working on m-c until we uplift tor patches. 19:18:00 <GeKo> k 19:18:30 <GeKo> i see we don'tave anything else marked bold, great 19:18:39 <GeKo> then let's move on to the disucssion 19:19:09 <GeKo> t0mmy: do you want to say something about that potential grant? 19:19:15 <t0mmy> sure thing 19:19:40 <t0mmy> hi all -- I think I've chatted to all of you, but just in case, hi, I'm Tor's grant writer 19:19:48 <pospeselr> o/ 19:20:21 <t0mmy> FB has a call for proposals out for $100k to research privacy-preserving technology that'll benefit end users. 19:20:27 <t0mmy> https://research.fb.com/programs/research-awards/proposals/secure-the-internet-grants/ 19:21:15 <sysrqb> huh. 19:21:49 <t0mmy> Given their focus on end users, I think "research" in this instance isn't limited to papers, etc. I'm treating it as "research and deploy" in the sense of "think about the problem a bit and then do a thing." I think we could get this money for the browser team, and so I wanted to check in and get a sense of what sort of work this proposal could 19:21:58 <t0mmy> cover. 19:22:23 <t0mmy> GeKo and I have already talked a bit about research to fight fingerprinting, but I'm all ears. /end 19:22:58 <arthuredelstein> Does it need to be a new project? 19:23:55 <t0mmy> I don't believe so; no indication on the site. 19:24:12 <tjr> Not sure what the fingerprinting discussion was, but 'fixing' canvas fingerprinting once and for all could be a good topic/subtopic 19:24:34 <GeKo> the discussion was how to solve best fingerprinting 19:24:47 <GeKo> it's basically an unresolved research problem 19:25:08 <GeKo> should we try to hide all users in a group (as we try) 19:25:22 <GeKo> or should we rather try a randomization approach 19:25:28 <GeKo> or a hybrid one? 19:25:47 <tjr> You should talk to Stephen about this in Rome too :) 19:25:58 <GeKo> there is a section for that in our design doc citing papers etc. 19:25:59 <GeKo> sure 19:26:39 <mcs> I wonder if the fingerprinting area is too much in need of basic research (vs. the applied research focus mentioned on the fb.com page)? But it would be good to do more in that area. 19:27:11 <GeKo> mcs: in which regard basic research vs. applied research? 19:27:23 <t0mmy> Yeah, they do want a timeline with deliverables (e.g. tools) as part of the proposal. 19:27:52 <mcs> Do we know enough to be able to provide a timeline for something that would provide practical benefits to end-users? 19:28:41 <mcs> In other words, does more fundamental/academic style research need to be done first? I don’t know the answer. 19:29:00 <mcs> (the fb.com RFP seems to be asking for deployable results) 19:29:42 <mcs> I will also add that fingerprinting is not my area of expertise, so other should have a better sense of what could be proposed. 19:29:50 <mcs> s/other/other people/ 19:29:59 <tjr> (I was wondering if there was a build/packaging proposal in here somewhere with reproducible builds, PTs, or something like that but perhaps not, as they aren' very end usery.) 19:30:53 <t0mmy> PTs are very end-user-y, especially for FB, but it's my understanding that we'd have to hire someone new and that's a lot of overhead 19:31:05 <GeKo> yep 19:31:22 <arthuredelstein> One idea might be trying to build the next iteration of tor-launcher with "1-click" setup. User chooses their country, and PT/bridges get auto-setup. Would require "research" from OONI side, UX research, and implementation. 19:32:18 <antonela> arthuredelstein: oh <3 19:32:23 <GeKo> well, not just from the OONI and UX side 19:32:39 <mcs> arthuredelstein: +1 to that idea, but we need tor things too 19:32:41 <GeKo> the hard part is estimating the dangers of a auto-setup 19:32:56 <GeKo> *an 19:33:00 <arthuredelstein> you're right, that as well. 19:33:13 <arthuredelstein> All bad problems are an opportunity for research :) 19:33:23 <GeKo> heh 19:33:42 <sysrqb> i guess the next question is "who does the research?" 19:34:13 <sysrqb> do we partner with a research group? 19:34:35 <GeKo> we could. 19:34:47 <GeKo> or we could try to do researchy stuff ourselves 19:34:54 <GeKo> using our fpcentral 19:35:13 <GeKo> and getting things implemented directly into tor browser :) 19:35:21 <sysrqb> mmm, that's true 19:35:43 <GeKo> the risk i see is that we can do less dev work this way 19:35:52 <sysrqb> measuring the risk associated with probing PTs would be more difficult for us 19:35:58 <sysrqb> yeah 19:36:01 <GeKo> i agree 19:36:03 <arthuredelstein> Another basic form of fingerprinting research I think would be useful is just to look very careful at every single web API and CSS API and find new ways of fingerprinting (and mitigations) 19:36:23 <GeKo> true 19:36:27 <arthuredelstein> I think there are bound to be a number we have missed 19:36:52 <GeKo> the question again is whether we should apply to get that work done 19:37:11 <GeKo> we could use that while preparing for a new esr, true 19:37:59 <igt0> a tool/framework/crawler to detect fingerprinting, it would be amazing. 19:39:06 <GeKo> t0mmy: okay, i think we have some additional ideas. i think i'd like to hear arma's input as well 19:39:17 <GeKo> as i think he had some ideas/suggestions 19:39:30 <GeKo> what was the deadline for that proposal? 19:39:40 <t0mmy> he did. let's circle back on this when armadev's back in a few days 19:39:44 <GeKo> (the fb site is currently not opening in my tor browser) 19:39:54 <GeKo> ok. 19:40:00 <t0mmy> March 31, so we have some time. If we'd like to go for it, I'd like to have the idea cemented by March 10 or thereabouts 19:40:18 <GeKo> sounds like a thing to discuss at the dev meeting :) 19:40:35 <GeKo> at least to hammer some details down 19:40:48 <t0mmy> For sure! I won't be around but y'all can report back. =) 19:41:01 <GeKo> sure. thanks for joining us today! 19:41:08 <t0mmy> thanks for having me! 19:41:23 <GeKo> does anyone else have additional things for the meeting? 19:42:11 <GeKo> thanks all then! *baf* 19:42:16 <GeKo> #endmeeting