Opened 15 months ago

Last modified 3 months ago

#18097 new defect

Font fingerprinting defenses roadmap (parent ticket)

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-fonts
Cc: gk, mcs, dcf Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a fonts.conf file to restrict the browser to use only the bundled fonts.)

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (#17759) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In #16707 we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In #17220 we added some standard Math fonts to the whitelist. And in #17250 and #17661, we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also #17999.

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see #16672.

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see #16312.

Our #13313 patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see #16739.

Child Tickets

TicketSummaryOwner
#13313Enable bundled fonts in Tor Browsertbb-team
#16312Limit font queries by URL bar domainarthuredelstein
#16672Text rendering allows font fingerprintingarthuredelstein
#16686Migrate all font fingerprinting patches to tor-browser.gitarthuredelstein
#16707Packaged fonts in Tor Browser make websites partly unreadable on OS X and Windowstbb-team
#16724Tor Browser 5.0a4 crashes with fonts.conf filetbb-team
#16739Whitelist fonts by filename rather than font nametbb-team
#16740Font defense in 5.0a4 crashes OS X 10.6.8tbb-team
#17220math symbols not supported by font whitelisttbb-team
#17250Japanese font(s) look ugly on websitestbb-team
#17661Mac OS: whitelist the font .Helvetica Neue DeskInterfacetbb-team
#17759font whitelist fails to stop local fonts in @font-facetbb-team
#17785Unit tests for font whitelisting patchtbb-team
#17999Changed default GUI font might help fingerprinting JA Windows userstbb-team
#18169Tor Browser 5.5 misses whitelisted zh-CN UI fontarthuredelstein
#18172Emoji support is broken in Tor Browser 5.5tbb-team
#18205Restrict font whitelist patch to apply only to non-chrome contexts?tbb-team
#18234Font fingerprinting defenses broken on Windowstbb-team
#18297Tor browser uses Chinese-style glyphs to display Japanesetbb-team
#18364Tor Browser in Gnu+Linux doesn't support Dingbats properlytbb-team
#20820Add font support for Shift-JIStbb-team
#20842Proposal: Improve Tor Browser font whitelist / bundled fonts
#21385Ensure fonts are always loaded in the same ordertbb-team

Change History (8)

comment:1 Changed 15 months ago by arthuredelstein

  • Description modified (diff)

comment:2 Changed 15 months ago by bugzilla

  • Keywords tbb-fingerprinting-fonts added; tbb-font-fingerprinting removed

comment:3 Changed 15 months ago by mcs

  • Cc mcs added

comment:4 Changed 15 months ago by dcf

  • Cc dcf added

comment:5 in reply to: ↑ description Changed 15 months ago by gk

Replying to arthuredelstein:

In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

I stumbled over that one while preparing the changelog for 5.5 and after some digging it occurred to me that we dropped the font.system.whitelist approach for Linux by shipping all the bundles ourselves and use the fonts.conf mechanism. We might want to clarify that point more in the description.

comment:6 Changed 15 months ago by arthuredelstein

  • Description modified (diff)

comment:7 follow-up: Changed 3 months ago by vegansalad

I love that Tor Browser is worried about font fingerprinting defenses!

It, however, seems to be breaking parts of the Tor Browser's Trac page for Gnu+Linux TBB users though. #18860

From what I can tell, this seems to be due to the fact that the Tor Browser in Gnu+Linux doesn't support Dingbats properly. #18364

Does anyone have any idea why this is the case? I'm having trouble figuring out what is going on.

I was told that NotoEmoji-Regular.ttf is currently bundled in Tor Browser #18172#comment:29

Based on the pictures, it seems like maybe it should have dingbats covered in the font: https://www.google.com/get/noto/#emoji-zsye

So, I'm curious, why are dingbats not working in TBB on Gnu+Linux? Is it because it doesn't have any fonts whitelisted that include all dingbats? Or is the whitelisted font that allows dingbats to work not working for some reason? Does this have to do with #16739 at all?

comment:8 in reply to: ↑ 7 Changed 3 months ago by arthuredelstein

Replying to vegansalad:

I love that Tor Browser is worried about font fingerprinting defenses!

It, however, seems to be breaking parts of the Tor Browser's Trac page for Gnu+Linux TBB users though. #18860

From what I can tell, this seems to be due to the fact that the Tor Browser in Gnu+Linux doesn't support Dingbats properly. #18364

Does anyone have any idea why this is the case? I'm having trouble figuring out what is going on.

I was told that NotoEmoji-Regular.ttf is currently bundled in Tor Browser #18172#comment:29

Based on the pictures, it seems like maybe it should have dingbats covered in the font: https://www.google.com/get/noto/#emoji-zsye

So, I'm curious, why are dingbats not working in TBB on Gnu+Linux? Is it because it doesn't have any fonts whitelisted that include all dingbats? Or is the whitelisted font that allows dingbats to work not working for some reason? Does this have to do with #16739 at all?

Hi vegansalad,

Thanks for reporting this problem. Please keep it all comments on it on one ticket, though! :) I think #18364 is probably the best place for that discussion.

Note: See TracTickets for help on using tickets.