Font fingerprinting defenses roadmap (parent ticket)
|Reported by:||arthuredelstein||Owned by:||tbb-team|
|Cc:||gk, mcs, dcf||Actual Points:|
Description (last modified by arthuredelstein)
Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.
Here's an overview of our approach:
In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a fonts.conf file to restrict the browser to use only the bundled fonts.)
In #16707 we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In #17220 we added some standard Math fonts to the whitelist. And in #17250 and #17661, we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also #17999.
David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see #16672.
We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see #16312.
Our #13313 patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see #16739.
|#13313||Enable bundled fonts in Tor Browser||tbb-team|
|#16312||Limit font queries by URL bar domain||arthuredelstein|
|#16672||Text rendering allows font fingerprinting||arthuredelstein|
|#16686||Migrate all font fingerprinting patches to tor-browser.git||arthuredelstein|
|#16707||Packaged fonts in Tor Browser make websites partly unreadable on OS X and Windows||tbb-team|
|#16724||Tor Browser 5.0a4 crashes with fonts.conf file||tbb-team|
|#16739||Whitelist fonts by filename rather than font name||tbb-team|
|#16740||Font defense in 5.0a4 crashes OS X 10.6.8||tbb-team|
|#17220||math symbols not supported by font whitelist||tbb-team|
|#17250||Japanese font(s) look ugly on websites||tbb-team|
|#17661||Mac OS: whitelist the font .Helvetica Neue DeskInterface||tbb-team|
|#17759||font whitelist fails to stop local fonts in @font-face||tbb-team|
|#17785||Unit tests for font whitelisting patch||tbb-team|
|#17999||Changed default GUI font might help fingerprinting JA Windows users||tbb-team|
|#18169||Tor Browser 5.5 misses whitelisted zh-CN UI font||arthuredelstein|
|#18172||Emoji support is broken in Tor Browser 5.5||tbb-team|
|#18205||Restrict font whitelist patch to apply only to non-chrome contexts?||tbb-team|
|#18234||Font fingerprinting defenses broken on Windows||tbb-team|
|#18297||Tor browser uses Chinese-style glyphs to display Japanese||tbb-team|
|#18364||Tor Browser in Gnu+Linux doesn't support Dingbats properly||tbb-team|
|#20820||Add font support for Shift-JIS||tbb-team|
|#20842||Proposal: Improve Tor Browser font whitelist / bundled fonts|
|#21385||Ensure fonts are always loaded in the same order||tbb-team|
Change History (8)
comment:2 Changed 15 months ago by bugzilla
- Keywords tbb-fingerprinting-fonts added; tbb-font-fingerprinting removed