Changes between Version 1 and Version 6 of Ticket #18097


Timestamp:
Jan 29, 2016, 8:38:52 PM (3 years ago)
Author:
arthuredelstein
  • Ticket #18097

    • Property Keywords tbb-fingerprinting-fonts added; tbb-font-fingerprinting removed
    • Property Cc mcs dcf added
  • Ticket #18097 – Description

    v1 v6  
    33Here's an overview of our approach:
    44
    5 In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.
     5In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a `fonts.conf` file to restrict the browser to use only the bundled fonts.)
    66
    77This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS `font-family` and `src:local` (#17759) queries and also the Canvas `font` property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.
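
Review bot: The parenthetical added on v6 line 5 contradicts the sentence it follows. The text still says "We introduced a separate whitelist for OS X, Windows, and Linux", and then states that the Linux bundle does not use the "font.system.whitelist" pref. Consider rewording the earlier sentence so that the pref-based whitelist is described for OS X and Windows only, with Linux getting the equivalent restriction from the bundled fonts and `fonts.conf`. The following paragraph says "Our whitelisting patch applies to" CSS `font-family`, `src:local` and the Canvas `font` property; it would help to state whether that coverage also holds on Linux, where the restriction comes from `fonts.conf` rather than from the pref.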