Opened 4 years ago

Last modified 16 months ago

#18097 new defect

Font fingerprinting defenses roadmap (parent ticket) — at Version 6

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-fonts, tbb-fingerprinting-os
Cc: gk, mcs, dcf Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a fonts.conf file to restrict the browser to use only the bundled fonts.)

This whitelisting mechanism protects against font enumeration attacks, such as Our whitelisting patch applies to CSS font-family and src:local (#17759) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In #16707 we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In #17220 we added some standard Math fonts to the whitelist. And in #17250 and #17661, we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also #17999.

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see #16672.

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see #16312.

Our #13313 patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see #16739.

Child Tickets

#5423closedtbb-teamNo Characters Showing Up On 'Check Page'Applications/Tor Browser
#8770newtbb-teamVerify that @font-face fallback fonts can't be probedApplications/Tor Browser
#9451newtbb-teamde-anonymisation by readable @font-face CSS attribute - TBB settings updateApplications/Tor Browser
#13313closedtbb-teamEnable bundled fonts in Tor BrowserApplications/Tor Browser
#16312needs_informationarthuredelsteinLimit font queries per URL bar domainApplications/Tor Browser
#16672assignedarthuredelsteinText rendering allows font fingerprintingApplications/Tor Browser
#16686newarthuredelsteinMigrate all font fingerprinting patches to tor-browser.gitApplications/Tor Browser
#16707closedtbb-teamPackaged fonts in Tor Browser make websites partly unreadable on OS X and WindowsApplications/Tor Browser
#16724newtbb-teamTor Browser 5.0a4 crashes with fonts.conf fileApplications/Tor Browser
#16739newtbb-teamWhitelist fonts by filename rather than font nameApplications/Tor Browser
#16740newtbb-teamFont defense in 5.0a4 crashes OS X 10.6.8Applications/Tor Browser
#17220closedtbb-teammath symbols not supported by font whitelistApplications/Tor Browser
#17250closedtbb-teamJapanese font(s) look ugly on websitesApplications/Tor Browser
#17661closedtbb-teamMac OS: whitelist the font .Helvetica Neue DeskInterfaceApplications/Tor Browser
#17759closedtbb-teamfont whitelist fails to stop local fonts in @font-faceApplications/Tor Browser
#17785newtbb-teamUnit tests for font whitelisting patchApplications/Tor Browser
#17999newtbb-teamChanged default GUI font might help fingerprinting JA Windows usersApplications/Tor Browser
#18169closedarthuredelsteinTor Browser 5.5 misses whitelisted zh-CN UI fontApplications/Tor Browser
#18172needs_revisiontbb-teamEmoji support is broken in Tor Browser 5.5Applications/Tor Browser
#18205newtbb-teamRestrict font whitelist patch to apply only to non-chrome contexts?Applications/Tor Browser
#18234newtbb-teamFont fingerprinting defenses broken on WindowsApplications/Tor Browser
#18297closedtbb-teamTor browser uses Chinese-style glyphs to display JapaneseApplications/Tor Browser
#20820newtbb-teamAdd font support for Shift-JISApplications/Tor Browser
#20842assignedtbb-teamProposal: Improve Tor Browser font whitelist / bundled fontsApplications/Tor Browser
#21385newtbb-teamEnsure fonts are always loaded in the same orderApplications/Tor Browser
#21973needs_informationtbb-teamFonts settings changed badly in 7.0a3 on Win 7Applications/Tor Browser
#22070newtbb-teamCheck whether we need to update our font whitelist for ESR68Applications/Tor Browser
#22787newtbb-teamFontconfig warning: remove 'blank' configurationApplications/Tor Browser
#22952needs_informationtbb-teamTor Browser Arabic Fonts Issue !Applications/Tor Browser
#26080newtbb-teamtorbrowser 7.5.4 update seems to generate file with unique uuid in itApplications/Tor Browser
#27880newtbb-teamSinhala Unicode error on Windows 10Applications/Tor Browser
#30532newtbb-teamfont FP reveals different Windows releasesApplications/Tor Browser
#30589newtbb-teamTor Browser on Windows does not support Hindi or Tamil.Applications/Tor Browser
#31141closedtbb-teamfont.system.whitelist value typo?Applications/Tor Browser

Change History (6)

comment:1 Changed 4 years ago by arthuredelstein

Description: modified (diff)

comment:2 Changed 4 years ago by bugzilla

Keywords: tbb-fingerprinting-fonts added; tbb-font-fingerprinting removed

comment:3 Changed 4 years ago by mcs

Cc: mcs added

comment:4 Changed 4 years ago by dcf

Cc: dcf added

comment:5 in reply to:  description Changed 4 years ago by gk

Replying to arthuredelstein:

In #13313, we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

I stumbled over that one while preparing the changelog for 5.5 and after some digging it occurred to me that we dropped the font.system.whitelist approach for Linux by shipping all the bundles ourselves and use the fonts.conf mechanism. We might want to clarify that point more in the description.

comment:6 Changed 4 years ago by arthuredelstein

Description: modified (diff)
Note: See TracTickets for help on using tickets.