Opened 9 years ago

Closed 9 years ago

#2187 closed enhancement (duplicate)

Spoof Font List

Reported by: mt2009 Owned by: mikeperry
Priority: High Milestone:
Component: Applications/Torbutton Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

TorButton user can still be diferentiate using their fonts list. the font list of torbutton user should be uniform. It's also one of Torbutton's design requirements "to make all Tor users look uniform amongst themselves".

I know i can just disable javascript to prevent site read the font list, but if i disable javascript i can't login to google account, The Worst Privacy Ranking of Internet Service Company (http://www.freerepublic.com/focus/news/1864812/posts)

Font Detectors:
http://what-is-my-ip-address.anonymous-proxy-servers.net/
http://www.lalit.org/lab/javascript-css-font-detect

Child Tickets

Change History (3)

comment:1 Changed 9 years ago by rransom

I think even disabling JavaScript won't help. CSS can now instruct Firefox to load and use a font from a specified URL if a font with a specified name is not already installed on the user's system.

comment:2 Changed 9 years ago by mikeperry

Sadly, there are a lot of CSS capabilities that are bad for fingerprinting with more growing every day... We could toggle browser.display.use_document_fonts for this particular fingerprinting issue. I will accept a patch to do this, but I don't think the option should be on by default.

I think the right way to do this is to figure out how to wrap the font engine so we can provide a reduced list, but since it is not an XPCOM component, this seems non-trivial from an XPI.

Alternatively, this may be something that we need to fix in the Tor Browser Bundles, by specially building firefox to only search font paths that we provide.

comment:3 Changed 9 years ago by mikeperry

Resolution: duplicate
Status: newclosed

Dup of #2872.

Note: See TracTickets for help on using tickets.