Opened 6 years ago

Last modified 23 months ago

#9451 new defect

de-anonymisation by readable @font-face CSS attribute - TBB settings update

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-fonts
Cc: g.koppen@…, team@…, arthuredelstein@… Actual Points:
Parent ID: #18097 Points:
Reviewer: Sponsor:

Description

I've checked the TorBrowserBundle with JavaScript turned off via the testing tool on ip-check.info.

Turning JavaScript off seems to result in @font-face CSS attribute being readable. That might harm users' anonymity. What do you think?

Here's what the JonDonym developers tell us about it:

"The number and type of fonts installed on your system may, under certain circumstances, strongly contribute to your de-anonymization. Caution: Your fonts might even be read without JavaScript! This is possible, as a website may force loading web fonts if the respective font is not installed on your local computer. If the site forbids font caching, the fonts will be reloaded on any access.

If you ONLY see STRANGE, UNREADABLE SYMBOLS in this rating, your installed fonts are indirectly readable by this website.

In this case, the page may try to load hundreds of different font names using the "@font-face" attribute. If the respective font is installed on your system, the website notices that it is not loaded from the server. Hint: If it can read them, the fonts on your system enable a website to unambiguously recognize you in many cases.

Recommended: Prevent that your browser reloads fonts using the @font-face CSS attribute."

Child Tickets

Change History (11)

comment:1 Changed 6 years ago by cypherpunks

Summary: @font-face CSS attribute readablede-anonymisation by readable @font-face CSS attribute

comment:2 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:3 Changed 6 years ago by gk

Resolution: not a bug
Status: newclosed

The ip-check description does not fit to the current Tor Browser implementation. See:
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability section 4.6.4
Enumerating "hundreds of different font names" installed on your system is currently not known to be possible if you are running the Tor Browser.

comment:4 Changed 6 years ago by cypherpunks

Cc: team@… added
Keywords: de-anonymization TBB font settings added
Milestone: Tor: unspecified
Priority: criticalnormal
Resolution: not a bug
Status: closedreopened
Summary: de-anonymisation by readable @font-face CSS attributede-anonymisation by readable @font-face CSS attribute - TBB settings update

In the latest build of the Tor Browser Bundle (3.0alpha1 as of November 7th), it's unclear why Firefox is left configured to allow pages to choose their own fonts by default. In addition to undermining anonymity, allowing pages to ascertain font availability could be used to determine a user's likely operating system for browser exploit targeting.

The setting can be found via the TBB Preferences-->Content-->Advanced-->"Allow pages to choose their own fonts.." checkbox.

comment:5 Changed 6 years ago by cypherpunks

Status: reopenednew

Anyone willing to make the simple change to TBB defaults to disallow pages to choose their fonts out of the box? Per previous comment, it's a simple preference change as I understand it.

comment:6 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:7 Changed 5 years ago by erinn

Component: Tor bundles/installationTor Browser
Keywords: needs-triage removed
Owner: changed from erinn to tbb-team

comment:8 Changed 5 years ago by arthuredelstein

Cc: arthuredelstein@… added

comment:9 Changed 5 years ago by nickm

Milestone: Tor: unspecified

comment:10 Changed 5 years ago by gacar

The attack described here won't work because of TBB's font limits (=10). After loading or probing 10 fonts, no local font lookup will be made due @font-face rules.

comment:11 Changed 23 months ago by cypherpunks

Keywords: tbb-fingerprinting-fonts added; de-anonymization TBB font settings removed
Parent ID: #18097
Severity: Normal
Note: See TracTickets for help on using tickets.