#9451
Closed (moved)
Created Aug 11, 2013 by cypherpunks@cypherpunks

de-anonymisation by readable @font-face CSS attribute - TBB settings update

I've checked the TorBrowserBundle with JavaScript turned off via the testing tool on ip-check.info.

Turning JavaScript off seems to result in @font-face CSS attribute being readable. That might harm users' anonymity. What do you think?

Here's what the JonDonym developers tell us about it:

"The number and type of fonts installed on your system may, under certain circumstances, strongly contribute to your de-anonymization. Caution: Your fonts might even be read without JavaScript! This is possible, as a website may force loading web fonts if the respective font is not installed on your local computer. If the site forbids font caching, the fonts will be reloaded on any access.

If you ONLY see STRANGE, UNREADABLE SYMBOLS in this rating, your installed fonts are indirectly readable by this website.

In this case, the page may try to load hundreds of different font names using the "@font-face" attribute. If the respective font is installed on your system, the website notices that it is not loaded from the server. Hint: If it can read them, the fonts on your system enable a website to unambiguously recognize you in many cases.

Recommended: Prevent that your browser reloads fonts using the @font-face CSS attribute."
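
A defender-side check for the pattern the quoted text describes, as an added example that is not part of the original report or of Tor Browser: it scans a stylesheet for `@font-face` rules whose `src` tries `local()` and falls back to a `url()`, and counts the font names tested. The `local()`/`url()` pairing as the probe form, the sample CSS, the function names and the threshold are assumptions made for illustration.

```javascript
// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
@font-face { font-family: "Body"; src: url("/fonts/body.woff") format("woff"); }
@font-face { font-family: "p1"; src: local("Arial"), url("/f?n=Arial"); }
@font-face { font-family: "p2"; src: local("Calibri"), url("/f?n=Calibri"); }
@font-face { font-family: "p3"; src: local("Ubuntu"), url("/f?n=Ubuntu"); }
@font-face { font-family: "Brand"; src: local("Brand Sans"), url("/fonts/brand.woff"); }
`;

// Return one record per @font-face rule: the local() names and url() targets
// found in its src descriptors. Regex-based, so data: URLs containing ';'
// are not handled.
function parseFontFaces(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  for (const m of stripped.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const src = (m[1].match(/(?:^|;)\s*src\s*:([^;]*)/gi) || []).join(",");
    const grab = (fn) => {
      const re = new RegExp(fn + "\\(\\s*[\"']?([^\"')]+)[\"']?\\s*\\)", "gi");
      return [...src.matchAll(re)].map((x) => x[1].trim());
    };
    rules.push({ locals: grab("local"), urls: grab("url") });
  }
  return rules;
}

// A rule can reveal installed-font state when its server-side fallback is only
// requested if local() fails. Count such rules and the distinct names tested.
// A few such rules are normal; the threshold (hypothetical default) targets
// stylesheets that test many names, each with its own fallback URL.
function assessStylesheet(css, threshold = 20) {
  const candidates = parseFontFaces(css)
    .filter((r) => r.locals.length > 0 && r.urls.length > 0);
  const names = new Set(candidates.flatMap((r) => r.locals.map((n) => n.toLowerCase())));
  const fallbacks = new Set(candidates.flatMap((r) => r.urls));
  return {
    candidateRules: candidates.length,
    fontNamesTested: [...names].sort(),
    distinctFallbackUrls: fallbacks.size,
    suspicious: names.size >= threshold && fallbacks.size >= threshold,
  };
}

console.log(assessStylesheet(SAMPLE_CSS, 3));
```
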
