Font fingerprinting defenses roadmap (parent ticket)

Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a fonts.conf file to restrict the browser to use only the bundled fonts.)

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (legacy/trac#17759 (moved)) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In legacy/trac#16707 (moved) we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In legacy/trac#17220 (moved) we added some standard Math fonts to the whitelist. And in legacy/trac#17250 (moved) and legacy/trac#17661 (moved), we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also legacy/trac#17999 (moved).

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see legacy/trac#16672 (moved).

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see legacy/trac#16312 (moved).

Our legacy/trac#13313 (moved) patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see legacy/trac#16739 (moved).

added component::applications/tor browser in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac severity::normal in Legacy / Trac status::new in Legacy / Trac tbb-fingerprinting-fonts in Legacy / Trac tbb-fingerprinting-os in Legacy / Trac type::defect in Legacy / Trac labels

Trac:
Description: Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via installed font enumeration, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (legacy/trac#17759 (moved)) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In legacy/trac#16707 (moved) we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In legacy/trac#17220 (moved) we added some standard Math fonts to the whitelist. And in legacy/trac#17250 (moved) and legacy/trac#17661 (moved), we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also legacy/trac#17999 (moved).

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see legacy/trac#16672 (moved).

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see legacy/trac#16312 (moved).

Our legacy/trac#13313 (moved) patch whitelists fonts by name, but it likely allows a font installed on the system to supersede a font bundled with the browser. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see legacy/trac#16739 (moved).

to

Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (legacy/trac#17759 (moved)) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In legacy/trac#16707 (moved) we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In legacy/trac#17220 (moved) we added some standard Math fonts to the whitelist. And in legacy/trac#17250 (moved) and legacy/trac#17661 (moved), we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also legacy/trac#17999 (moved).

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see legacy/trac#16672 (moved).

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see legacy/trac#16312 (moved).

Our legacy/trac#13313 (moved) patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see legacy/trac#16739 (moved).

Trac:
Keywords: tbb-font-fingerprinting deleted, tbb-fingerprinting-fonts added

Trac:
Cc: gk to gk, mcs

Trac:
Cc: gk, mcs to gk, mcs, dcf

Replying to arthuredelstein:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

I stumbled over that one while preparing the changelog for 5.5 and after some digging it occurred to me that we dropped the font.system.whitelist approach for Linux by shipping all the bundles ourselves and use the fonts.conf mechanism. We might want to clarify that point more in the description.

Trac:
Description: Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux.

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (legacy/trac#17759 (moved)) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In legacy/trac#16707 (moved) we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In legacy/trac#17220 (moved) we added some standard Math fonts to the whitelist. And in legacy/trac#17250 (moved) and legacy/trac#17661 (moved), we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also legacy/trac#17999 (moved).

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see legacy/trac#16672 (moved).

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see legacy/trac#16312 (moved).

Our legacy/trac#13313 (moved) patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see legacy/trac#16739 (moved).

to

Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved. This ticket is to track our progress.

Here's an overview of our approach:

In legacy/trac#13313 (moved), we introduced a Tor Browser pref, "font.system.whitelist", which accepts a list of fonts and excludes all others from the browser. We introduced a separate whitelist for OS X, Windows, and Linux. (For the Linux Tor Browser bundle, we do not use the "font.system.whitelist" pref. Instead we bundle all fonts and use a fonts.conf file to restrict the browser to use only the bundled fonts.)

This whitelisting mechanism protects against font enumeration attacks, such as http://www.lalit.org/lab/javascript-css-font-detect/. Our whitelisting patch applies to CSS font-family and src:local (legacy/trac#17759 (moved)) queries and also the Canvas font property. It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

In legacy/trac#16707 (moved) we whitelisted a largish set of fonts for Windows and OS X that are shipped with the operating system by default. In legacy/trac#17220 (moved) we added some standard Math fonts to the whitelist. And in legacy/trac#17250 (moved) and legacy/trac#17661 (moved), we expanded the font whitelist to include UI fonts found on some versions of Windows and OS X. See also legacy/trac#17999 (moved).

David Fifield (dcf) wrote a script that fingerprints the user by measuring the bounding box of glyphs at certain code points. We found that different flavors of Linux render the same fonts differently and thus produce different fingerprints. We also expect different versions of Windows and Mac to also be distinguishable by font metrics. For the Linux case, we hope to adjust rendering settings and/or bundle rendering libraries to make the flavors indistinguishable: see legacy/trac#16672 (moved).

We might also be able to reduce the effectiveness of fingerprinting attacks on all platforms by only allowed a limited number of font queries per URL bar domain: see legacy/trac#16312 (moved).

Our legacy/trac#13313 (moved) patch whitelists fonts by name, so it likely allows a font installed on the system to supersede a font bundled with the browser if they have the same font name. So we would consider changing the patch to whitelisting by font filename or restricting allowed directories for font loading: see legacy/trac#16739 (moved).

I love that Tor Browser is worried about font fingerprinting defenses!

It, however, seems to be breaking parts of the Tor Browser's Trac page for Gnu+Linux TBB users though. legacy/trac#18860 (moved)

From what I can tell, this seems to be due to the fact that the Tor Browser in Gnu+Linux doesn't support Dingbats properly. legacy/trac#18364 (moved)

Does anyone have any idea why this is the case? I'm having trouble figuring out what is going on.

I was told that NotoEmoji-Regular.ttf is currently bundled in Tor Browser legacy/trac#18172 (moved)#comment:29

Based on the pictures, it seems like maybe it should have dingbats covered in the font: https://www.google.com/get/noto/#emoji-zsye

So, I'm curious, why are dingbats not working in TBB on Gnu+Linux? Is it because it doesn't have any fonts whitelisted that include all dingbats? Or is the whitelisted font that allows dingbats to work not working for some reason? Does this have to do with legacy/trac#16739 (moved) at all?

Trac:
Username: vegansalad
Reviewer: N/A to N/A

Replying to vegansalad:

I love that Tor Browser is worried about font fingerprinting defenses!

It, however, seems to be breaking parts of the Tor Browser's Trac page for Gnu+Linux TBB users though. legacy/trac#18860 (moved)

From what I can tell, this seems to be due to the fact that the Tor Browser in Gnu+Linux doesn't support Dingbats properly. legacy/trac#18364 (moved)

Does anyone have any idea why this is the case? I'm having trouble figuring out what is going on.

I was told that NotoEmoji-Regular.ttf is currently bundled in Tor Browser legacy/trac#18172 (moved)#comment:29

Based on the pictures, it seems like maybe it should have dingbats covered in the font: https://www.google.com/get/noto/#emoji-zsye

So, I'm curious, why are dingbats not working in TBB on Gnu+Linux? Is it because it doesn't have any fonts whitelisted that include all dingbats? Or is the whitelisted font that allows dingbats to work not working for some reason? Does this have to do with legacy/trac#16739 (moved) at all?

Hi vegansalad,

Thanks for reporting this problem. Please keep it all comments on it on one ticket, though! :) I think legacy/trac#18364 (moved) is probably the best place for that discussion.

Replying to arthuredelstein:

Very cool work on font fingerprinting defenses. I have a question with regards to the following statement:

It does not prevent an attacker from identifying the operating system, nor from distinguishing two versions of an operating system by detecting different variants of the same font.

Does this mean that the forcing the platform to Win32 the cpu-class to Windows NT 6.1, and the user-agent to have Windows NT 6.1 does not help increase the size of the anonymity set (mentioned in legacy/trac#9501 (closed)), since the fonts allow distinguishing between Windows, MacOS, and Linux in any case?

Trac:
Username: amit

Added the keyword tbb-fingerprinting-os, since os can be inferred from the fonts.

Trac:
Username: amit
Keywords: N/A deleted, tbb-fingerprinting-os added

Is there any coordination happening with these guys? https://github.com/pyllyukko/user.js/issues/286

If not, should we ask them to sign up and start posting stuff over here? Or should we start posting in their github thread?

Trac:
Username: vegansalad

Replying to vegansalad:

Is there any coordination happening with these guys? https://github.com/pyllyukko/user.js/issues/286

Not that I know of.

If not, should we ask them to sign up and start posting stuff over here? Or should we start posting in their github thread?

I am fine leaving their stuff in their github thread. What we right now need is moving legacy/trac#20842 (moved) forward. Alas, it is not high-prio right now as we are all busy with the transition to Firefox 60 ESR. I hope we can pick this up again in a couple of weeks.

mentioned in issue legacy/trac#18297 (moved)

mentioned in issue legacy/trac#18364 (moved)

mentioned in issue legacy/trac#18364 (moved)

mentioned in issue legacy/trac#18860 (moved)

mentioned in issue legacy/trac#20820 (moved)

mentioned in issue legacy/trac#20842 (moved)

mentioned in issue legacy/trac#21973 (moved)

mentioned in issue legacy/trac#22070 (moved)

mentioned in issue legacy/trac#22787 (moved)

mentioned in issue legacy/trac#22952 (moved)

mentioned in issue legacy/trac#23451 (moved)

mentioned in issue legacy/trac#26080 (moved)

mentioned in issue legacy/trac#26146 (moved)

mentioned in issue legacy/trac#27880 (moved)

mentioned in issue legacy/trac#30532 (moved)

mentioned in issue legacy/trac#31141 (moved)

mentioned in issue legacy/trac#31881 (moved)

mentioned in issue legacy/trac#30589 (moved)

mentioned in issue legacy/trac#31917 (moved)

moved from legacy/trac#18097 (moved)

added Bug label and removed 1 deleted label

added Fingerprinting label and removed 1 deleted label

added Fonts label

added Roadmap::Future label

removed Bug label

added Project label

Can someone reopen one or both of these tickets for me? They are related to this parent ticket but they are currently closed and I think the issues presented in them should be considered when trying to deal with this parent ticket.

legacy/trac#18364 (moved) legacy/trac#20842 (moved)

@KurtisHanna

A lot of work was done with fonts for 11.5: see here and scroll down to improved font support - and see this list which at the time of writing is almost everything @pierov and others worked through to make it all happen

• e.g. 18364 Tor Browser in Gnu+Linux doesn't support Dingbats properly
• e.g. merge 474 huge increase in bundled Noto fonts

Edit: your legacy issues you linked to

• legacy/trac#18364 (moved) -> closed resolved in 11.5 #18364 (closed)
• legacy/trac#20842 (moved) = open - #20842 is still open

If you still have an issue with fonts, please open a new issue with relevant information (OS, screenshots, steps to reproduce, etc). Thanks

added Meta label

added All Platforms label

not a meta, and we have Fonts label now

also closing: old-timey well-known info. I think pierov wanted to keep it open, but a 7 year old ticket with nothing new for the last 5 years is pretty much dead wood to me, sorry

summary

• we limit fonts per desktop platform (whitelist/bundling)
  • on linux this is 100% bundled while mac/windows also allow a few system fonts
    • ideally, one day, we hope to limit to bundled on all desktops
  • we also set font-name-list* prefs per language and default fonts
  • meanwhile, system fonts used do have some extra font-families depending on the OS version
    • for windows this is largely cleaned up once we drop win7/8 support in ESR128
    • for mac I would need to check
• this tight font control limits (but does not quite defeat, see above point) enumeration and tofu/char-support/script-support
  • we overhauled bundled fonts last year (2022) and our script support is world class, beats FF in windows for example
• other entropy shown per language is equivalency
  • e.g. default fonts, default font-sizes, default proportional fonts
  • and we can tighten this up in the future by removing some UI settings elements and making the about:config interstitial sticky and a bit more informative/scary

not a font issue

• are used everywhere, so in effect once they are fully controlled/standardized (or limited as much as possible), they are no longer a font issue - the problem lies elsewhere and fonts are now equivalency of that issue
  • e.g.canvas/webgl
    • these are intersections of a dozen or more FP causes: fonts is just one of them
    • we already cover canvas
    • we can also cover webgl readPixels in the future
    • so we can ignore these as having with solutions elsewhere
  • e.g. high precision measurements
    • caused by subpixels and rendering
    • we have tickets open to jitter, randomize, block (e.g. some textmetrics) etc

all of these have issues open, as well as other actual font standardizing issues (variants, aliases, font substitutes, font config issues in linux, etc) - use the label = Fonts to find them all

removed Meta label

closed