this post was submitted on 25 Jan 2024
18 points (95.0% liked)

Privacy

31981 readers
286 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

What are the privacy implications of enforcing an obscure font browser-wide (Firefox)? Are the website aware that they're not using some generic/default font?

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 9 months ago* (last edited 9 months ago) (2 children)

Perhaps more importantly, websites can determine which fonts are installed on your system (regardless of which you're enforcing), making fingerprinting much easier.

[–] [email protected] 5 points 9 months ago

RFP probably ensures you give out a predetermined set of fonts as installed.

[–] danhab99 2 points 9 months ago

Literally why is this necessary on a technical level. I'm a web developer, whenever I need my JavaScript to access a resource I have to spell out where to find it. I've never had a need to scan the browser or the system to make shit happen so why should I be able to in the first place.

[–] [email protected] 4 points 9 months ago

First of all, you can assume the server can infer this in a number of ways - there is actually no way to fully block it, but we can try.

The main issue for privacy is that it makes your browser behave in ways that are a bit too specific (i.e. less private by comparison with the rest of the browsers in the known universe).

As for techniques the site can use

  • javascript can test the geometry of something that was rendered to draw conclusions - was this font actually used? test several options and check for variations
  • measure font work between network events i.e. generate a site that makes the browser use unique links for 1) fetches a font 2) renders text and 3) only then another fetch - measure the time between 1) and 3) and draw conclusions. Repeat for test cases and draw conclusions - e.g. is the browser really fast using monospace vs custom huge font? not a great method, but not completely worthless
  • some techniques can actually do some of this without Javascript, provided you can generate some weird CSS/HTML that conditionally triggers a fetch

By the away not downloading the fonts also makes you "less private". Some of this is a stretch but not impossible.

Now for a more practical problem. Lots of sites use custom fonts for icons. Which means some sites will be very hard to use, because they only display buttons with an icon (actually a letter with a custom font).

FWIW these two lines are in my Firefox profile to disable downloads and skip document provided fonts:

user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("browser.display.use_document_fonts", 0);

If someone has better/different settings please share.

Finally the Tor browser folks did good work on privacy protections over FF. Maybe their issue tracker is a good source of inspiration https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18097

[–] [email protected] -1 points 9 months ago

The websites will just think that it's your default font.