[tbb-bugs] #18097 [Tor Browser]: Font fingerprinting defenses roadmap (parent ticket)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 19 06:10:32 UTC 2016
#18097: Font fingerprinting defenses roadmap (parent ticket)
---------------------------------+-------------------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Keywords: tbb-font-fingerprinting
Actual Points: | Parent ID:
Points: | Sponsor:
---------------------------------+-------------------------------------
Defending against font fingerprinting is complex. We have to worry about
distinguishing attacks via installed font enumeration, text rendering
engine differences, and font variants. There are a variety of tickets
involved. This ticket is to track our progress.
Here's an overview of our approach:
In #13313, we introduced a Tor Browser pref, "font.system.whitelist",
which accepts a list of fonts and excludes all others from the browser. We
introduced a separate whitelist for OS X, Windows, and Linux.
This whitelisting mechanism protects against font enumeration attacks,
such as http://www.lalit.org/lab/javascript-css-font-detect/. Our
whitelisting patch applies to CSS `font-family` and `src:local` (#17759)
queries and also the Canvas `font` property. It does not prevent an
attacker from identifying the operating system, nor from distinguishing
two versions of an operating system by detecting different variants of the
same font.
In #16707 we whitelisted a largish set of fonts for Windows and OS X that
are shipped with the operating system by default. In #17220 we added some
standard Math fonts to the whitelist. And in #17250 and #17661, we
expanded the font whitelist to include UI fonts found on some versions of
Windows and OS X. See also #17999.
David Fifield (dcf) wrote a script that fingerprints the user by measuring
the bounding box of glyphs at certain code points. We found that different
flavors of Linux render the same fonts differently and thus produce
different fingerprints. We also expect different versions of Windows and
Mac to also be distinguishable by font metrics. For the Linux case, we
hope to adjust rendering settings and/or bundle rendering libraries to
make the flavors indistinguishable: see #16672.
We might also be able to reduce the effectiveness of fingerprinting
attacks on all platforms by only allowed a limited number of font queries
per URL bar domain: see #16312.
Our #13313 patch whitelists fonts by name, but it likely allows a font
installed on the system to supersede a font bundled with the browser. So
we would consider changing the patch to whitelisting by font filename or
restricting allowed directories for font loading: see #16739.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18097>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list