[tor-bugs] #16312 [Applications/Tor Browser]: Limit font queries per URL bar domain
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 9 15:30:02 UTC 2020
#16312: Limit font queries per URL bar domain
--------------------------------------+---------------------------------
Reporter: arthuredelstein | Owner: arthuredelstein
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting-fonts | Actual Points:
Parent ID: #18097 | Points:
Reviewer: | Sponsor:
--------------------------------------+---------------------------------
Comment (by Thorin):
In a paper (I'll dig up the reference if required), it was shown that the
most fonts used (legitimately?) by sites (using an Alexa top sites
listing) was around `30`, with one site using close to `50`. Most were
`10` or under. Without the reference to hand, I do not know for sure that
they were only counting installed fonts. But where would you draw the line
vs breakage? I assume the analysis excluded FPing scripts that have a font
component (e.g. fingerprintjs2 starts at 60+ fonts). **It would be
interesting if OpenWPM could return anything meaningful on installed font
queries per site**

I also wonder how easy this would be to bypass - I can think of a number
of ways: i.e. I am thinking about what happens on subsequent domain pages
in the same session, or sub-domains, etc - do I get another free hit?
Additionally, by using `targeted font lists`, I can still get all the
entropy possible that I know of (e.g. within TB Windows users I only need
five or six fonts: and you can't hide that you are the Tor Browser on
Windows, and I will always come in under your limit).

Limiting the installed fonts used per whatever (domain, sub-domain,
eTLD+1?) and per session might make it harder for current FPing scripts,
but will ultimately not hold up. The only real solution, IMO, is for all
users to have the same identical bundled fonts (different per OS if need
be) as this also mitigates other font FPing techniques.

However, given that bundling all fonts for all users ~~might be~~ **is** a
pipe-dream, this would probably be the next best measure, certainly
upstream for Firefox RFP users .. assuming it's even feasible (ID~~K~~
think ~~if~~ it is)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16312#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
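
The keying question raised in the comment above (domain, sub-domain or eTLD+1, per session), modelled as an added example that is not part of the ticket, the comment, or Tor Browser/Firefox code. `FontBudget`, `registrableDomain`, the limit of 10, the three-entry suffix set and the font names are all assumptions constructed for illustration.

```javascript
// Added illustration of a font-query budget; not Tor Browser or Firefox code.
// ASSUMPTION: this constructed suffix set stands in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname under the constructed suffix set.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return host.toLowerCase();
}

class FontBudget {
  // keyFn maps the URL bar hostname to the key the budget is charged against.
  constructor(limit, keyFn) {
    Object.assign(this, { limit, keyFn, seen: new Map() });
  }
  // True if the installed-font lookup is answered, false once the budget is spent.
  query(urlBarHost, family) {
    const key = this.keyFn(urlBarHost);
    if (!this.seen.has(key)) this.seen.set(key, new Set());
    const fonts = this.seen.get(key), name = family.toLowerCase();
    if (fonts.has(name)) return true; // repeat lookups are free
    if (fonts.size >= this.limit) return false;
    fonts.add(name);
    return true;
  }
}

// Number of names in `families` that the budget answers for `host`.
function probe(budget, host, families) {
  return families.filter((f) => budget.query(host, f)).length;
}

// Same session, three subdomains, 20 distinct constructed names each, limit 10.
function demo() {
  const fonts = Array.from({ length: 60 }, (_, i) => `Constructed Font ${i}`);
  const hosts = ["a.example.com", "b.example.com", "c.example.com"];
  const run = (keyFn) => {
    const b = new FontBudget(10, keyFn);
    return hosts.reduce((n, h, i) => n + probe(b, h, fonts.slice(i * 20, i * 20 + 20)), 0);
  };
  const shortList = probe(new FontBudget(10, registrableDomain), "example.com", fonts.slice(0, 6));
  return { perHost: run((h) => h), perSite: run(registrableDomain), shortList };
}
console.log(demo());
```

Keyed on the full hostname the budget is charged separately for each subdomain; keyed on eTLD+1 it is shared, while a six-name list is answered in full under either key.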