Font fingerprinting #120

Closed
publicarray opened this issue Feb 17, 2016 · 18 comments

@publicarray
Contributor

I have found out that browser.display.use_document_fonts can be used to disable font fingerprinting. I have used it in my own user.js and have not found a problem with it. I recommend adding it to this project.

```js
// disable font fingerprinting
// test with http://www.browserleaks.com/fonts or https://panopticlick.eff.org
user_pref("browser.display.use_document_fonts", 0);
```

before: [screenshot]
after: [screenshot]
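One way to confirm the setting proposed above is the value a profile will actually use, as an added example that is not part of the original post or the project's code: it parses `user_pref(...)` lines and applies `user.js` over `prefs.js`. The sample file contents are constructed, and the function names are hypothetical; the default of `1` is Firefox's stock value for this pref.

```python
import re

PREF = "browser.display.use_document_fonts"
# Matches one user_pref("name", value); line as written in user.js / prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value}; a later line for the same pref wins."""
    prefs = {}
    in_block_comment = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block_comment:
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block_comment = "*/" not in stripped
            continue
        m = PREF_RE.match(line)  # lines commented out with // do not match
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def effective_value(prefs_js, user_js, default="1"):
    """user.js is applied over prefs.js at startup, so it takes precedence.
    default="1" is the stock setting (pages may choose their own fonts)."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF, default)

def document_fonts_blocked(prefs_js, user_js):
    """True only when the effective value is 0 (document fonts ignored)."""
    return effective_value(prefs_js, user_js) == "0"

# Constructed sample files (not taken from any real profile).
SAMPLE_PREFS_JS = 'user_pref("browser.display.use_document_fonts", 1);\n'
SAMPLE_USER_JS = '''\
// disable font fingerprinting
// user_pref("browser.display.use_document_fonts", 1);
user_pref("browser.display.use_document_fonts", 0);
'''

if __name__ == "__main__":
    print("effective:", effective_value(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
    print("blocked:", document_fonts_blocked(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```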

@Gitoffthelawn
Contributor

Does this require that every website download its own fonts to the client or is there an equivalency matrix like with other technologies?

What are the downsides to doing this?

Also, this assumes Flash is allowed, correct? To my knowledge, there is currently no way to prevent font fingerprinting when Flash is allowed.

@nodiscc
Contributor

nodiscc commented Feb 17, 2016

@Gitoffthelawn it's not related to Flash (check the screenshot above, Flash is listed as not present); JavaScript is used to detect fonts - https://www.browserleaks.com/fonts.

@pyllyukko
Owner

@publicarray: Thanks! I think this is a good idea. Also, the Tor Browser has a similar feature not to use the system fonts.

@pyllyukko
Owner

> As said this is useless

I really don't think it's useless.

@pyllyukko
Owner

So a step forward is useless, if you don't immediately get into the destination? Even the site you linked (thanks for these links BTW.) states "Fingerprinters have to work harder for worse results—that’s good!", which is on the spot. We'll never have everything perfectly secure and private, but it's all about raising the bar.

And even though different add-ons handle some of these things, it's always better to try to do it from within Firefox itself. Besides, there's really no guarantee that all the users use all the add-ons we recommend, so again, it's a step forward.

But yes, definitely not an absolute fix for this issue, but improvement nevertheless.

@publicarray
Contributor Author

@CHEF-KOCH Thanks for all of the research. I agree that it's not a perfect solution but it does prevent JavaScript enumeration like this test.

uBlock Origin blocks network requests and does not prevent font fingerprinting. It can be used to reduce the number of hostnames you are connecting to, e.g. you can block 3rd party fonts and 1st party fonts.

@berrythesoftwarecodeprogrammar

i wish there were an option to disable only detection/use of local fonts so that remote fonts could still be used. that way websites with custom fonts could still be seen properly (and also controlled via addons like ublock). this breaks custom fonts on everything including certain addons. and it probably makes you stick out in a way since most people's fonts are enumerable. but it might be better than leaking the whole list

@publicarray
Contributor Author

I have used this setting for such a long time that I've probably forgotten what the web looks like with custom fonts...

http://www.w3schools.com/cssref/css_websafe_fonts.asp or http://www.cssfontstack.com/

Sorry I have forgotten that the fonts are indeed not loaded.

@Gitoffthelawn
Contributor

@publicarray @nodiscc @CHEF-KOCH

My apologies. In my post, I wrote, "Also, this assumes Flash is allowed, correct? To my knowledge, there is currently no way to prevent font fingerprinting when Flash is allowed."

I meant to write: "Also, this assumes Flash is NOT allowed, correct? To my knowledge, there is currently no way to prevent font fingerprinting when Flash is allowed."

Brain going faster than my fingers! :-)

@Atavic

Atavic commented Mar 19, 2017

Fluxfonts: font fingerprint cloaking.
Obfuscation, explained: https://github.com/da2x/fluxfonts

#189; arkenfox/user.js#34

@Albirew

Albirew commented Mar 8, 2019

This post is mainly meant for people trying to find why they have icons replaced by text in some webpages.

For the CSS downsides of this setting, here are some examples (Android download page where the tickbox has been replaced by text and TinyTinyRSS page where icons have also been replaced by text. Both use the "Material Icons" font).
screenshot
