Tor Font Whitelist

ChelonianEgghead

Tor Font Whitelist

Unread post by ChelonianEgghead » 2019-03-05, 03:57

So, I've been trying to reduce the information that can be detected as part of my browsing fingerprint, and it seems that one of the nastier tracking techniques used is font fingerprinting. Tor implemented an about:config setting called "font.system.whitelist" to counter this. https://trac.torproject.org/projects/tor/ticket/18097 Any chance that this could be implemented in Pale Moon? The only other post about this feature that I could find was in Russian and didn't make much sense to me in Google Translate.

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Tor Font Whitelist

Unread post by Moonchild » 2019-03-05, 09:06

This feature is already present.
The preference for it (font.system.whitelist) is not present by default and will have to be created with New -> String. Please be careful using this preference since it will impact all content page rendering that is using system fonts (including internal pages like about: pages) that are assumed to be present on various operating systems, so make sure your list of whitelisted fonts is complete and includes all default OS fonts, or you will notice an impact on page rendering.

Important note: our list of reported fonts is already restricted and won't show all installed fonts in panopticlick as a result (unless the Flash method is used which bypasses all this; recommended to set Flash to "ask to activate" to prevent this).

An example of a decent list for this whitelist is:

Arial, Courier, Times New Roman, Trebuchet MS, Segoe UI, MS Sans Serif, MS Serif, Verdana, Wingdings
but YMMV anyway, since a custom list like this might actually make you unique.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

ChelonianEgghead

Re: Tor Font Whitelist

Unread post by ChelonianEgghead » 2019-03-17, 04:27

So what restrictions are in place by default?

Re: Tor Font Whitelist

Unread post by Moonchild » 2019-03-17, 07:37

ChelonianEgghead wrote: So what restrictions are in place by default?
Well, for starters the fact that there is no content-exposed JS API that can enumerate all installed fonts (only chrome code has access to that). Any website wanting to detect installed system fonts will have to probe for specific families itself, which makes fingerprinting on fonts a lot less feasible. If you think I meant that there is a whitelist by default present then I'm afraid I wasn't entirely clear; there is no such default list, since that would directly influence fonts available to websites and the UI.
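
The family-by-family probing described in the post above, written as a self-check for a font.system.whitelist value. This is an added example, not part of the thread and not Pale Moon code. The function names, the stub and its widths are constructed for illustration, and it assumes the whitelist also governs canvas text measurement.

```javascript
// Added example (not from the thread): what a content page can learn by
// probing font families one at a time, used to audit a whitelist value.
const GENERIC = ["monospace", "sans-serif", "serif"];

// A family is "visible" if requesting it changes the measured width
// compared with the generic fallback alone, for at least one fallback.
function probeFonts(candidates, measure) {
  const baseline = new Map(GENERIC.map(g => [g, measure(g)]));
  return candidates.filter(family =>
    GENERIC.some(g => measure(`"${family}", ${g}`) !== baseline.get(g)));
}

// Compare the probe result with the intended font.system.whitelist string.
function auditWhitelist(whitelistPref, candidates, measure) {
  const allowed = new Set(
    whitelistPref.split(",").map(s => s.trim().toLowerCase()));
  const visible = probeFonts(candidates, measure);
  return {
    visible, // this set is what a site would see, i.e. the fingerprint
    leaked: visible.filter(f => !allowed.has(f.toLowerCase())),
  };
}

// Browser-only measurer (needs a DOM); pass it as `measure` on a real page.
function browserMeasure(fontStack) {
  const ctx = document.createElement("canvas").getContext("2d");
  ctx.font = `72px ${fontStack}`;
  return ctx.measureText("mmmmmmmmmmlli").width;
}

// Constructed stub standing in for a browser: `installed` fonts render at
// their own width; everything else falls back to the generic family.
// `whitelist` (array or null) models font.system.whitelist filtering.
function stubMeasure(installed, whitelist) {
  const widths = { monospace: 600, "sans-serif": 520, serif: 500 };
  const usable = installed.filter(f => !whitelist || whitelist.includes(f));
  return stack => {
    const [first, generic] =
      stack.split(",").map(s => s.trim().replace(/"/g, ""));
    if (generic === undefined) return widths[first];
    return usable.includes(first) ? 400 + first.length * 7 : widths[generic];
  };
}
```

On a real page, call `auditWhitelist(prefValue, candidateList, browserMeasure)`; a non-empty `leaked` array means the preference is not filtering what content can measure, and `visible` is the set a site would see.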

ChelonianEgghead

Re: Tor Font Whitelist

Unread post by ChelonianEgghead » 2019-03-18, 04:40

Does setting browser.display.use_document_fonts to 0 make me more identifiable then, because I'm refusing to show my non-default fonts at all, which is abnormal?

Re: Tor Font Whitelist

Unread post by Moonchild » 2019-03-18, 07:45

ChelonianEgghead wrote: Does setting browser.display.use_document_fonts to 0 make me more identifiable then, because I'm refusing to show my non-default fonts at all, which is abnormal?
I'm not sure if that setting even has an impact at all on the fingerprinting question. What it DOES do however is prevent any and all font application, including downloadables. As a result many web layouts will look wrong or may even break.
