1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-10 00:12:09 +00:00

More info about fingerprinting via fonts

This commit is contained in:
rohan kumar 2020-11-24 04:54:13 -08:00
parent f1a56e9ec4
commit 8f47970379
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
2 changed files with 18 additions and 4 deletions

View file

@ -42,7 +42,11 @@ It's not a good idea to expect users to automatically override website styleshee
### But wouldn't that allow a website to fingerprint with fonts? ### But wouldn't that allow a website to fingerprint with fonts?
I don't know much about fingerprinting, except that you can't do font enumeration without JavaScript. Since text-based websites that follow these best-practices don't send requests after the page loads and have no scripts, fingerprinting via font enumeration is a non-issue. I don't know much about fingerprinting, except that you can't do font enumeration without JavaScript. Since text-based websites that follow these best-practices don't send requests after the page loads and have no scripts, fingerprinting via font enumeration is a non-issue on those sites.
Other websites can still fingerprint via font enumeration using JavaScript. They don't need to stop at seeing what sans-serif maps to; they can see all the available fonts on a user's system, the user's canvas fingerprint, window dimensions, etc. Some of these can be mitigated with Firefox's "privacy.resistFingerprinting" setting, but that setting also understandably overrides user font preferences.
Ultimately, surveillance self-defense on the web is an arms race full of trade-offs. If you want both privacy and customizability, the web is not the place to look; try Gemini or Gopher instead.
## About lazy loading ## About lazy loading

View file

@ -78,15 +78,25 @@ asserting a personal preference.
It's not a good idea to expect users to automatically override website stylesheets. It's not a good idea to expect users to automatically override website stylesheets.
Doing so would break websites that use fonts such as Font Awesome to display vector Doing so would break websites that use fonts such as Font Awesome to display vector
icons. We shouldn't expect these users to constantly battle with websites the same way icons. We shouldn't expect these users to constantly battle with websites the same
that many adblocking/script-blocking users (myself included) already do. way that many adblocking/script-blocking users (myself included) already do.
### But wouldn't that allow a website to fingerprint with fonts? ### But wouldn't that allow a website to fingerprint with fonts?
I don't know much about fingerprinting, except that you can't do font enumeration I don't know much about fingerprinting, except that you can't do font enumeration
without JavaScript. Since text-based websites that follow these best-practices don't without JavaScript. Since text-based websites that follow these best-practices don't
send requests after the page loads and have no scripts, fingerprinting via font send requests after the page loads and have no scripts, fingerprinting via font
enumeration is a non-issue. enumeration is a non-issue on those sites.
Other websites can still fingerprint via font enumeration using JavaScript. They
don't need to stop at seeing what sans-serif maps to; they can see all the available
fonts on a user's system, the user's canvas fingerprint, window dimensions, etc. Some
of these can be mitigated with Firefox's `privacy.resistFingerprinting` setting, but
that setting also understandably overrides user font preferences.
Ultimately, surveillance self-defense on the web is an arms race full of trade-offs.
If you want both privacy and customizability, the web is not the place to look; try
Gemini or Gopher instead.
About lazy loading About lazy loading
------------------ ------------------