Fingerprinting v3: Font Fingerprinting

[tildelowengrimm]

re #11770

default protection:

• Reduce entropy: When shields are up, restrict websites to system (i.e. OS provided) fonts
• Farbling / randomize fingerprint: Also bundle a small number of additional fonts that are i) looked for by fingerprinting scripts and ii) have OSS or similar licenses so that we can bundle them. We will then use the farbling seed to change the font fingerprints detected by common fingerprinting scripts, to extend the farbling protections

max protection: Same as above

[diracdeltas]

this is probably near the top of priority WRT fingerprinting protection according to tests like panopticlick.

i imagine implementation would be something like:

1. Internally get the list of fonts available on the system
2. Intersect (1) with the 10 or so most commonly-supported fonts
3. If intersection is nonzero, report the intersection. Otherwise report the single font which is available that is the most commonly supported

[pes10k]

A similar, maybe simpler, option would be to just hard code a set of supported fonts for each supported platform, and always report those being installed.

This is what Safari does FWIW for FP detection
https://trac.webkit.org/changeset/225641/webkit

If the above sounds acceptable, that could be a pretty quick, Shields up option

[diracdeltas]

@snyderp what if the underlying platform doesn't actually support one of those hardcoded fonts?

should this be tied to fingerprinting protection or on in general? i think @bradleyrichter or someone voiced concern about having limited fonts generally

[pes10k]

@diracdeltas "doesn't actually support one of those hardcoded fonts" would be in the case of someone deleting a default system front from their machine? Possible, but a def edge case. Could be intersection of available fonts and platform default fonts then. I bet having a deleted system font though is pretty dang identifying though.

I'm in favor of tying to shields in general, but no strong pref either way. Either is better than the SQ, and easy to change one way or the other if things get wacky in dev / beta.

Re @bradleyrichter, i think (🤞) that sites will include non-default fonts when they're not available on the system, so there would only be a perf hit for uncommon-but-installed fonts, shouldn't be user-visable

[diracdeltas]

"doesn't actually support one of those hardcoded fonts" would be in the case of someone deleting a default system front from their machine? Possible, but a def edge case.

Don't fonts vary a lot between Linux distributions for instance?

[pes10k]

ah, yea, derp, good point.

what about one of the below?

1. Survey of whatever linux distros are used to download brave, till we get to the 20% long tail or so, and special case those
2. Just assume everyone at least uses msttcorefonts (no idea if this is accurate, good idea, or whats done in non-English locals…)
3. Leave linux as is, and handle on window and mac to handle at least the common cases?

[pes10k]

2 above might not be a horrible idea actually, since i'd guess (?) that sites are not being built assuming odd ball linux fonts are in place (we could crawl + test if this seems shaky)

[ghost]

"doesn't actually support one of those hardcoded fonts" would be in the case of someone deleting a default system front from their machine? Possible, but a def edge case. Could be intersection of available fonts and platform default fonts then. I bet having a deleted system font though is pretty dang identifying though.

I agree. An edge case not worth increasing "fingerprintability" over.

Don't fonts vary a lot between Linux distributions for instance?

Fonts matter because they tell the server what fonts the device supports. How about having the same approach as Safari and translating the fonts on the browser level? If the browser sends an unrecognized serif font, display default serif font (obviously this could be way more precisely mapped in practice).

[diracdeltas]

I would like to address Linux in our first iteration of this since that's where some of our most privacy-conscious users are. (people who actually turn on all fingerprinting protection, etc.)

[pes10k]

okie dokie. Maybe we could default fonts to region then, at least on linux. So that there is no additional fingerprint entropy

[ghost]

default fonts to region

What do you mean?

[affffc]

Any update on this? This is the main reason Firefox is better for privacy than Brave. Well this and container tabs.

[pes10k]

Just to follow up here, this is getting close (screenshot demonstrates font fingerprint randomization)

[babafc]

Hello why is this closed?
Someone who is on Windows/Mac wouldn't need a browser with "fingerprinting protection".
For Mac Safari already does it and Macs are standardized anyway.
For Windows these people are running Windows so the last they should worry about is privacy.

I understand there is no "default" Linux font pool but Firefox is able to prevent font fingerprinting on all desktop platforms.

[pes10k]

I understand there is no "default" Linux font pool but Firefox is able to prevent font fingerprinting on all desktop platforms.

This is closed because we are not aware of a policy we could enable by default on linux that we think would have acceptable breakage-risk, and because the parts we do have a path forward on (linux and MacOS) are implemented and shipped.

We're still considering options on linux, even if we're not sure there is a way forward there. Once we have an idea we think we can enable by default though, we'll create a follow up ticket and continue there

[babafc]

Well ig that makes Brave useless on Linux since fonts are an incredibly high entropy vector, especially with developers installing custom fonts even worse the rendering behaviour.

[pachainti]

Any update on this? This is the main reason Firefox is better for privacy than Brave. Well this and container tabs.

I agree. Brave provides many protections against particular types of fingerprinting, while this simple possibility of attack is still unresolved.

[aocorporation]

Any update on this? This is the main reason Firefox is better for privacy than Brave. Well this and container tabs.

I agree. Brave provides many protections against particular types of fingerprinting, while this simple possibility of attack is still unresolved.

I find that this argument is pretty weak. Brave has a lot that Firefox does not offer still. For clarification, I would like this issue to be prioritized in fixed. But still.

[pes10k]

Addressed here: #11770 (comment)