font.system.whitelist #286
Comments
You can see the TORBrowser font whitelist here: |
Tested @ https://panopticlick.eff.org/results?#fingerprintTable Doesn't look that good TBH. bits of identifying information | one in x browsers have this value | value [using Tor's font.system.whitelist for Windows] [INCLUDING "EmojiOne Mozilla" - using Tor's font.system.whitelist for Windows] [browser.display.use_document_fonts=0] So not a good idea after all? Maybe the perfect solution would be a WebExtension that can spoof browser.display.use_document_fonts=0 while still rendering with the fonts you have installed. ps: "EmojiOne Mozilla" is not the same as the regular Emoji font, it's pretty ugly TBH 😂 |
I see the same, even though both about:config prefs are exactly the same panopticlick for TB says "5.84 | 57.4" while for my normal browser I get what you get above. Strange. |
Sounds like something that would be really difficult to "get right". When I initially set (48db468) Apparently we also need more information regarding this, as Panopticlick demonstrates. |
The result with [browser.display.use_document_fonts=0] is bugged IMHO A minimal result, like the one I get here, should have something as: Fonts installed monospace, serif, That's the font families I have set as default in browsers GUI preferences. Test uses: Site credits: |
Ummm, I doubt it. That's a bug in the panopticlick code IMO. I don't even have those on my system and it reports them. The panopticlick entropy is also WAY low (currently 1 in 13.1 browsers) - so it's reporting the same result for tens of thousands (21K+) - that will be tons of windows users with use_document_fonts=0 , so it's consistent, if flawed. Other font tests don't reveal them. I'm not concerned about it. Maybe they sneak thru as glyphs .. except I do NOT have them. I would think that the zilla engineers got it right. |
Indeed, I have been on .use_document_fonts=0 for at least 18 months. You don't notice the diff at all IMO. A very very few sites may render some menus to overlap, but certainly not content |
Privacy:
Security:
|
I've been posting some stuff related to this issue in the Tor Browser tracker. Thought you guys might be interested in seeing them: https://trac.torproject.org/projects/tor/ticket/20842#comment:11 Do you guys coordinate in that tracker? Do you have a proposal as to how you guys could coordinate with the TBB people to address this font issue in a comprehensive way? |
Emojis come from chat applications. Why should a browser, moreover TBB, include such fonts as Google Noto? By using anything from Google/Alphabet a project like TBB will lose its grip on privacy. I have a hardened setup and the emojis on Github aren't visible to me: that's a minor issue for the usage of Github. Related issue: #120 |
This I don't understand at all. If Google makes a nice font (and Noto is pretty good), is it a privacy violation to use it? The font doesn't phone home, after all. |
I don't care about emojis, which are fairly new, not working in the browser as much as the fact that a lot of very basic unicode that has been in use for decades on the web isn't rendering. I think fonts-noto-color-emoji supports all this old unicode. This is an official Debian package now for fonts-noto-color-emoji: https://packages.debian.org/buster/fonts-noto-color-emoji and the binary is available https://github.com/googlei18n/noto-emoji/releases It seems as though Debian is just using the binary from the noto-emoji Github Releases page instead of building it from source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848198#64 It'd be preferable, I assume, to build the font from source. Apparently nototools and fonttools are needed to build this font from source. https://github.com/googlei18n/noto-emoji/#building-notocoloremoji It should be noted that fonttools, which is required to build the font from source, has been switched over to the MIT license roughly six months ago, so this font should now be able to be built from source with all free software build tools: fonttools/fonttools@b990a01 Nototools also seems to have a free license https://github.com/googlei18n/nototools/blob/master/LICENSE Because we have the source for this font and we have free software build tools, I assume that the font can easily be audited for security and privacy issues. A lot of Noto fonts are used by the GNU+Linux version of Tor Browser already: https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.8.0esr-7.5-1#n389 |
Thanks!
I guess the short answer is no. I mostly only try to add relevant cross-references to TBB's trac just to have the relevant information available. (Also, see #316.) Personally, I'm mostly happy with |
@savyajha I personally prefer local fonts, as the sites that use Google Web Fonts are feeding data back to Google. Every single Google API contributes to an intrusive mass-tracking: Google Analytics, Google Ads and Web Fonts (like Gmail service and the search engine) are bound to the same policy. The more Google products you use/connect to, the more pervasive becomes Google tracking/fingerprinting: I have opted out from most of these products, and suggest anyone to do so, before the Google services become an absolute standard, something that's always needed to browse or search info online. |
@Atavic Ah, I misunderstood your statement: I thought you were against a local installation of Noto Sans. I myself follow what you're preaching. The only Google service I can't seem to break away from is YouTube, and Google Scholar at times. |
I stumble on Google Books sometimes and find it difficult to view/link the appropriate page of the book I'm interested in. |
I did some testing with this a while ago and here's some results:
I think this is still something that we are not implementing right now, so I'm closing this. |
Should we be using this setting instead of browser.display.use_document_fonts? This looks bad on some websites, reducing readability. I couldn't find the font list that Tor ships but would the best approach be to define a default set of fonts for each OS? To simulate a clean install since most people don't install fonts.