[tbb-bugs] #22787 [Applications/Tor Browser]: Fontconfig warning: remove 'blank' configuration

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 10 21:14:16 UTC 2017


#22787: Fontconfig warning: remove 'blank' configuration
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Minor                     |     Resolution:
 Keywords:  tbb-fingerprinting        |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by dcf):

 * keywords:   => tbb-fingerprinting


Comment:

 Here is the upstream commit (2015-06-17):
 https://cgit.freedesktop.org/fontconfig/commit/?id=46b2c62faa64250eec3981ee816e91a9a3dee857

 But before that (2015-02-17), they had removed `<blank></blank>` from the
 default fonts.conf and made the blanks be hardcoded in the library:
 https://cgit.freedesktop.org/fontconfig/commit/?id=d6a5cc665a1d7e91332944353e92c83ad114368c
   https://bugs.freedesktop.org/show_bug.cgi?id=79956

 I am sure that when I set up fonts.conf for Tor Browser initially, I
 cargo-culted most of the config from somewhere, including the `<blank>`
 section. I don't really know what it does.

 [https://cgit.freedesktop.org/fontconfig/tree/fonts.dtd?id=d6a5cc665a1d7e91332944353e92c83ad114368c#n59
 According to fonts.dtd], the `<blank>` section is optional, so I would
 guess that we can remove it without causing crashes on old versions of
 fontconfig.

 But we may have to deal with this as a new fingerprinting vector (whether
 we remove the `<blank>` or not). If we are using the system fontconfig,
 and the system fontconfig has a built-in set of blanks that varies across
 systems (it looks like they update it with new Unicode versions), and it's
 possible for a web page to detect the difference, then it could be used
 for fingerprinting.

 The set of built-in blanks isn't even under version control, because they
 have a makefile that fetches
 [http://unicode.org/cldr/utility/list-unicodeset.jsp?a=%5B%3AGC%3DZs%3A%5D%5B%3ADI%3A%5D&ucd=on&esc=on&g=&i= a list]
 from unicode.org at build time :( So it's likely to be whatever
 randomly happened to be there when someone built a release.

 To test, we could repurpose the fontfp code and replace the list of code
 points with the unicode.org list.
   !https://repo.eecs.berkeley.edu/git-anon/users/fifield/fontfp.git

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22787#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
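
Added example, not part of the ticket or of Tor Browser's code: a Python sketch that lists the code points in a fonts.conf `<blank>` section, removes the section, and diffs two blank sets the way one would when comparing systems. The sample config, the second set and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed fonts.conf that still carries <blank>.
SAMPLE_FONTS_CONF = """<?xml version="1.0"?>
<fontconfig>
  <dir>fonts</dir>
  <config>
    <blank>
      <int>0x0020</int>
      <int>0x00A0</int>
      <range><int>0x2000</int><int>0x2003</int></range>
    </blank>
    <rescan><int>30</int></rescan>
  </config>
</fontconfig>
"""

def _codepoint(el):
    # int(..., 0) accepts both 0x-prefixed hex and plain decimal.
    return int(el.text.strip(), 0)

def blank_codepoints(conf_xml):
    """Set of code points listed in <config><blank> (<int> and <range>)."""
    points = set()
    for blank in ET.fromstring(conf_xml).iterfind("./config/blank"):
        for child in blank:
            if child.tag == "int":
                points.add(_codepoint(child))
            elif child.tag == "range":
                lo, hi = (_codepoint(i) for i in child.findall("int"))
                points.update(range(lo, hi + 1))
    return points

def strip_blank(conf_xml):
    """Return the config with every <blank> element removed."""
    root = ET.fromstring(conf_xml)
    for config in root.iterfind("./config"):
        for blank in config.findall("blank"):
            config.remove(blank)
    return ET.tostring(root, encoding="unicode")

def blank_diff(a, b):
    """Code points treated as blank on one system but not the other."""
    return sorted(a ^ b)

if __name__ == "__main__":
    ours = blank_codepoints(SAMPLE_FONTS_CONF)
    other = ours | {0x180E}  # constructed stand-in for another build's set
    print([hex(c) for c in blank_diff(ours, other)])
    print(strip_blank(SAMPLE_FONTS_CONF))
```

ElementTree does not write back the XML declaration, DOCTYPE or comments, so restore those when saving a real fonts.conf.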

