[tbb-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jun 4 01:09:32 UTC 2018

#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
 Reporter:  erchewin                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097                    |         Points:
 Reviewer:                            |        Sponsor:

Comment (by vegansalad):

 Dingbats / Wingdigs / Unicode / Emojis

 Whatever you'd like to call them, many of them are broken in Tor Browser
 and have been for a very long time. I understand that font fingerprinting
 needs to be addressed in a robust way because it protects against font
 enumeration attacks. However, there doesn't seem to be much work being
 done to fix the bugs that this security mitigation technique has

 This seems to affect Linux users of TBB the most, but joel2017 says that
 it is still causing problems for windows users.

 As was stated over two years ago, this issue seems to cause issues **on
 the tor project trac itself**! Right now as I'm on this page, the "reply
 to comment" icon to the right of every comment is blank due to this bug
 (that is, if I'm understanding the bug correctly).

 A proposal has been made to improve the list of TBB font whitelist /
 bundled fonts by soliciting user feedback. I agree that it would be a
 useful project to go through each of the fonts on each platform and see if
 there are better fonts that could be used instead.
 https://trac.torproject.org/projects/tor/ticket/20842 I've posted some
 comments over there as well about how we could potentially move this
 proposal into a reality.

 In the mean time, assuming such a large project would take up a lot of
 time and resources, my quick suggestion to hopefully fix this specific
 ticket is to add fonts-noto-color-emoji to the list of Google Noto fonts
 shipped with the GNU+Linux version of TBB. This is an official Debian
 package now: https://packages.debian.org/buster/fonts-noto-color-emoji and
 the binary is available https://github.com/googlei18n/noto-emoji/releases
 If it would be preferable to get this in stretch-backports as well, please
 let me know and I'll do my best to pursue this.

 Also, it seems as though Debian is just using the binary from the noto-
 emoji Github Releases page instead of building it from source:

 It'd be preferable, I assume, to build the font from source.

 Apparently nototools and fonttools are needed to build this font from
 source. https://github.com/googlei18n/noto-emoji/#building-notocoloremoji

 It should be noted that fonttools, which is required to build the font
 from source, has been switched over to the MIT license roughly six months
 ago, so this font should now be able to be built from source with all free
 software build tools:

 Nototools also seems to have a free license

 Are there any blockers to adding fonts-noto-color-emoji to the list of
 fonts in #ifdef XP_LINUX that I'm not aware of?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18364#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list