[tor-bugs] #9451 [Tor bundles/installation]: @font-face CSS attribute readable

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 11 18:36:40 UTC 2013


#9451: @font-face CSS attribute readable
--------------------------------------+-------------------------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new  
 Priority:  critical                  |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 I've checked the TorBrowserBundle with JavaScript turned off via the
 testing tool on ip-check.info.

 Turning JavaScript off seems to result in @font-face CSS attribute being
 readable. That might harm users' anonymity. What do you think?

 Here's what the JonDonym developers tell us about it:


 "The number and type of fonts installed on your system may, under certain
 circumstances, strongly contribute to your de-anonymization. Caution: Your
 fonts might even be read without JavaScript! This is possible, as a
 website may force loading web fonts if the respective font is not
 installed on your local computer. If the site forbids font caching, the
 fonts will be reloaded on any access.

 If you ONLY see STRANGE, UNREADABLE SYMBOLS in this rating, your installed
 fonts are indirectly readable by this website.

 In this case, the page may try to load hundreds of different font names
 using the "@font-face" attribute. If the respective font is installed on
 your system, the website notices that it is not loaded from the server.
 Hint: If it can read them, the fonts on your system enable a website to
 unambiguously recognize you in many cases.


 Recommended: Prevent that your browser reloads fonts using the @font-face
 CSS attribute."

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9451>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
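
An added example, not part of the ticket or of any Tor or JonDonym code: a heuristic audit that lists which installed-font names a stylesheet can test for with the technique quoted above. It relies on the CSS rule that a url(...) fallback listed after local(...) in src is fetched only when the local font is missing. The function names, the threshold of 3 and the sample stylesheets are assumptions made for illustration.

```python
import re

# Matches each @font-face block body (no nested braces occur inside one).
FONT_FACE = re.compile(r"@font-face\s*\{([^}]*)\}", re.IGNORECASE)
SRC = re.compile(r"src\s*:\s*([^;]*)", re.IGNORECASE)
LOCAL = re.compile(r"local\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.IGNORECASE)
URL = re.compile(r"url\(", re.IGNORECASE)


def probed_fonts(css):
    """Return installed-font names a stylesheet can test for via @font-face.

    A rule counts as a probe when its src lists local(<name>) before a
    url(...) fallback: the fallback is requested only if the local font is
    missing, so the server learns the answer from its own access log.
    """
    names = set()
    for body in FONT_FACE.findall(css):
        for src in SRC.findall(body):
            local = LOCAL.search(src)
            url = URL.search(src)
            if local and url and local.start() < url.start():
                names.add(local.group(1).strip())
    return names


def looks_like_font_probing(css, threshold=3):
    """Flag stylesheets that probe at least `threshold` distinct local fonts."""
    return len(probed_fonts(css)) >= threshold


# Constructed sample stylesheets (example.invalid is a placeholder host).
PROBING_CSS = """
@font-face { font-family: p1; src: local("Arial"), url(https://example.invalid/f?n=1); }
@font-face { font-family: p2; src: local('Calibri'), url(https://example.invalid/f?n=2); }
@font-face { font-family: p3; src: local(Ubuntu), url(https://example.invalid/f?n=3); }
"""
ORDINARY_CSS = """
@font-face { font-family: Site; src: url(/fonts/site.woff) format("woff"); }
body { font-family: Site, sans-serif; }
"""

if __name__ == "__main__":
    for label, css in (("probing", PROBING_CSS), ("ordinary", ORDINARY_CSS)):
        print(label, sorted(probed_fonts(css)), looks_like_font_probing(css))
```

A single local()-then-url() rule is common on ordinary sites, which is why the check counts distinct names instead of flagging every match.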

