[tor-bugs] #18169 [Tor Browser]: Tor Browser 5.5 misses whitelisted zh-CN UI font

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 30 22:59:02 UTC 2016 

#18169: Tor Browser 5.5 misses whitelisted zh-CN UI font
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
     Type:  defect                               |  arthuredelstein
 Priority:  Very High                            |         Status:
Component:  Tor Browser                          |  needs_review
 Severity:  Critical                             |      Milestone:
 Keywords:  tbb-fingerprinting-fonts tbb-        |        Version:
  usability, TorBrowserTeam201601R               |     Resolution:
Parent ID:  #18097                               |  Actual Points:
  Sponsor:                                       |         Points:
-------------------------------------------------+-------------------------

Comment (by yawning):

 Replying to [comment:7 jason]:
 > Microsoft YaHei is 微软雅黑. In the same way, Microsoft YaHei UI should
 be 微软雅黑 UI, but I can't find the Chinese name in my system.The
 differences between the two is that (at least) numberic characters and
 punctuation marks are rendered in different styles.It won't break whole TB
 UI like yawning mentioned.

 The breaking the whole UI thing is because Firefox queries the OS for what
 the default font is used to render the UI.  If the *exact* font is not
 available, Firefox doesn't do the right thing, and the UI is rendered
 using god knows what, breaking everything.

 Firefox does not know that "YaHei" is "YaHei UI", with minor changes, all
 Firefox knows is the OS says to use "YaHei UI", and "YaHei UI" isn't
 available.

 > Some users say fonts in new version are ugly. If that's a reasonable
 request, I suggest 微软雅黑 Light and Microsoft YaHei UI Light should be
 whitelisted.

 Expanding the whitelist more than necessary increases fingerprinting risk.
 YaHei and JhengHei are Vista+ and thus are not available on all platforms.

 As a side note, all this messing around with the whitelist still feels
 like a poor solution to something that is ideally addressed by decoupling
 the font fingerprint defenses from the UI rendering.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18169#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list