[tor-bugs] #18169 [Tor Browser]: Tor Browser 5.5 misses whitelisted zh-CN UI font

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 31 01:08:39 UTC 2016


#18169: Tor Browser 5.5 misses whitelisted zh-CN UI font
---------------------------------------------------------------------------
      Reporter:  gk
         Owner:  arthuredelstein
          Type:  defect
        Status:  needs_review
      Priority:  Very High
     Milestone:
     Component:  Tor Browser
       Version:
      Severity:  Critical
    Resolution:
      Keywords:  tbb-fingerprinting-fonts tbb-usability, TorBrowserTeam201601R
     Parent ID:  #18097
 Actual Points:
       Sponsor:
        Points:
---------------------------------------------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:8 yawning]:
 > Replying to [comment:7 jason]:
 > > Microsoft YaHei is 微软雅黑. In the same way, Microsoft YaHei UI
 > > should be 微软雅黑 UI, but I can't find the Chinese name in my system. The
 > > difference between the two is that (at least) numeric characters and
 > > punctuation marks are rendered in different styles. It won't break the
 > > whole TB UI like yawning mentioned.
 >
 > The breaking the whole UI thing is because Firefox queries the OS for
 > what the default font is used to render the UI.  If the *exact* font is
 > not available, Firefox doesn't do the right thing, and the UI is rendered
 > using god knows what, breaking everything.
 >
 > Firefox does not know that "YaHei" is "YaHei UI", with minor changes,
 > all Firefox knows is the OS says to use "YaHei UI", and "YaHei UI" isn't
 > available.
 >
 > > Some users say fonts in new version are ugly. If that's a reasonable
 > > request, I suggest 微软雅黑 Light and Microsoft YaHei UI Light should be
 > > whitelisted.
 >
 > Expanding the whitelist more than necessary increases fingerprinting
 > risk.  YaHei and JhengHei are Vista+ and thus are not available on all
 > platforms.
 >
 > As a side note, all this messing around with the whitelist still feels
 > like a poor solution to something that is ideally addressed by decoupling
 > the font fingerprint defenses from the UI rendering.

 Agreed. I think the most feasible way to do this decoupling will be when
 electrolysis is activated, so that we can (hopefully) apply a whitelist
 only to content. Unfortunately I don't see an easy way to do this before
 then.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18169#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

