[tor-bugs] #18169 [Tor Browser]: Tor Browser 5.5 misses whitelisted zh-CN UI font
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jan 31 01:08:39 UTC 2016
#18169: Tor Browser 5.5 misses whitelisted zh-CN UI font
-------------------------------------------------+-------------------------
Reporter: gk | Owner:
Type: defect | arthuredelstein
Priority: Very High | Status:
Component: Tor Browser | needs_review
Severity: Critical | Milestone:
Keywords: tbb-fingerprinting-fonts tbb- | Version:
usability, TorBrowserTeam201601R | Resolution:
Parent ID: #18097 | Actual Points:
Sponsor: | Points:
-------------------------------------------------+-------------------------
Comment (by arthuredelstein):
Replying to [comment:8 yawning]:
> Replying to [comment:7 jason]:
> > Microsoft YaHei is 微软雅黑. In the same way, Microsoft YaHei UI
should be 微软雅黑 UI, but I can't find the Chinese name in my system.The
differences between the two is that (at least) numberic characters and
punctuation marks are rendered in different styles.It won't break whole TB
UI like yawning mentioned.
>
> The breaking the whole UI thing is because Firefox queries the OS for
what the default font is used to render the UI. If the *exact* font is
not available, Firefox doesn't do the right thing, and the UI is rendered
using god knows what, breaking everything.
>
> Firefox does not know that "YaHei" is "YaHei UI", with minor changes,
all Firefox knows is the OS says to use "YaHei UI", and "YaHei UI" isn't
available.
>
> > Some users say fonts in new version are ugly. If that's a reasonable
request, I suggest 微软雅黑 Light and Microsoft YaHei UI Light should be
whitelisted.
>
> Expanding the whitelist more than necessary increases fingerprinting
risk. YaHei and JhengHei are Vista+ and thus are not available on all
platforms.
>
> As a side note, all this messing around with the whitelist still feels
like a poor solution to something that is ideally addressed by decoupling
the font fingerprint defenses from the UI rendering.
Agreed. I think the most feasible way to do this decoupling will be when
electrolysis is activated, so that we can (hopefully) apply a whitelist
only to content. Unfortunately I don't see an easy way to do this before
then.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18169#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list