[tor-talk] TBB font size concern for many users

Fri Jan 31 15:32:32 UTC 2014

Maybe someone has further ideas, comments:

 >Re: What effect does using Ctrl + Scroll have on web sites' ability to 
 >detect apparent screen size?
 >Can sites determine the (selected) browser font name & size & thus, 
 >changes from default setting?
 >For fingerprinting?

Using http://browserspy.dk/ - without Flash or Java enabled, they 
apparently can't see any font list or size selected, in
TBB or Fx.
Nor do they indicate an ability (at all) to detect the font styles / 
sizes selected in either browser's options.
Am I correct, that sites can't detect changes from default _TBB settings 
for font NAME, size & "minimum font size_", found under Options > Content?

browserspy.dk DOES reflect a change in *screen width & height* 
("Resolution") *when screen is enlarged (zoomed) using Ctrl + mouse scroll.*
That may / may not be very useful for fingerprinting?

For me, their reported screen width & height is incorrect - both @ 100% 
zoom AND w/ zoom increased.
That could be because the detected DPI is *also incorrect.*  They show: 
"DPI detected via JavaScript = 96x96, when it's actually 110 DPI.

Is it known that sites CAN detect selected TBB *browser* font names & 
sizes?  And perhaps other browser test sites would show that.
If not, it appears that changing font name & size under Options > 
Content to increase small text, provides LESS browser characteristics 
than using Ctrl + mouse scroll to zoom screen size.

On 1/29/2014 10:31 AM, Joe Btfsplk wrote:
> People having excellent sight naturally don't think about reading small
> print books or web pages.
> But a lot of the general population has a problem with this.
>
> Because of possible browser fingerprinting issues & / or anonymity
> leaks, TBB users are discouraged from
> - changing default settings in TBB (like font name or the Default Font
> size / minimum size).
> - using addons / extensions - (here, to enlarge fonts) that might
> compromise anonymity.
>
> Points taken.  Where does that leave users NEEDING larger than default
> / minimum  font size?
> My guess - people w/ these problems just change fonts / sizes by various
> means, unaware of implications, or just no other choice.
>
> For instance, using default font settings - TBB 3.5 - English, Windows -
> apparent font size on
> https://www.torproject.org/docs/faq.html.en#WhatIsTor is approx.
> equivalent to 9 pt (I think).
> Even w/ Windows DPI increased to 110 vs. default 96.  For many, the
> equivalent of 9 pt is pretty small - even for a book.
> Some pages use *very* small or hard to read font, if users keep the
> default TBB setting, "allow pages to use their own fonts...."
>
> For some, the default font STYLE - Times New Roman - (in TBB - English),
> may be less readable than others.
>
> Fonts other than Times New Roman are often recommended for better
> general readability & for sight or other "reading problems."
> Other reading problems exist besides eyesight / small font; I don't have
> them, but they exist.
>
> This general issue is problematic for many non-Tor users & overcoming it
> is a *technical* issue; in TBB, it involves anonymity - even security /
> freedom (get caught using Tor in the wrong place, for instance).
>
> What are the *recommended* options for users w/ these issues, that won't
> increase browser uniqueness or possibly compromise anonymity?
>
> For web sites (or others) looking at font style / sizes in TBB, what
> effect does using the keyboard & mouse to increase font size (e.g., Ctrl
> + scroll)  have on fingerprinting?
> Using THAT or similar method, can they still see the font size is
> different than default?
>
> Just a question - I don't have a perfect answer:  what if default font
> size was increased (some) - or *possibly* other changes - would it put
> hardship on normally sighted users?  Would it cause them equivalent
> problems that small or harder to read font causes users w/ sight or
> reading problems?
>
> If changing default font or size, by ANY known method may still cause
> concern, then developing an extension that plays nice w/ TBB isn't the
> answer.
> Thanks.