[tor-talk] noscript on youtube
cube at browserprint.info
cube at browserprint.info
Sun Jul 31 03:07:22 UTC 2016
> When trying to login to Youtube from TBB, NoScript blocks a bunch of
> stuff seemingly related to fonts (see screenshot at
> https://postimg.org/image/c0sfrf2kh/41fa1875/ ), and i cannot proceed
> (the Sign In button doesnt work. Otherwise Youtube works fine with
> HTML5 videos.
> The website's font ought not matter when trying to login. Is there a
> TBB exploit related to fonts and javascript that would deanonymize
> users? Why else would Google require a browser to get code from
> fonts.gstatic.com?
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> %
>
>
The CSS @font-face rule that is being blocked by NoScript can be used to fingerprint you, specifically can be used to detect what fonts you have installed.
How this works is that you define a set of fonts and tell the client ``if you need to use these fonts but don't have them you can download them from me''. The client then requests the fonts it doesn't have. From this the server knows what fonts the client doesn't have and by process of elimination what fonts it does have.
This can be done with zero JavaScript and only CSS.
You can see this test in action on http://browserprint.info/
More information about the tor-talk
mailing list