Closed Bug 1781172 Opened 2 years ago Closed 2 years ago

report real world system font set when enable privacy.resistFingerprinting

Categories

(Core :: Layout: Text and Fonts, defect)

Firefox 104
defect


RESOLVED INVALID

People

(Reporter: rainman59118, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Steps to reproduce:

  1. set privacy.resistFingerprinting to true in about:config
  2. go to https://coveryourtracks.eff.org
  3. check report of "System Fonts" section

Actual results:

Arial, Bitstream Vera Sans Mono, Courier, Courier New, Georgia, LUCIDA GRANDE, Lucida Sans, Lucida Sans Unicode, Segoe UI, Tahoma, Times, Times New Roman, Verdana (via javascript)

as set in gfx/thebes/StandardFonts-<system>.inc

Expected results:

Check the fonts reported as in a standard Windows installation, which cohere with the reported UA string (which IMO should also be changed to the real-world value), instead of making both values up by full illusion.

I'm afraid I don't fully understand your report. Are you saying it's reporting the incorrect fonts when it should be reporting from one of the StandardFonts-foo.inc files? Or it shouldn't be using that file? Or it's using the wrong one? Or something else...?

The Bugbug bot thinks this bug should belong to the 'Core::Layout: Text and Fonts' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Layout: Text and Fonts
Product: Firefox → Core

Sorry for not being clear; the following is the report of the same site for a regular Microsoft Edge on Windows 11, English version:

Arial, Arial Black, Arial Narrow, Calibri, Cambria, Cambria Math, Comic Sans MS, Consolas, Courier, Courier New, Georgia, Helvetica, Impact, Lucida Console, Lucida Sans Unicode, Microsoft Sans Serif, MS Gothic, MS PGothic, MS Sans Serif, MS Serif, Palatino Linotype, Segoe Print, Segoe Script, Segoe UI, Segoe UI Light, Segoe UI Semibold, Segoe UI Symbol, Tahoma, Times, Times New Roman, Trebuchet MS, Verdana, Wingdings 

which is less unique than firefox with resistfingerprinting enabled.

Hm, so, the reported system fonts under resistFingerprinting aren't parsed from the file gfx/thebes/StandardFonts-<system>.inc...

Maybe another reason why I'm not clear is that I can't find the list shown when resistFingerprinting is enabled, assuming it is listed somewhere in the source code and is spoofed out to sites instead of looking into the OS's?

This will require some investigation for me to remember/understand what we're doing here, and if it's intentional.

Another finding is that, even without resistFingerprinting, aka privacy.resistFingerprinting=false, the reported System Fonts are the same, instead of the real installed fonts on my system.

The OS (limited to four results) reported is correct in UA navigator properties. It is only restricted to two results (windows/android) in the HTTP header. We can ignore this, as it is by design for Tor Browser.

We do not spoof fonts per OS - it is impossible (at least 20+ methods to measure changes). Instead we limit what is available to web content that the OS actually has (windows/mac/some-linux). There will be some entropy here: e.g. windows 7 vs windows 10/11 - and even within versions e.g. Arial Narrow is an optional windows system font : see Bug 1670199

The kBaseFonts (level 1) are pretty tight, missing support for many scripts with optional language fonts not added until level 2

> which is less unique than firefox with resistfingerprinting enabled

Do not rely on sites that give you entropy figures, they are tainted and not real world.


AFAICT this is working as intended. On windows, you only provided an Edge result, and those are indeed expected windows fonts. On your mac FF those are expected mac fonts (see https://support.apple.com/en-us/HT206872 ) and they are all listed in kBaseFonts for mac, except Bitstream Vera Sans Mono, Lucida Sans Unicode, Segoe UI - which I'm 99% sure are false positives (font size collisions)

For a fuller, more robust test, try https://arkenfox.github.io/TZP/tests/fontlists.html

make sure layout.css.font-visibility.resistFingerprinting = 1 (default) for testing RFP

To test any individual font, try https://arkenfox.github.io/TZP/tests/fontdebug.html - e.g. on mac FF, set RFP on, type in Segoe UI and see if the font actually changes, and what collisions/matches it has

(In reply to Simon Mainey from comment #6)

> The OS (limited to four results) reported is correct in UA navigator properties. It is only restricted to two results (windows/android) in the HTTP header. We can ignore this, as it is by design for Tor Browser.
>
> We do not spoof fonts per OS - it is impossible (at least 20+ methods to measure changes). Instead we limit what is available to web content that the OS actually has (windows/mac/some-linux). There will be some entropy here: e.g. windows 7 vs windows 10/11 - and even within versions e.g. Arial Narrow is an optional windows system font : see Bug 1670199
>
> The kBaseFonts (level 1) are pretty tight, missing support for many scripts with optional language fonts not added until level 2
>
> > which is less unique than firefox with resistfingerprinting enabled
>
> Do not rely on sites that give you entropy figures, they are tainted and not real world.
>
> AFAICT this is working as intended. On windows, you only provided an Edge result, and those are indeed expected windows fonts. On your mac FF those are expected mac fonts (see https://support.apple.com/en-us/HT206872 ) and they are all listed in kBaseFonts for mac, except Bitstream Vera Sans Mono, Lucida Sans Unicode, Segoe UI - which I'm 99% sure are false positives (font size collisions)
>
> For a fuller, more robust test, try https://arkenfox.github.io/TZP/tests/fontlists.html
>
> make sure layout.css.font-visibility.resistFingerprinting = 1 (default) for testing RFP
>
> To test any individual font, try https://arkenfox.github.io/TZP/tests/fontdebug.html - e.g. on mac FF, set RFP on, type in Segoe UI and see if the font actually changes, and what collisions/matches it has

Based on your comment, can I close the issue as Invalid/Worksforme?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(simon.mainey)

Well, first I am interested in your mac :)

  • do you actually have Bitstream Vera Sans Mono, Lucida Sans Unicode, Segoe UI in your mac fonts?
  • what do you get in the fontdebug test for each of them
    • with RFP (font vis must be level 1)
    • without RFP

I can always ask Fabrizio to test on his Mac

Otherwise it's a little hard to understand what you think the problem is. We have tested Tor Browser whitelisting and the font vis settings quite extensively (especially windows and mac) and found them to be working as expected (aside from a couple of quirks, such as Franklin Gothic on windows)

I can't really speak for the coveryourtracks font test. 99% sure it's not as accurate as TZP: in my experience in the past I have found it to throw more than a few false positives such as Webdings and Wingdings and Arial MS Unicode to name a few: and these were size collisions: Webdings and Wingdings until recently collided with Tahoma (which is what the system font MS Shell Dlg \32 maps to), and Arial MS Unicode is the same size as Arial.

Anyway, it should be impossible for those three fonts to actually be used in web content with RFP (level 1), and I want to double check they are false positives. If you don't want to do it, or can't, then I have pinged Fabrizio - and then we can probably close

Flags: needinfo?(simon.mainey) → needinfo?(ti8bpxk2y)

Just, for the record, my real useragent is "Mozilla/5.0 (X11; Linux x86_64; rv:105.0a1) Gecko/20100101 Firefox/105.0a1" (was 104.0a1, closely built from the nightly tree in mozilla-central repo)

And the installed fonts:

pacman -Qs font| grep 'local/'
local/adobe-source-han-mono-otc-fonts 1.002-8
local/adobe-source-han-sans-otc-fonts 2.004-1
local/adobe-source-han-serif-otc-fonts 2.001-1
local/noto-fonts 20220607-1
local/noto-fonts-emoji 20211101-1
local/noto-fonts-extra 20220607-1
local/otf-cascadia-code 2111.01-1
local/otf-crimson 0.800-1
local/otf-latinmodern-math 1.959-4
local/ttf-digital-7 1.1-1
local/ttf-hanazono 20170904-4
local/ttf-ia-writer 20181225-1
local/ttf-ibm-plex 6.0.2-1
local/ttf-jf-openhuninn 1.1-1
local/ttf-twcns-fonts 20220615-1
...(other libs and irrelevant ones)

the test of [full] from https://arkenfox.github.io/TZP/tests/fontlists.html with RFP=false

ALL FOUND FONTS [66] eff2669d

Arial, Arimo, Courier, Courier New, Cousine, DejaVu Sans Mono, Georgia, Liberation Mono, Liberation Sans, Liberation Serif, Noto Color Emoji, Noto Emoji, Noto Mono, Noto Naskh Arabic, Noto Sans, Noto Sans Armenian, Noto Sans Balinese, Noto Sans Bengali, Noto Sans Buginese, Noto Sans Canadian Aboriginal, Noto Sans Cherokee, Noto Sans Devanagari, Noto Sans Ethiopic, Noto Sans Georgian, Noto Sans Gujarati, Noto Sans Gurmukhi, Noto Sans Hebrew, Noto Sans Kannada, Noto Sans Khmer, Noto Sans Lao, Noto Sans Malayalam, Noto Sans Mongolian, Noto Sans Myanmar, Noto Sans Oriya, Noto Sans Sinhala, Noto Sans Tamil, Noto Sans Telugu, Noto Sans Thaana, Noto Sans Thai, Noto Sans Yi, Noto Serif, Noto Serif Armenian, Noto Serif Balinese, Noto Serif Bengali, Noto Serif Devanagari, Noto Serif Ethiopic, Noto Serif Georgian, Noto Serif Gujarati, Noto Serif Gurmukhi, Noto Serif Hebrew, Noto Serif Kannada, Noto Serif Khmer, Noto Serif Lao, Noto Serif Malayalam, Noto Serif Myanmar, Noto Serif Sinhala, Noto Serif Tamil, Noto Serif Telugu, Noto Serif Thai, Noto Serif Tibetan, Source Code Pro, Tinos, Ubuntu, Ubuntu Condensed, Ubuntu Mono, Verdana

with RFP=true

Arial, Arimo, Courier, Courier New, Cousine, DejaVu Sans Mono, Georgia, Liberation Mono, Liberation Sans, Liberation Serif, Noto Color Emoji, Noto Emoji, Noto Mono, Noto Naskh Arabic, Noto Sans, Noto Sans Armenian, Noto Sans Balinese, Noto Sans Bengali, Noto Sans Buginese, Noto Sans Canadian Aboriginal, Noto Sans Cherokee, Noto Sans Devanagari, Noto Sans Ethiopic, Noto Sans Georgian, Noto Sans Gujarati, Noto Sans Gurmukhi, Noto Sans Hebrew, Noto Sans Kannada, Noto Sans Khmer, Noto Sans Lao, Noto Sans Malayalam, Noto Sans Mongolian, Noto Sans Myanmar, Noto Sans Oriya, Noto Sans Sinhala, Noto Sans Tamil, Noto Sans Telugu, Noto Sans Thaana, Noto Sans Thai, Noto Sans Yi, Noto Serif, Noto Serif Armenian, Noto Serif Balinese, Noto Serif Bengali, Noto Serif Devanagari, Noto Serif Ethiopic, Noto Serif Georgian, Noto Serif Gujarati, Noto Serif Gurmukhi, Noto Serif Hebrew, Noto Serif Kannada, Noto Serif Khmer, Noto Serif Lao, Noto Serif Malayalam, Noto Serif Myanmar, Noto Serif Sinhala, Noto Serif Tamil, Noto Serif Telugu, Noto Serif Thai, Noto Serif Tibetan, Source Code Pro, Tinos, Ubuntu, Ubuntu Condensed, Ubuntu Mono, Verdana

Which, at a glance, are identical.

I don't have liberation, ubuntu, MS Core fonts, or the ChromeOS font sets installed as shown above.

None of these three fonts is in my mac Font Book, nor can I install them from there.
Nightly 105: I tried to get a match for them on https://arkenfox.github.io/TZP/tests/fontdebug.html but it didn't turn green; they also do not show up in the full test at https://arkenfox.github.io/TZP/tests/fontlists.html.

I should also mention that my CYT results look different from rainman. I now notice in https://bugzilla.mozilla.org/show_bug.cgi?id=1781172#c9 the UA reports a Linux system and the commands list pacman, but the original report is about macOS.

Flags: needinfo?(ti8bpxk2y)

> Just, for the record, my real useragent is "Mozilla/5.0 (X11; Linux x86_64; rv:105.0a1) Gecko/20100101 Firefox/105.0a1"

OK. I do not understand what your issue is. You indicated in comment 0 you were on a mac with your user agent. RFP does not report linux as mac. And in comment 3 you reported a windows result.

kBaseFonts for linux is gated

If font vis applies to you, then you should only get fonts detected that are in the correct linux list: either kBaseFonts_Ubuntu_20_04 or kBaseFonts_Fedora_32

Your two test results are identical - both 66 fonts. You need to run the FULL test, or maybe just use https://arkenfox.github.io/TZP/tests/fontcheck.html and preselect Linux - run RFP-on, run RFP-off. I haven't done much Linux font testing due to lack of time and VMs, but I highly doubt out of 467 fonts you would have the same for both (unless RFP font vis does not apply due to being gated)
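As an added example (not code from this bug, from Firefox, or from the TZP tests), the check described in the comment above can be scripted: with RFP on and font visibility applying, every font that web content can still detect should be inside the per-OS base list, and an RFP-on list identical to the RFP-off list is the symptom of the protection being gated off. The allowlist and both font lists below are constructed for illustration; the real kBaseFonts contents in gfx/thebes are not reproduced here.

```python
"""Audit a font-detection result against a base allowlist (added example)."""

# Constructed stand-in for a per-OS base allowlist. These are NOT the real
# kBaseFonts_* contents from Firefox; they only illustrate the check.
BASE_FONTS_LINUX_EXAMPLE = frozenset({
    "DejaVu Sans", "DejaVu Sans Mono", "DejaVu Serif",
    "Liberation Mono", "Liberation Sans", "Liberation Serif",
    "Noto Color Emoji", "Noto Sans", "Noto Serif", "Ubuntu", "Ubuntu Mono",
})

# Constructed sample output in the comma-separated form the test pages print.
SAMPLE_RFP_OFF = ("Arial, Cascadia Code, DejaVu Sans, IBM Plex Mono, "
                  "Liberation Sans, Noto Sans, Source Han Sans")
SAMPLE_RFP_ON = "DejaVu Sans, Liberation Sans, Noto Sans"


def parse_font_list(text):
    """Turn 'A, B, C' into a set of family names, ignoring blanks."""
    return {name.strip() for name in text.split(",") if name.strip()}


def audit(rfp_off, rfp_on, allowlist):
    """Compare an RFP-off and an RFP-on detection result.

    hidden: fonts detectable without RFP but not with it (what font visibility removed)
    leaked: fonts still detectable with RFP that are outside the base allowlist
    gated:  True when RFP changed nothing, i.e. font visibility did not apply
    """
    off, on = parse_font_list(rfp_off), parse_font_list(rfp_on)
    return {
        "hidden": sorted(off - on),
        "leaked": sorted(on - allowlist),
        "gated": off == on,
    }


if __name__ == "__main__":
    print("working:", audit(SAMPLE_RFP_OFF, SAMPLE_RFP_ON, BASE_FONTS_LINUX_EXAMPLE))
    print("gated:  ", audit(SAMPLE_RFP_OFF, SAMPLE_RFP_OFF, BASE_FONTS_LINUX_EXAMPLE))
```

Paste the two lists a test page printed into the two sample strings and swap in the allowlist for your platform; an empty `leaked` list with `gated` false is the expected outcome, while `gated` true reproduces the situation the reporter hit in comment 9.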

> OK. I do not understand what your issue is. You indicated in comment 0 you were on a mac with your user agent. RFP does not report linux as mac. And in comment 3 you reported a windows result.

My apologies for making it look so confusing due to my report of the UA...

I'm always on Arch Linux from comment 0.

Comment 3 is copied from MS Edge in my VM.

  1. I'm using a profile with general.useragent.override to spoof as on Mac, to bypass some silly sites' checks.

  2. I "thought" I've seen a whitelist somewhere in the source code tree that does the "force UA" things for sites of mozilla.

  3. I "thought" when I checked the "report my UA" button, it would report me as Linux Nightly.

  4. 2 & 3 make it seem like I'm reporting a Mac issue, which it is not. My really BIG sorry here...

  5. The issue: when RFP is enabled, my UA is reported as Firefox under Windows 10 (at version nightly instead of stable, which is explained as expected behaviour, though not the same line as a regular Firefox under Windows 10) even though it is always running under Linux; so I'm asking to report the fonts as if the browser is under Windows, to really resist fingerprinting, instead of a list that looks so unique. (Thus I posted a result of the font list under Edge, which I assume would be identical to the list a regular Firefox under Windows 10 gives, since I didn't have FF installed in my VM.)

  6. But then I discovered that, even without RFP, the reported font list is the same.

  7. As for fontlists.html, I noticed it reports "the firefox linux faces test is not configured yet", and only after I tested it with a Firefox under Windows did I realize that there is a check mark that compares to a preset.

me from comment 6

> The OS (limited to four results) reported is correct in UA navigator properties. It is only restricted to two results (windows/android) in the HTTP header. We can ignore this, as it is by design for Tor Browser.

There are some things we cannot hide, including OS (+ language + some others). We can only reduce sets of users into smaller fingerprint buckets. RFP does not care that it causes information paradoxes, because all users will be the same in each minimalist bucket. All Linux users with RFP will still be Linux in JS, but windows in the HTTP header. No entropy is added. This is mainly to make it harder for Tor Browser's passive fingerprinting when JS is disabled.

> so, I'm asking, to report the fonts as if the browser is under Windows, to really resist fingerprinting

See the comment above about reporting windows in the HTTP Header as not adding entropy. We are not trying to make ALL users look the same. And in fact we do report Linux in JS - we are not lying about the OS. For fonts we are trying to make each OS (as our ultimate ideal smallest bucket as far as all font metrics go) as similar as possible (we cannot hide the OS). We actually cannot lie about fonts, either you really have a font or you do not (for web content) - and it's not practical (or even licensable?) to ship or bundle another OS's fonts - for no gain.

> But then, I discover that, even without RFP, the reported font list is the same

Because RFP's font protection is limited/gated to some Linux distros, not all. It is also not applied to Android. It's a gap that needs addressing but is very difficult given there is not much common ground: unlike, say, Windows or Mac, which all come shipped with the same system font defaults and the same optional system language font packs (varies a little per OS release, but much more stable)

Feel free to close as INVALID
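To put numbers on the "smaller buckets, no entropy is added" argument in the comment above, here is an added example (not from this thread or from Firefox) that computes Shannon entropy over a constructed toy population. The population, the header model (all desktop OSes claim windows in the HTTP header while JS keeps the real OS) and the font-visibility model (every user of an OS collapses onto one base list for that OS) are assumptions for illustration only.

```python
"""Entropy of fingerprint buckets with and without RFP (added example)."""
from collections import Counter
from math import log2


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def conditional_entropy_bits(pairs):
    """H(Y | X) over (x, y) pairs: the bits Y still reveals once X is known."""
    n = len(pairs)
    by_x = {}
    for x, y in pairs:
        by_x.setdefault(x, []).append(y)
    return sum(len(ys) / n * entropy_bits(ys) for ys in by_x.values())


# Constructed population: (OS visible to JS, OS claimed in the HTTP UA header,
# font set detectable by web content). Each Linux user has a distinct real
# font set; the Windows and mac users share their platform's default set.
POPULATION_NO_RFP = (
    [("linux", "linux", f"linux-real-fonts-{i}") for i in range(4)]
    + [("windows", "windows", "windows-default-fonts")] * 2
    + [("mac", "mac", "mac-default-fonts")] * 2
)


def apply_rfp(population):
    """Assumed model of the two behaviours discussed in the thread:
    the HTTP header collapses desktop OSes to 'windows' while JS keeps the
    real OS, and font visibility puts every user of an OS on that OS's base list."""
    return [(js_os, "windows", f"{js_os}-base-fonts") for js_os, _, _ in population]


def summarize(population):
    """Entropy figures for one population, all in bits."""
    return {
        "os_js_bits": entropy_bits([r[0] for r in population]),
        "os_header_bits": entropy_bits([r[1] for r in population]),
        # 0 means the header reveals nothing beyond what JS already reveals
        "header_given_js_bits": conditional_entropy_bits([(r[0], r[1]) for r in population]),
        "fonts_bits": entropy_bits([r[2] for r in population]),
        # 0 means the font set reveals nothing beyond the OS, the ideal bucket
        "fonts_given_os_bits": conditional_entropy_bits([(r[0], r[2]) for r in population]),
    }


if __name__ == "__main__":
    for label, pop in (("no RFP", POPULATION_NO_RFP), ("RFP", apply_rfp(POPULATION_NO_RFP))):
        print(label, {k: round(v, 3) for k, v in summarize(pop).items()})
```

With this population the OS stays at 1.5 bits in JS either way, the header contributes 0 bits beyond JS both before and after RFP (so lying about windows there adds no entropy), and the font set drops from 2.5 bits (1.0 bit beyond the OS, all of it from the four distinct Linux users) to 1.5 bits (0 beyond the OS) once every Linux user lands on the same base list.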

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID