The way they talk about it makes it sound like they invented the written word, but that notwithstanding the fonts actually look really nice in my opinion.
The way they talk about it makes it sound like they invented the written word, but that notwithstanding the fonts actually look really nice in my opinion.
I like Hack as my font of choice, but I will probably give this a shot. It’s a font, there is no risk of data collection, Microsoft style bugs, or other Microsoft-associated product issues.
TeamViewer checks for a font their app installs when visiting their website to fingerprint you.
https://www.ctrl.blog/entry/teamviewer-font-privacy.html
FFS
Thanks
In my web browser I personally use uBlock Origin to just block all remote fonts and browse with a JS disabled by default policy. It’s an annoying but necessary compromise, in my opinion.
Also, in Firefox v118 a new feature was introduced to curtail the font fingerprint route as well: “The visibility of fonts to websites has been restricted to system fonts and language pack fonts to mitigate font fingerprinting in Private Browsing windows.”
I’m sure you know this, but for anyone else scrolling through the comments it is actually ridiculous how much data websites can query and receive to fingerprint users from the web browser. Just look at https://amiunique.org – “WHY IS THIS ALLOWED?” is the question I have asked for many years now.
Because people want to have features in their web browsers and originally no one really designed the web with security in mind.
Some of it is incredibly difficult to imagine how to do in a private way, too.
For example, my browser can display AVIF images. If my browser announces in the Accept “hey, I’m able to display AVIF images. Please send me AVIF images if you have them rather than JPEG”, that helps to identify me, since most browser don’t display AVIF, which sucks. But I really want to get AVIF images: they’re efficient. So how do I announce that I want AVIF images without announcing that I want AVIF images?
Some of the other web features were well-intentioned but have just ended up being useless. Like your browser also announces what language you prefer. Like “hey if you a German version of this text, please send it to me in German, thanks”. But for some reason EVERY WEBSITE IGNORES THIS and just says “oh you speak Spanish and English but you’re travelling in Russian right now? HOPE YOU LIKE READING RUSSIAN FUCKER”. So it’s 100% only used for invading privacy now.
Some of the tracking mechanisms never should have been allowed in the first place (like timezone and which fonts I have installed), but some of them (like Accept) I can’t think of how to do in a secure way.
That is insane the amount of info given. I had no idea. Thanks for the website
Fuck me sideways.
Also, I’d remove battery charge metric from the fingerprint. Since it changes over time, I wouldn’t really consider it a good or even usable metric.
Could be used in combination with other metrics to identify a specific user’s movements through a site over time, if the other metrics aren’t unique enough.
Possibly, but when you have time as a realiable metric already, you dont need another metric that ticks down at an unknown and inconsistent speed, and goes up once in a while. Hell, I keep my laptop plugged 99% of the time.
I used Dejavu Sans for like 10 years, and Hack is the perfect incremental improvement. I’ve tried to use other fonts but I keep coming back to Hack.
https://security.stackexchange.com/questions/91347/how-can-a-font-be-used-for-privilege-escalation
Not a serious rebuttal. But yes, MS has found a way for Windows to be vulnerable to attacks using fonts.
What the…
I meant to link the CVE sorry. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3402