Firefox 52 Adds a Tor-Like Font Whitelist to Prevent Fingerprinting through OS Fonts
Researchers from Mozilla scheduled a release for a stable build of Firefox 52; this build’s significance came from a Tor-esque privacy implementation. In the user-submitted bug report, Bug 1121643 from 2015, a user posted that a system’s fonts exposed information about that user. Then, Tor developers, as another user commented, issued a patch to “Bug #13313: Pref ‘font.system.whitelist.’” Tor’s patch to the font fingerprinting initially landed in a remote tracking branch of an early version (5.0-1-build3) of tor-browser-38.1.0esr-5.0-1. And the “bug fix,” if you will, has stayed with Tor since and will become a part of Firefox as of March 7, 2017.
Browser fingerprinting, just like any form of de-anonymization, is not a new type of internet tracking. In many recent cases, the issue relied heavily on human error. Granted, the de-anonymization or pseudo-identification of a browser’s user works both ways. Firefox often pulled privacy techniques from Tor developers and builds, and in turn Tor relied on Mozilla’s Firefox Extended Support Release builds to compose the Tor Browser Bundle.
A primary relationship, security-wise, began to grow between both organizations after the FBI refused to disclose their Tor exploit, one that also affected Firefox users. Firefox developers started working on the “Tor Uplift project” that ultimately aimed to reduce fingerprinting in Firefox builds. The fixes first implemented were often basic ones. For instance: if a website requested the variable “screen.orientation.angle” from a Firefox user, Firefox started returning the virtually worthless value of “0.”
“The mouse wheel event in Tor Browser (and most browsers) leaks information of the underlying hardware used to scroll the web page. The event provides information about the delta scrolled, however, if you are using an ordinary computer mouse with a mouse wheel, the delta is always three, but if you are using a trackpad, the deltas are variable and related to your trackpad and your usage patterns.” (jcarlosnorte.com)
Mozilla’s font whitelist patch, in the proposed version and in theory, implements a list of OK fonts, or technically “whitelist” fonts. Answering a request for a machine’s font family from that list would then, again in theory, prevent the website from identifying the operating system beyond a predefined level. While this patch originated from a similar one and current functionality in Tor, the implementation differs slightly. And possibly to a fault. The bug report that ultimately initiated the development of a font whitelist ended with “The scope of this feature is very narrow. Is there a second bug that builds on this one? If not, should I make one […]?”
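The following added example (a simplified model, not Firefox or Tor code) shows the effect a font whitelist has on what a probing page can observe, and why a whitelist that names a font missing on some machines still leaves them distinguishable. The machine font sets, the probe list, the function names, and the comma-separated pref format are assumptions made for illustration.

```javascript
// Model of font visibility under a whitelist (added example; not browser code).
// Font sets below are constructed samples, not real OS inventories.
const MACHINES = {
  windowsLike: ["Arial", "Calibri", "Segoe UI", "Times New Roman", "Courier New"],
  linuxLike: ["Arial", "DejaVu Sans", "Liberation Serif", "Times New Roman", "Ubuntu"],
};

// Families a page might probe for (constructed list).
const PROBES = ["Arial", "Calibri", "DejaVu Sans", "Segoe UI", "Times New Roman", "Ubuntu"];

// Assumption: the pref value is a comma-separated list of family names;
// an empty value means no filtering.
function parseWhitelist(prefValue) {
  return new Set(
    prefValue.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// A family is usable by content only if it is installed and, when a
// whitelist is set, also listed there. Names compare case-insensitively.
function visibleFonts(installed, whitelist) {
  return installed.filter(
    (f) => whitelist.size === 0 || whitelist.has(f.toLowerCase())
  );
}

// What a probing page learns: which probed families resolve instead of
// falling back to the default font.
function observedFingerprint(installed, prefValue) {
  const visible = new Set(
    visibleFonts(installed, parseWhitelist(prefValue)).map((f) => f.toLowerCase())
  );
  return PROBES.filter((p) => visible.has(p.toLowerCase())).join("|");
}

// Number of distinct fingerprints across the sample machines for a pref value.
function distinctFingerprints(prefValue) {
  const prints = Object.values(MACHINES).map((m) => observedFingerprint(m, prefValue));
  return new Set(prints).size;
}

console.log("no whitelist:", distinctFingerprints(""));
console.log("fonts common to both:", distinctFingerprints("Arial, Times New Roman"));
console.log("includes an OS-specific font:", distinctFingerprints("Arial, Ubuntu"));
```

In this model the whitelist only collapses the machines into one group when every listed font is present on all of them, so the list bounds the leak without necessarily removing it.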