Mozilla announced the introduction of a new privacy protection mechanism to Firefox 52 that prevents websites from fingerprinting through system fonts.
The technique is widely adopted by advertising companies via hidden scripts delivered with ads that take the list of local fonts and along with other data create a unique fingerprint (ID) for each user.
The companies aim in this was to deliver targeted ads and track users across the web.
The experts at Mozilla have implemented a feature to only expose whitelisted system fonts to avoid fontlist fingerprinting. The new feature will be included in the stable branch of Firefox 52, scheduled for release on March 7, 2017.
The user privacy protection mechanism was already implemented by Mozilla in the Tor Browser, it was developed to block websites from identifying visitors based on the fonts installed on their machines.
The font fingerprinting protection is already available in Firefox 52 Beta.
“Defending against font fingerprinting is complex. We have to worry about distinguishing attacks via differing installed font sets, text rendering engine differences, and font variants. There are a variety of tickets involved.” states the Tor Development Team.
“In #13313, we introduced a Tor Browser pref, “font.system.whitelist”, which accepts a list of fonts and excludes all others from the browser.”
How does the feature work?
The feature leverages a whitelist of system fonts for each operating system, the browser will not block queries for system fonts but it will provide the same answer for every user making impossible to discriminate them.
The practice of font fingerprinting relies on website operators deploying Flash or JS scripts that query the user’s browser for a list of locally installed fonts.
The news confirms the intention of Mozilla to protect users’ privacy, in July the development team launched the Tor Uplift project, a significant effort in improving privacy features implemented in FireFox.
“To uplift all of the Tor Browser patches to mainline Firefox. The general approach is to add preferences for anything that breaks the web and set them to default “off” so that the behavior of default Firefox does not change. All bugs are tagged with [tor]. The Tor Browser design document is here.” states the description of the project.
(Security Affairs – Firefox 52, privacy)