Font fingerprinting is a set of identification methods based on which fonts you have and how they are drawn inside your browser. Generally, there are two ways websites may use fonts in browser fingerprinting:
- Fonts list enumeration
- Font metric-based fingerprinting
You can check how these methods are applied in the wild on Browserleaks.com here and here.
Fonts list enumeration
The most popular way to gather the list of fonts installed on your machine is through CSS introspection. In short, this method derives the list of your fonts by measuring the width of a phrase rendered by your browser in a specific font. If the width matches, it means that you have that font installed. If it doesn’t, it can be determined that the font is missing.
By cycling through the list of possible fonts and widths, websites can get an accurate picture of which fonts are installed on one’s machine.
Incogniton utilizes a special algorithm that combats such methods and allows you to control which fonts the websites can enumerate.
When you create and save a profile, Incogniton will automatically generate a random list of fonts, which is the list that will be presented to the websites you visit.
You also have the option to edit the list one by one by clicking on the ‘Edit’ button. However, this can only be done after the profile is created.
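The following is an added example, not Incogniton's code or algorithm. It is a simplified model of the width check described above, showing why the fonts a page can enumerate are exactly the ones the renderer exposes. The width table, the font lists and the function names makeRenderer and detectFonts are constructed for illustration.

```javascript
// Constructed sample data: rendered width (px) of one test phrase per family.
// In a real browser these numbers would come from measuring an element.
const GENERIC = ["monospace", "sans-serif", "serif"];
const WIDTHS = {
  monospace: 720, "sans-serif": 640, serif: 610,
  Arial: 640, // same width as the sans-serif fallback on this constructed system
  Calibri: 598, "Comic Sans MS": 671, Futura: 655,
};

// Model of a renderer: text is drawn in the first family of the stack that
// the browser exposes; generic families are always available.
function makeRenderer(exposedFonts) {
  const usable = new Set([...exposedFonts, ...GENERIC]);
  return (stack) => WIDTHS[stack.find((family) => usable.has(family))];
}

// Width-based check: a candidate counts as present if, for at least one
// generic fallback, "candidate, fallback" renders at a different width than
// the fallback alone.
function detectFonts(measure, candidates, fallbacks = GENERIC) {
  const baseline = new Map(fallbacks.map((g) => [g, measure([g])]));
  return candidates.filter((font) =>
    fallbacks.some((g) => measure([font, g]) !== baseline.get(g)));
}

const CANDIDATES = ["Arial", "Calibri", "Comic Sans MS", "Futura"];
const systemFonts = ["Arial", "Calibri", "Futura"];  // what is really installed
const profileFonts = ["Arial", "Comic Sans MS"];     // list saved in the profile

// Unprotected: the page recovers the real installed list.
const seenUnprotected = detectFonts(makeRenderer(systemFonts), CANDIDATES);
// Protected (assumed model): only the profile's list is exposed to the page,
// so the enumeration returns the configured list, not the system one.
const seenProtected = detectFonts(makeRenderer(profileFonts), CANDIDATES);
// Edge case: with a single fallback, a font whose width equals that fallback
// (Arial here) is missed, which is why several fallbacks are compared.
const seenOneFallback =
  detectFonts(makeRenderer(systemFonts), CANDIDATES, ["sans-serif"]);

console.log({ seenUnprotected, seenProtected, seenOneFallback });
```

The same comparison is a quick way to verify a profile: the list a test page reports should match the list saved in the profile, not the fonts installed on the machine.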
Did you know that websites can also use Flash or Java Applet plugins to obtain your system fonts list, which is then silently transferred to a server in the background through AJAX?
Well, they can! So always be careful when enabling plugins in your browser profiles. You can find more information about this here.
Font metric-based fingerprinting (Unicode glyphs and DOMRect)
Font metric-based fingerprinting techniques are based on measuring the borders and dimensions of HTML elements, which can be filled with text from a specific font family. These measurements are then converted into hash string identifiers that can be used for more precise fingerprinting. These techniques can be categorized into 2 sub-groups:
- Unicode glyphs, which is the measurement of a single character in a specific font family
- DOMRect (also known as getClientRects), which is the measurement of an HTML element where the text is rendered in a specific font family
Incogniton utilizes a range of different methods to combat font metric-based fingerprinting when “Unicode glyphs and DOMRect fingerprinting protection” is enabled. The end result is that every browser profile will have a unique Unicode glyph and DOMRect hash.