Font Fingerprinting – How to Protect Yourself

Font fingerprinting is one of the easiest ways to track visitors to a website. It can be done with JavaScript, and because you cannot give up JavaScript, you can easily be identified on the Internet through your fonts. This web tracking method appears to be very difficult for ordinary users to combat.

Simple definition of font:

In both traditional typesetting and modern usage, the word font refers to the delivery mechanism of the typeface design. In traditional typesetting, the font would be made from metal or wood. Today, the font is a digital file. (Wikipedia – Font)

The font is a file used by programs on your device when they want to display text with a certain shape for the characters. For example, in Windows, the font files are located in the C:\Windows\Fonts folder.
Your device has a list of fonts that can be used. Standard fonts are those that came with your operating system. But most of the software you install on your device brings other fonts with it during installation. The chances of you having the same programs installed on your device as another individual are very small (it’s just like the lottery), so you will have a list of installed fonts that is almost certainly unique.
Because any website you visit can see almost all of your font list, the site can recognize you the next time you access it.

How to create a fingerprint from your font list

With a simple JavaScript method, the website can find a large part of your font list.
Initially, the script contains a huge list of the most common font names from various devices (about 500 fonts are enough for this device fingerprint method).
Then the script creates a div (invisible to you in your browser) and takes each font from the list above, each in three variants: “monospace”, “sans-serif” and “serif”. It tries to write a pre-established text at a fixed size in this div with each of them. The script then verifies whether the font is available in that div and, if it is, marks it in the list of available fonts. Finally, the script returns the list of fonts detected on your device. The longer the list of font names in the script, the more accurate the fingerprint of your device will be.
Do not even think that you will notice if you have been identified. Everything happens very quickly: a list of over 1000 fonts will be checked in a fraction of a second.
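
The probing logic described above, as an added example that is not code from this page or from fingerprintjs2. So that it runs outside a browser, the measurement of the hidden div is replaced by `makeMeasure`, a model with constructed widths; the helper names and the fonts in `CANDIDATES` are assumptions. It also shows why three fallbacks are probed instead of one, and that a changed font set produces a different identifier.

```javascript
// Added example: models the probing loop; not code from the page or fingerprintjs2.
const BASES = ['monospace', 'sans-serif', 'serif'];

// Constructed metrics: width in px of the probe string when drawn in each font.
const METRICS = {
  monospace: 600, 'sans-serif': 520, serif: 540, // generic fallbacks
  Arial: 520, // deliberately the same width as the sans-serif fallback
  Calibri: 498, Garamond: 470, 'Comic Sans MS': 561,
};

// Stand-in for measuring the hidden div (assumption): the first family in the
// CSS font stack that is installed decides the rendered width.
function makeMeasure(installed) {
  const usable = new Set([...installed, ...BASES]);
  return (stack) => METRICS[stack.find((name) => usable.has(name))];
}

// A candidate counts as installed if, for at least one fallback, the text
// drawn with "candidate, fallback" differs from the fallback drawn alone.
function detectFonts(candidates, measure, bases = BASES) {
  const baseline = new Map(bases.map((b) => [b, measure([b])]));
  return candidates.filter((font) =>
    bases.some((b) => measure([font, b]) !== baseline.get(b)));
}

// Order-independent identifier for a detected list (FNV-1a, 32 bit), standing
// in for whatever hash a tracking script would apply.
function fingerprint(fonts) {
  let h = 0x811c9dc5;
  for (const ch of [...fonts].sort().join('|')) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

const CANDIDATES = ['Arial', 'Calibri', 'Garamond', 'Comic Sans MS', 'Futura'];
const before = detectFonts(CANDIDATES, makeMeasure(['Arial', 'Calibri']));
const after = detectFonts(CANDIDATES, makeMeasure(['Arial', 'Calibri', 'Garamond']));
console.log(before, fingerprint(before)); // two fonts detected
console.log(after, fingerprint(after));   // one more font, different identifier
```

Passing `['sans-serif']` as the third argument of `detectFonts` shows the single-fallback failure: Arial is missed because it renders at the same width as that fallback.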

Can you protect yourself from fonts fingerprinting?

If you have a clean operating system, without many installed programs or with only very common programs, your list of detected fonts will also be found on other users’ computers, and fingerprinting is almost impossible.
So one way to combat this tracking method is to install a Windows 7 virtual machine in VMware or VirtualBox, install only your favorite browser (preferably Firefox + canvas fingerprinting protection) and browse only with this.
Another option is to use add-ons in your browser. There are Firefox / Chrome plugins on the Internet that can deliver a list of fake fonts to the visited web page. I did not test these plugins, so I cannot tell you if they do what they say.
The real protection against font fingerprinting is to keep many of the most used fonts downloaded in a folder, temporarily install some of them on your device, and then uninstall the temporarily installed fonts after you have finished browsing the Internet. The visited site will see a different font list every time and you will have another identity.
I tried to automate this process in Windows, so it’s very easy to have different fonts every time.

What do you need for fonts fingerprinting defense?

1. A list of the most common fonts (here)
From the fingerprintjs2 script found on the https://github.com/Valve/fingerprintjs2 site, we have the list of the most commonly used fonts.
2. Two folders created on your computer. Create 2 folders: C:\fonts and C:\tempfonts. You’ll need them.
3. A font library. You must try to find and download as many fonts from the list above as you can, but they must be .ttf files. There are a lot of download sites for fonts, so I do not insist on this. When you find one of the fonts, you must download all of its variants. Try to have at least 300 downloaded .ttf files. Put all the font files (not zip archives, but .ttf files) in the C:\fonts folder you just created.
4. Download the fontiu.exe application (VirusTotal result is here). It’s a program (thanks to www.dumb.ro) that can temporarily install/uninstall all the fonts from the folder where it was put. Its advantage is that it can run in the command prompt and can be easily integrated into VBScript or AutoIt scripts or other custom applications. Because I did not find any software to do that, I had to call a friend to create it. Put the fontiu.exe file on your desktop (or where you want it).
5. Download the .vbs scripts below to install/uninstall fonts and put them on your desktop (or in the folder where you put the fontiu.exe file).
Script 1: fonts_install.vbs. This script picks a random number of fonts to install (between 15 and 35), randomly chooses that many fonts from the C:\fonts folder and copies them to C:\tempfonts, where it also copies the fontiu.exe executable, and then temporarily installs the fonts with the command “fontiu.exe -i”.
Script 2: fonts_uninstall.vbs. This script uninstalls the fonts from the C:\tempfonts folder and then deletes all the files in this folder.

That’s all you need to do in order to fight against font fingerprinting.
When you want to have another font-based fingerprint, close all Firefox windows, run the fonts_install.vbs script, browse the Internet, and then run fonts_uninstall.vbs to return to the original fonts on your device.
It’s a good idea to check the number of fonts before and after using this method. Simply check the list of available fonts on https://www.iptest.club/ at the bottom of the page where you will see the total number of detected fonts and the list of their names.

This probably isn’t the best way to fight against font fingerprinting, but I was happy using it. However, it will not protect you against other Internet tracking methods, and it’s a good idea to block the canvas and change your IP address, then check your security on https://www.iptest.club/. If the results shown on this page are satisfactory to you, I think you can safely navigate the Internet.

Comments 6

  • Thanks for the article. Great info, but there is a question I have: if fontiu.exe places .ttf fonts in “C:\tempfonts\”, how can these fonts be seen by a service like panopticlick.eff.org? The system font folder is “C:\Windows\Fonts” and when I try to change the path from “C:\tempfonts\” to “C:\Windows\Fonts”, an error pop-up appears:
    Line: 45
    Symbol: 2
    Error:Access denied
    Code: 800A0046

    It looks like there is something with permission to access the system folder, but I have no idea what I am to do with it…

    • Thank you for your comment.
      The executable “fontiu.exe” temporarily installs the fonts found in the folder where this executable is located. You can do this manually (right click on the .ttf file and install), but I preferred something automatic. That’s why we created the two VBScript files.
      You do not have to copy the fonts manually into the “c:\windows\fonts” folder. That would mean permanent font installation.
      “fontiu.exe” temporarily installs the fonts. When you restart your computer these fonts will no longer appear installed.
      I wrote in the tutorial above: you copy the .ttf fonts into the “c:\fonts” folder, create the “c:\tempfonts” folder and download fontiu.exe and the two scripts. Upon installation, the first script will copy some of the fonts and the executable “fontiu.exe” into “c:\tempfonts” and install the temporary fonts in the Windows system. That’s why the fonts will be seen by https://panopticlick.eff.org/ or other services (e.g. https://www.iptest.club). The second script will uninstall the fonts found in c:\tempfonts and then delete the contents of this folder. Fonts will no longer be seen as installed.

  • I am from Italy, hello. Can you help me translate? /rardor

  • I don’t have a C: drive. I have a /dev/sda and /dev/nvme0n1
    Any advice for folks like me?

    • I am sorry. The method described in this article applies to the Windows operating system. I understand that you have Linux or a system derived from Unix. This tutorial works only in Windows.
