[Feature] Font spoofing

[solonovamax]

Is your feature request related to a problem? Please describe.
Trackers can use the installed system fonts to track you across websites, if you have a unique set of fonts installed (like if you're using linux and are missing one or two default windows fonts. If you're spoofing a windows useagent, this could be used to deanonymize you.)

Describe the solution you'd like
It'd be pretty cool if you could somehow spoof this, so it's impossible to track you using fonts.
According to coveryourtracks.eff.org, js trackers can do this by creating a <span> tag, and then loading a bunch of fonts and checking if the width changed.
So, a simple solution would be to randomize font widths every time they're drawn by ±0.0003% (or possibly more), like you do a few other flags.

(Actually, looking at those flags it seems like it may actually be already doing that, which causes it to match all the fonts, which makes you less unique. Here's a solution for that.)
An alternative solution would be the following:
allow the user to specify a list of fonts (or just use a short list of the most common ones), and generate a random variation at start up, which is applied to only those fonts in the list.
As for the rest of the fonts, it would apply no variation to them, to make it look like you don't have them.

This would make it seem like you're a default windows user with no extra fonts installed.

Describe alternatives you've considered
Alternatively, you could just not do this. I mean yeah, it might be a pain to implement, and I would understand if you think it's too much work.

Additional context
According to bot EFF.og and amiunique.org, the set of fonts that I have installed is very unique and could be used to deanonymize me:

[wchen342]

This and several other request about fingerprinting resistence (especially the buggy canvas random noise which obviously caused a lot of problems) can generally be included into a larger meta-issue, similar to the Tor Uplift project of Firefox. However it will be a quite big project and I doubt we have enough people here to do such a project.

Simply add a flag to fix the font list may be possible, but then that will be a very specific solution and will only solve a small portion of the whole problem so I am not sure that is actually helpful, considering there are a lot of other ways of fingerprinting.

[solonovamax]

Yeah, well fonts are just one of the issues.

I managed to get all the bits of identifying information down pretty low for all the items except for the fonts. So that's why I opened this specific issue.

[wchen342]

Yes I understand that fonts are the issue for you. What I was saying above is more from the project perspective than about the specific issue.

[csagan5]

especially the buggy canvas random noise which obviously caused a lot of problems

I find it funny that we went from "websites are using the canvas to fingerprint users" to "the patch that prevents them from doing that is buggy".

[wchen342]

But isn't it better to do something that can prevent fingerprinting and break as few things as possible better? I don't think "preventing" means stop people from using things altogether.

[csagan5]

The fault is still on the websites which uses these techniques without telling the user (which is illegal in some countries); the flag does not state on the tin "avoid fingerprinting via canvas, unless the website that wants to fingerprint me will break functionality", but simply makes canvas unusable for fingerprinting. In such sense it works as intended.

isn't it better to do something that can prevent fingerprinting and break as few things as possible better?

Isn't this already the case?

[wchen342]

The fault is still on the websites which uses these techniques without telling the user

That is true, but in this case as a developer making this decision means you are putting the burden on users. Users are the weaker party comparing to both the websites and the developers. Maybe it is possible to argue that you can pressure the users and indirectly pressure the websites to change, but as the weakest parties among all the users will be taking the most damage.

[csagan5]

users will be taking the most damage.

It depends on what you consider most damaging for the user: a broken functionality or being silently fingerprinted. For Bromite project goals, the latter is obviously the most damaging one.

In the case of ungoogled-chromium there is a flag, so if the user turns it on it is the user who has decided.

[wchen342]

Ok, I think that is a fair point. I still think some efforts should be put into improving the current solution but I understand if you think it is not worth the effort.

[Kein]

This is a bit off-topic, but man, I rememebr FireGloves was able to do this to Firefox almost a decade ago.

It really is quite some effort but it would be nice to have in Chromium

[csagan5]

I remember FireGloves was able to do this to Firefox almost a decade ago.

I doubt it. There have never been and there are not currently extensions or browser that defeat fingerprinting 100%; it would be equivalent to say that there are browsers without security problems.

FYI, from https://pet-portal.eu/blog/read/533/?set_language=eng

Although we clarified that FG is a plugin of demonstrational purposes, it had almost 2k users constantly

"demonstrational purposes" is the exact opposite of a working extensions to defeat (font) fingerprinting

[Kein]

It did work and TOR adopted the same approach - succint, very dry set of allowed fonts. FG used to allow you to customize your font collectio which, as we know now, defeats purpose of being non-unique, so TOR enforces generic list among all TOR users. But FG really pioneered a lot of things back then.

This feature will not hide the fact you use Unggogled Chromium but it might help blend in all UC users as long as it is enforced to work the same instead of being customizeable.

[solonovamax]

Honestly, I'd much prefer if there was a setting for it. And the reason for that is this: if for some reason there's an update which adds new fonts/removes fonts from the base windows install, then users should have the ability to change the setting to match that. It shouldn't be something that's super obvious, but it should still be there. Maybe even just a note telling you where a csv file is that you can edit in the experiments description.

[solonovamax]

An alternative solution would be the following:
allow the user to specify a list of fonts (or just use a short list of the most common ones), and generate a random variation at start up, which is applied to only those fonts in the list.
As for the rest of the fonts, it would apply no variation to them, to make it look like you don't have them.

Actually, I just realized this was a horrible idea and wouldn't account for any fonts you have installed on your system that aren't default...
So here's another one:
When you install chromium, it will have a list of fonts and it will go through that list and look for installed versions of that font. Then, it makes sure that anytime you load a font, it'll only load it if it's on that list. Meaning, webpages can't load arbitrary fonts. For the fonts in the list that are installed on the system, it wouldn't do anything. For the fonts that are on the list that aren't installed on the system, it would do the ±0.0003% variation on them to make it look like they're installed on the system.
That way, it looks (to any js snooper) like the fonts that are installed are only the default windows ones.

I doubt it. There have never been and there are not currently extensions or browser that defeat fingerprinting 100%; it would be equivalent to say that there are browsers without security problems.

I have been using trace https://absolutedouble.co.uk/trace/ on Ungoogled Chromium with all protections turned on and disable javascript to maximize protection. I am not familliar with browser tracking but I am wondering what is the missing puzzle here?