this post was submitted on 11 Nov 2025
[–] chasteinsect@programming.dev 21 points 1 week ago (2 children)

I remember thinking how strange it is that websites can know all of your installed fonts when I was playing around with https://coveryourtracks.eff.org/ and https://www.amiunique.org/

I'm on Linux and I have some extra fonts installed. Just the combination of them alone is so unique to me that you don't need anything else.

[–] ggtdbz@lemmy.dbzer0.com 14 points 1 week ago

The second big one for me is how shocking I find it that timezone spoofing isn’t standard, now that so many people use VPNs. Why would someone connecting from Sweden have their clock set to GMT? Etc

[–] lambalicious@lemmy.sdf.org 7 points 1 week ago (1 children)

One known problem is that on Firefox for Linux, every font you install via the package manager becomes a System Font, and thus is immediately "visible" as soon as Use Document Fonts is enabled, irrespective of the setting for CSS font visibility. I've even asked about here if it is possible to run multiple fontservers on a single session, as that would help palliate the fingerprinting by running Firefox profiles connected to different font lists.

As a relatively useful alternative, you can have Firefox profiles on different users, each having their own fontset available at .local/share/fonts, but for that to work you also have to remove all those extra fonts you installed via the package manager.

[–] chasteinsect@programming.dev 1 points 1 week ago (1 children)

Oh, interesting, I wasn't aware of how all of these things work. So even on the strictest CSS font visibility setting system fonts are not hidden (provided Document Fonts is enabled)? Local fonts I assume are hidden?

[–] lambalicious@lemmy.sdf.org 3 points 1 week ago

From comments in the bug report I got the feeling they should have, but aren't; probably because of intrinsic issues with what it means to be a "system" component.

I have no means to test in Firefox Linux if local fonts are hidden because I don't know what makes a font "local" either. Any font placed where the fontserver looks for them (be it system paths or .local/share/fonts) seems to count as "system", which is why I specifically suggest using .local/share/fonts with different users: it's the only path where you can offer variability. More importantly, CSS font visibility settings seem to mostly be intended for JavaScript-based fingerprinting, and they do not work at all against CSS-based fingerprinting.

I am pending to raise an issue ticket to make it so that "Use Document Fonts" becomes a Site Preference instead of a Global Preference; that should go a very long way to enhance privacy in these cases. Once I do, I'll link it here.
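Added example, not written by anyone in the thread: a self-audit for the setup described above, which lists the font families beyond a stock install, separates those in system paths (to be removed via the package manager) from those under one user's .local/share/fonts, and digests the whole family set to show how it acts as a stable identifier. The sample listing, the baseline set, the user names and the function names are constructed assumptions; real input in the same shape comes from `fc-list --format '%{file}\t%{family}\n'`.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed sample in the shape of: fc-list --format '%{file}\t%{family}\n'
SAMPLE = """\
/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf\tDejaVu Sans
/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf\tDejaVu Sans
/usr/share/fonts/truetype/liberation/LiberationSerif-Regular.ttf\tLiberation Serif
/usr/share/fonts/opentype/fira/FiraCode-Regular.otf\tFira Code
/usr/share/fonts/truetype/comic-neue/ComicNeue-Regular.ttf\tComic Neue
/home/alice/.local/share/fonts/Iosevka-Regular.ttf\tIosevka,Iosevka Term
"""

# Assumed baseline: families a stock install ships (constructed for this example).
BASELINE = {"DejaVu Sans", "Liberation Serif"}

def parse(listing):
    """Map each font family to the set of files that provide it."""
    families = {}
    for line in listing.splitlines():
        if "\t" not in line:
            continue
        path, names = line.split("\t", 1)
        for name in names.split(","):  # fontconfig separates aliases with commas
            families.setdefault(name.strip(), set()).add(path)
    return families

def audit(listing, home, baseline=BASELINE):
    """Split non-baseline families by location and digest the full family set."""
    user_dir = PurePosixPath(home) / ".local/share/fonts"
    families = parse(listing)
    extra_system, extra_user = [], []
    for name, paths in sorted(families.items()):
        if name in baseline:
            continue
        # A family is per-user only if every file providing it is in user_dir.
        in_user = all(user_dir in PurePosixPath(p).parents for p in paths)
        (extra_user if in_user else extra_system).append(name)
    digest = hashlib.sha256("\n".join(sorted(families)).encode()).hexdigest()[:16]
    return extra_system, extra_user, digest

if __name__ == "__main__":
    system, user, digest = audit(SAMPLE, "/home/alice")
    print("extra families in system paths:", system)
    print("extra families in this user's font dir:", user)
    print("digest of the visible family set:", digest)
```

Two accounts whose listings produce the same digest present the same font set; any extra family changes it.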