Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 698624 - Requesting a catchall metapackage for fonts to obscure browser fingerprinting
Summary: Requesting a catchall metapackage for fonts to obscure browser fingerprinting
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Default Assignee for New Packages
Depends on:
Reported: 2019-10-27 03:44 UTC by Jason Chan
Modified: 2019-11-23 14:28 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jason Chan 2019-10-27 03:44:44 UTC
At the moment, KDE Plasma's metapackage requires the large media-fonts/noto. Adding to that, some websites or applications require fonts themselves such as media-fonts/awesome.

When browsing websites with javascript enabled, sites are able to scrape what fonts a user has, as well in what order the fonts are in. With the noto package, as well as other fonts that a user would require to install, this makes it very simple to create an identification without the need for resolution, canvas rendering, IP, cookies, or browsing habits. 

The solution I have in mind is to create a metapackage of all fonts, with USE flags to toggle on or off specific fonts/font packages. Then at postinst the package would spoof what fonts are installed on the system, so that there is a sizeable amount of people 'using' the same fonts.

Regarding size of the package, USE flags for SRC_URI should prevent downloading unneeded fonts.

You may be interested in opening the links below in a container.

Browser Uniqueness Test

Font Fingerprint & Metrics

Eckersley, P. How Unique Is Your Web Browser?, EFF
Comment 1 Haelwenn (lanodan) Monnier 2019-11-23 14:28:21 UTC
Browser fingerprinting is a mess but breaking the Operating System is not the way to go, at all.

Javascript is literally a remote code execution feature and there is some actively anti-privacy/pro-tracking features being added in it (Beacon API is the first one that comes to my mind and it's far from being the only one).

Browsers should fix this or web browsers would have to be sandboxed (which is effectively what QubesOS is about for example).