- From: pes10k via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Feb 2025 21:31:04 +0000
- To: public-css-archive@w3.org
> For fingerprinting detection, you'd be making users download a large amount of fake fonts. They'd have to be big to effectively race with a delayed loading of a local font. Unfortunately, I do not think this is a significant barrier to practical privacy attacks. Before cache partitioning was the norm, the web was rife with similar cache-probe attacks (to re-identify users across sites w/o using cookies/browser storage). From looking at the fonts installed on my machine, i see fonts as small as 5k (I bet if your goal was to make a minimally-small font, you could get a valid font even smaller). The current version of fingerprint.js probes for [52 fonts](https://github.com/fingerprintjs/fingerprintjs/blob/master/src/sources/fonts.ts#L14), meaning fingerprint.js could continue their existing attack by just inducing a user to download a max of 260k. Unfortunately, I expect many advertisers/sites/fingerprintjs-deployers would happily have a user download 260k to increase the chance of reidentifying a user -- GitHub Notification of comment by pes10k Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/11648#issuecomment-2679695438 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 February 2025 21:31:05 UTC