Re: [css3-webfonts] Downloaded fonts should not... from Brad Kemper on 2008-04-16 (www-style@w3.org from April 2008)

From: Brad Kemper <brkemper@comcast.net>
Date: Wed, 16 Apr 2008 08:18:37 -0700
To: Patrick Garies <pgaries@fastmail.us>
Cc: www-style@w3.org
Message-Id: <4B6312D0-BA11-42AE-A530-35F1ACEDBBF3@comcast.net>
On Apr 16, 2008, at 1:07 AM, Patrick Garies wrote:

> Brad Kemper wrote:
>> Maybe there is also a way to encrypt some of the fonts other vitals
>> (font metrics and file info) into a small header file for
>> verification, using a certificate. Then the encrypted header could be
>> compared to the vitals of the font already downloaded to see if it
>> is the same, or if it is a different font. That would tell you if the
>> fonts were exactly the same and would not need to be re-downloaded.
>> If the font vitals did not match what the header claimed, then the
>> font file should not be used as a stand-in for pages that claim to
>> have the same font at a different location.
>
> If header information is plainly accessible, it could easily be  
> copied into a malicious version of the font file; if the information  
> is derived from the font itself, that would entail downloading it.

Well, of course a font will be downloaded if it is ever to be used.  
You have to think about the order of things.

1. Site A has a font that you've never come across before,  
"font_a.ttf". At this point, it's name doesn't match anything on your  
computer, so the UA downloads it.
2. The UA compares the header information to actual font/file  
information of the already downloaded font and sees that it matches.
3. Site B has a font of the same name. Your UA downloads the header  
information. It appears to be the same font, so it doesn't bother  
downloading it again. If Site B is lying in their header, its not  
going to do them any good, because their font is not being downloaded  
at that point.

or

1. Site A has a font that you've never come across before,  
"font_a.ttf". At this point, it's name doesn't match anything on your  
computer, so the UA downloads it.
2. The UA compares the header information to actual font/file  
information of the already downloaded font and sees that it DOES NOT  
match.
3. Site B has a font of the same name. Your UA no longer cares about  
whether the name matches site A's "font_a.ttf", because that one had  
incorrect header information. So it downloads site B's font and uses  
it wherever site B tells it to on site B.

Actually, the encryption part would not even be needed.

> Brad Kemper wrote:
>> Thank you so much for delineating my options. That's not what I was
>> looking for though. I thought we were discussing the technical issues
>> surrounding the permanence and "sharability" of fonts.
>
> My point was that you’re using UA UI issues and user ignorance/ 
> paranoia regarding that UI as an argument to design a specification  
> around and I think that that is a poor idea. The only real issue  
> here is that you’re afraid of scaring off users by referencing a  
> non‐HTTPS URI and, thus, invoking a security dialog and I disagree  
> that that’s enough cause to accept the risks imposed by allowed  
> “sharability”.

You are entitled to your opinion, however wrong it is.  ;)

Actually what I am suggesting is an enhancement that addresses two of  
the areas of greatest concern to people, as revealed in survey after  
survey: speed and security.

Security: Security concerns is always the most common reason people  
give for not using e-commerce and/or online banking. I work for a  
large credit union, and we just are not going to do something that  
causes security alerts to pop up whenever they sign into home banking.  
Maybe for your site it is no big deal, but for us, and many, many like  
us, that just isn't an option if we can avoid it.

Speed: Also, I would very much like to use @font-face, but if the page  
fails to render for a couple minutes while a font downloads over a  
dial-up connection... well, that's just not an option either (which is  
why I was curious as to if WebKit does any kind of progressive  
rendering). Our call center would immediately be filled with calls  
from irate members, and my boss would want to know what I was smoking.

However, if a downloaded font could attain permanence in the UA  
without being able to mess up other sites in ways they didn't expect,  
then that would be a huge improvement. How is that not worthy of  
consideration? In that case, a considerable amount of bandwidth would  
be saved throughout the net, a potential speed hit would not have to  
take place more than once per font per person's UA, and authors  
concerned about speed could pick fonts based on their popularity on  
other sites (to avoid the likelihood of forcing a new download) rather  
than just picking from the handful that are common to most OS's.

That seems like a pretty significant gain. You say you don't want to  
accept the risks, but you are unwilling to even explore ideas for  
removing those risks? I think it is worthy of further discussion and  
investigation.
Received on Wednesday, 16 April 2008 15:19:26 UTC