da2x / fluxfonts

A unique tool that blurs your device’s unique font fingerprint by continuously installing and uninstalling new fonts that are generated on the fly.
https://www.ctrl.blog/entry/fluxfonts.html

Glyphs not spoofed #13

Open Kraxys opened 1 year ago

Kraxys commented 1 year ago

Just realized that this program got several updates in the last months :+1:

I installed the last 2.2 version on W10, and tested with a non-customised FF Portable 104.

The app seems to work quite well.

Maybe 2 things you could improve:

1) the delay between 2 font spoofings varies from 2 min to 40 min.... Could you make the upper limit adjustable (at least for testing purposes... it's really a pain to have to wait sometimes 40 min when testing).

2) Tests on browserleaks show that the font fingerprint varies, but the unicode glyphs fingerprint always remains the same. Wouldn't there be a way to spoof it too?

da2x commented 1 year ago

the delay between 2 font spoofings varies from 2 min to 40 min.... Could you make the upper limit adjustable (at least for testing purposes... it's really a pain to have to wait sometimes 40 min when testing).

No. For testing purposes, you can change the interval and compile a test copy. It’s not a feature anyone will ever use, so it would only add cruft. The number of fonts to generate is set here and the wait interval here.

The randomized interval is a compromise for power saving and doesn’t contribute (much) to the fingerprinting protection. It’s impossible to predict when the next fingerprint will be sampled. Ideally, the app should continuously be spewing out new fonts all the time. But that would be pointless 99.99999999% of the time, waste resources, and decrease the lifetime of your device. So, the program picks a wait interval at random and goes to sleep. The average wait time is 11 minutes on mains power and 21 minutes on battery. (Battery detection doesn’t work on Windows, so you’re always assumed to be on A/C.)

Tests on browserleaks show that the font fingerprint varies, but the unicode glyphs fingerprint always remains the same. Wouldn't there be a way to spoof it too?

The fonts don’t contain any glyphs at all, so this is the expected result. They just contain the metadata required to be recognized as a valid font with a unique randomized name. That test extracts a few characters from your browser’s default fonts of different styles and fingerprints them. You’d never set a font generated by Fluxfonts to be your default font, so it won’t modify that fingerprint.

The most common fingerprinting method is to iterate the installed fonts by name and fingerprint the resulting list. That’s the only scenario Fluxfonts protects against.
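As an added illustration of the two tests discussed in this thread (example code, not part of the Fluxfonts project): a small Python simulation that hashes the installed-font name list, which changes each time a random-named Fluxfonts font is swapped in, and hashes glyphs of the browser's default fonts, which the rotation never touches. The font names, glyph bytes, the "fluxfont-" name format and the uniform wait-interval draw are constructed assumptions; only the 11 and 21 minute averages come from the reply above.

```python
import hashlib
import random

# Constructed sample data (not from Fluxfonts): a few "installed" font names and
# stand-in bytes for rendered glyphs of the browser's default sans/serif fonts.
BASE_FONTS = {"Arial", "Calibri", "Segoe UI", "Times New Roman"}
DEFAULT_FONT_GLYPHS = {
    "sans-serif": b"<outline of 'Abc' rendered in Segoe UI>",
    "serif": b"<outline of 'Abc' rendered in Times New Roman>",
}

def font_list_fingerprint(installed):
    """Enumeration method: hash the sorted list of installed font names."""
    names = "\n".join(sorted(installed)).encode()
    return hashlib.sha256(names).hexdigest()

def glyph_fingerprint(default_glyphs):
    """Glyph method: hash rendered characters of the default fonts only.
    Installed-font names play no part, so extra fonts cannot change it."""
    data = b"".join(default_glyphs[k] for k in sorted(default_glyphs))
    return hashlib.sha256(data).hexdigest()

def fluxfonts_rotation(installed, rng, prefix="fluxfont-"):
    """One cycle: uninstall the previously generated font and install a fresh
    metadata-only font under a random name (the prefix format is hypothetical)."""
    kept = {f for f in installed if not f.startswith(prefix)}
    kept.add(prefix + f"{rng.getrandbits(64):016x}")
    return kept

def wait_interval_minutes(rng, on_battery=False):
    """Assumed uniform sleep interval whose mean matches the stated averages:
    2..20 min on mains (mean 11), 2..40 min on battery (mean 21)."""
    return rng.uniform(2, 40 if on_battery else 20)

def mean_wait_minutes(samples=20000, on_battery=False, seed=0):
    rng = random.Random(seed)
    return sum(wait_interval_minutes(rng, on_battery) for _ in range(samples)) / samples

def simulate(cycles=5, seed=1):
    """Run several rotations and collect both fingerprints after each one."""
    rng = random.Random(seed)
    installed = set(BASE_FONTS)
    list_fps, glyph_fps = [], []
    for _ in range(cycles):
        installed = fluxfonts_rotation(installed, rng)
        list_fps.append(font_list_fingerprint(installed))
        glyph_fps.append(glyph_fingerprint(DEFAULT_FONT_GLYPHS))
    return list_fps, glyph_fps
```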