w3c / IFT

W3C Incremental Font Transfer

Minimum patch sizes? #207

Open pes10k opened 1 week ago

pes10k commented 1 week ago

This issue is being filed as a part of the requested PING horizontal review

I wasn't able to find any guidance in the spec about which fonts should have which minimum patch sizes. This seems like a regression from the spec when it was previously reviewed, when the spec mentioned which code points required a minimum level of obfuscation (through minimum patch size), and what that minimum patch size was.

Have I missed this in the current spec, and the current version of the spec does require equivalent protections, just phrased or encoded differently? Are the previously included protections no longer needed because of other, new protections? Or is this a regression (and if so, intended or unintended)?

svgeesus commented 1 day ago

Thanks for starting the PING review!

One key difference between the current IFT specification and the previous two approaches is that the patches are pre-computed by the application that generates the IFT font.

This means they are the same for everyone (with a corresponding increase in cache usage and a decrease in privacy leaking) and do not need a smart server; these are just static files.

This is in contrast to the old Patch/Subset approach, where patches were computed dynamically on demand by the server. A malicious server could have been set up to infer what content was being read by a user, based on the sequence of patch requests. That was the reason for the minimum patch size requirement, to obfuscate that potential tracking vector.

The current spec does mention the impact of too-small patch sizes, in Reducing the Number of Network Requests, but here the concern is network performance degradation.

svgeesus commented 1 day ago

In addition, from Content inference from character set:

More specifically, an IFT font includes a collection of unicode code point groups and requests will be made for groups that intersect content being rendered. This provides information to the hosting server that at least one code point in a group was needed, but does not contain information on which specific code points within a group were needed.
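To make the "code point groups" point above concrete, here is an added toy model (not code from the IFT spec or the w3c/IFT repository) of what a client requests and therefore what the hosting server can observe. The group ranges are constructed for illustration; a real IFT font defines its own groups and patch URLs.

```python
# Added illustration, not part of the IFT spec or the w3c/IFT project: a toy
# model of the static, pre-computed "one patch per code point group" scheme.
from typing import Dict, List, Set

# Constructed example groups (assumption for this demo): each group covers a
# contiguous range of code points and is served as one static patch file.
GROUPS: Dict[int, range] = {
    0: range(0x0020, 0x0080),  # Basic Latin
    1: range(0x00A0, 0x0100),  # Latin-1 Supplement
    2: range(0x0370, 0x0400),  # Greek and Coptic
    3: range(0x0400, 0x0500),  # Cyrillic
    4: range(0x4E00, 0x5200),  # slice of CJK Unified Ideographs
}


def groups_for_text(text: str, groups: Dict[int, range] = GROUPS) -> Set[int]:
    """Ids of the groups that intersect the code points in `text`.

    A client requests one static patch per group here, so this set is also
    the entirety of what the hosting server learns from the request pattern.
    Code points outside every group are simply not covered by this toy font.
    """
    needed: Set[int] = set()
    for ch in text:
        cp = ord(ch)
        for gid, rng in groups.items():
            if cp in rng:
                needed.add(gid)
                break
    return needed


def server_view(text: str) -> List[int]:
    """The sorted list of patch requests the server would see for `text`."""
    return sorted(groups_for_text(text))


def indistinguishable(a: str, b: str) -> bool:
    """True when two texts trigger identical patch requests, i.e. the server
    cannot tell them apart from the request sequence alone."""
    return groups_for_text(a) == groups_for_text(b)


def min_group_size(text: str) -> int:
    """Size of the smallest group hit by `text`: a lower bound on how many
    distinct code points a single observed request could stand for."""
    return min(len(GROUPS[g]) for g in groups_for_text(text))
```

Because the patches are static, two pages that touch the same groups produce the same requests regardless of which characters inside each group they actually use; group size, not patch size, is what bounds the server's resolution here.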