/Tracking/Fingerprinting/active/canvas_font/

• $ fingerprint@info:~ echo $CANVAS-FONT

• Name:

  Canvas Font Fingerprinting
  

  Original feature purpose:

  The Canvas API provides a means for drawing graphics via JavaScript and the HTML <canvas> element. Among other things, it can be used for animation, game graphics, data visualization, photo manipulation, and real-time video processing. For more details see e.g. MDN web docs

  
  

  FP-Explanation:

  Many different fonts exists to enrich the web typography. Web browsers only support a portion of the available fonts - but each browser, version or system supports a different portion. A font support test with an extensive font collection is known as "Font Detection" and can be made with JavaScript, CSS or Flash.
  But Font Detection can also be made with Canvas:
  The TextMetrics interface can be used to evaluate if a specified font is available on the client's browser, because this object contains the width of a measured text.
  First, the Canvas API method measureText is called on an oversized (80px) fake font (a font that does not exist for sure) with the full ASCII-Set, which is the string of which the Canvas element will measure the width, to trigger the default fallback-font on error (font not available).
  The width is calculated with an accuracy of 12 decimal places (but with font size 80px only 1 decimal place would still be fine). This width of the oversized fake font is saved and utilized as baseline for later comparisons. Now TextMetrics of more than 1400 distinct fonts are calculated and each compared with the baseline. If the baseline width (fake font) and the test font width are equal, then the font is not supported. Otherwise the client supports this font. The Canvas font fingerprint is a hash of all detected fonts supported by the client's browser, which varies across browser, browser versions and systems.
  
  The Canvas font fingerprint resembles the Canvas fingerprint, but is more stealthy: It does not actually extract canvas generated data (no use of the methods toDataURL, toBlob or getImageData). This means, Canvas blockers, which block or spoof these methods, will fail to block Canvas font fingerprinting. Canvas font fingerprinting can only be stopped, if the Canvas API is blocked completely or the measureText method is altered.
  
  As a side-effect, installed software on the target system can be detected: This is done by checking fonts, which are only installed by specific software. For example, OpenOffice installs the font OpenSymbol.
  Depending on the software, it is even possible to differentiate the version. For instance, TeamViewer releases a new font with each major update.
  (... TeamViewer11, TeamViewer12, TeamViewer13, ... )

  
  

  FP-Type:

  active
  

  FP-Categories:

  js, html5, hardware-dependent, software-dependent, unchanged-consistent
  

  Counter-measures:

  Canvas elements can only be blocked on browser-level - either by an browser-specific Canvas-Blocker Addon or by browser vendor features.

  • From Firefox 58: Canvas data extraction needs user permission or is automatically spoofed
    Explanation: A website cannot use Canvas elements for fingerprinting any more
    Explanation: (blocked or spoofed Canvas API)
    Info: Only if the setting 'privacy.resitFingerprinting' is set to 'true'
    Problem: The latest Anti-Canvas-Fingerprinting (FF Version 64) does NOT stop Canvas Font Fingerprinting
    
  
  
  • Installing/Uninstalling software/fonts
    Explanation: This will lead to a different set of detected fonts, hence another fingerprint
    Info: There are multiple consistent tracking techniques
    Problem: Consistent tracking techniques can sync and update/restore each other
  
  

  Publications/References:

  • Canvas Fingerprinting: fonts (Tor Bug Tracker)
  • S Englehardt, Online Tracking: A 1-million-site Measurement and Analysis (2016)
  • AudioContext Fingerprinting Test Page
  • Sites with canvas-font fingerprinting scripts (Princeton Web Census)
  
  
• $ fingerprint@info:~ run canvas-font-demo

Demo:

>> Jump to Canvas Font Fingerprinting Demo <<