Ognjen Regoje

Fingerprinting without JS: telling a user's OS using type-faces

#ethics #privacy

I found the Fingerprint.js article about browser fingerprinting without JavaScript very interesting. I don’t have much experience with fingerprinting, and the article explained the entire process well.

I found getting close to telling a user’s operating system using font-family attributes the most interesting.

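You declare a new @font-face whose src first tries to load an OS-specific built-in type-face with local(). After it, you set a backup URL, which the browser requests only if that font is not present on the machine.

Therefore, if the server sees a request for the backup URL, the font is missing and you can eliminate that OS.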

Of course, the limitation is that users can install other operating systems’ fonts. But within the context of fingerprinting and when used in concert with other signals, it’s very clever.

Here are all the font-face signals from the demo:

@font-face { font-family: 'Roboto'; src: local('Roboto'), url('/signal/eyJeVGJd537zAYoO/robotoFontAbsence/') format('truetype') }
@font-face { font-family: 'Ubuntu'; src: local('Ubuntu'), url('/signal/eyJeVGJd537zAYoO/ubuntuFontAbsence/') format('truetype') }
@font-face { font-family: 'Calibri'; src: local('Calibri'), url('/signal/eyJeVGJd537zAYoO/calibriFontAbsence/') format('truetype') }
@font-face { font-family: 'MS UI Gothic'; src: local('MS UI Gothic'), url('/signal/eyJeVGJd537zAYoO/msUiGothicFontAbsence/') format('truetype') }
@font-face { font-family: 'Gill Sans'; src: local('Gill Sans'), url('/signal/eyJeVGJd537zAYoO/gillSansFontAbsence/') format('truetype') }
@font-face { font-family: 'Helvetica Neue'; src: local('Helvetica Neue'), url('/signal/eyJeVGJd537zAYoO/helveticaNeueFontAbsence/') format('truetype') }
@font-face { font-family: 'Arimo'; src: local('Arimo'), url('/signal/eyJeVGJd537zAYoO/arimoFontAbsence/') format('truetype') }

Brilliant.
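To see which rules in a stylesheet behave this way, here is an added example (not from the Fingerprint.js demo or this post) that audits CSS text for @font-face rules acting as font-presence probes. The function name `findFontProbes`, the heuristic (a local() source followed by a url() fallback that is not a font file) and the third sample rule are assumptions of this example.

```javascript
// Added example: audit a stylesheet for @font-face rules that act as
// font-presence probes. Heuristic (an assumption of this example): the src
// list tries local(...) first, then falls back to a url() that does not
// point at a font file, so the request itself is the signal.
const FONT_FILE = /\.(woff2?|ttf|otf|eot)([?#].*)?$/i;

function findFontProbes(css) {
  const probes = [];
  for (const rule of css.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const body = rule[1];
    const family = /font-family\s*:\s*(['"]?)([^;'"]+)\1/i.exec(body);
    const src = /src\s*:\s*([^;]+)/i.exec(body);
    if (!src) continue;

    const locals = [];
    // Walk the src entries in order; format(...) hints are ignored.
    for (const m of src[1].matchAll(/(local|url)\(\s*(['"]?)(.*?)\2\s*\)/gi)) {
      const kind = m[1].toLowerCase();
      const value = m[3];
      if (kind === 'local') {
        locals.push(value);
      } else if (locals.length > 0 && !FONT_FILE.test(value)) {
        // Fallback is only fetched when every local() font is missing.
        probes.push({ family: family ? family[2].trim() : null, locals, url: value });
        break;
      }
    }
  }
  return probes;
}

// Sample input: two rules from the demo above, plus one constructed rule
// that uses local() with a real font file as fallback (ordinary usage).
const SAMPLE_CSS = [
  "@font-face { font-family: 'Roboto'; src: local('Roboto'), url('/signal/eyJeVGJd537zAYoO/robotoFontAbsence/') format('truetype') }",
  "@font-face { font-family: 'Ubuntu'; src: local('Ubuntu'), url('/signal/eyJeVGJd537zAYoO/ubuntuFontAbsence/') format('truetype') }",
  "@font-face { font-family: 'Body'; src: local('Inter'), url('/fonts/inter.woff2') format('woff2') }",
].join('\n');

for (const p of findFontProbes(SAMPLE_CSS)) {
  console.log(`probe for "${p.locals.join(', ')}" reports to ${p.url}`);
}
```

The heuristic misses a probe whose fallback URL is given a font file extension, so treat a clean result as a hint rather than proof.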