Fonts are installed on your operating system to help make on-screen text more legible. There is a default set of fonts on every computer, but you can install new ones at any time.
When you install a new application on your machine, it may install new fonts as well, so that text is displayed nicely.
On Windows-based machines, fonts are stored as .ttf and .otf files.
When the browser displays a website, it can also use different fonts, which is why different websites can have different designs. If a website is created with a specific font that is not installed on your computer, your browser may fall back to the default font installed on the computer to show that text.
How can websites utilize font fingerprinting?
Because different users can have different sets of fonts installed on their computers, the installed font set can be used as a distinguishing signal. If 2 visitors have the same fonts installed on their devices, they may be visiting from the same computer, and it can be a red flag for your online accounts.
Let’s see how a website can obtain the list of installed fonts.
Before 2020, browsers could use Flash (a multimedia platform) to get information about the installed system fonts. Modern browsers no longer support Flash, so websites have found another way to do font fingerprinting.
A basic test forces your browser to draw a specific text with the default font installed on the machine (most often Arial) and with another ~150 different fonts. The website can then check how much space each text takes. When a text cannot be drawn with the font defined by the website because that font is not installed on your machine, it is displayed with the default font. So each font whose text takes the same space as the text drawn with the default font is most likely not installed on the computer.
Modern operating systems ship with plenty of preinstalled fonts, and modern browsers cannot obtain the explicit, complete list of installed fonts. A test that checks “only” 150 fonts may therefore not show any difference between 2 computers that actually have 2 different sets of fonts.
An example: User 1 has fonts A and B. User 2 has fonts A and C. Then they visit a website that checks for fonts A and D. In this case, both users will have the same hash code even though they have different fonts installed on their computers.
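The width comparison and the A/B/C/D collision described above can be reproduced in a small simulation. This is an added example, not code from the original page: it models the browser's font fallback instead of using the DOM, and the font names, pixel widths and the FNV-1a hash are constructed assumptions. It also goes one step beyond the text by showing an installed font (E) that the test misses because it is exactly as wide as the default.

```javascript
// Simulation of width-based font detection (no DOM needed).
// All font names and pixel widths below are constructed, not real metrics.
const DEFAULT_FONT = 'Arial';
const WIDTHS = { Arial: 300, A: 312, B: 287, C: 331, D: 295, E: 300 };

// Model the browser: draw with the requested font if it is installed,
// otherwise fall back to the default font. Returns the text width in px.
function measure(requested, installed) {
  const used = installed.has(requested) ? requested : DEFAULT_FONT;
  return WIDTHS[used];
}

// A probed font is reported as installed only when its text width
// differs from the width of the same text in the default font.
function detectFonts(probeList, installed) {
  const baseline = measure(DEFAULT_FONT, installed);
  return probeList.filter((font) => measure(font, installed) !== baseline);
}

// FNV-1a (32-bit) as a stand-in for whatever hash a site applies.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprint(probeList, installed) {
  return fnv1a(detectFonts(probeList, installed).sort().join(','));
}

const user1 = new Set(['Arial', 'A', 'B']);
const user2 = new Set(['Arial', 'A', 'C']);

// Probe list from the text (A and D): both users collapse to the same hash.
console.log(fingerprint(['A', 'D'], user1) === fingerprint(['A', 'D'], user2));
// A wider probe list that covers B and C separates them.
const wide = ['A', 'B', 'C', 'D'];
console.log(fingerprint(wide, user1) === fingerprint(wide, user2));
// Edge case: E is installed but as wide as the default, so it is missed.
console.log(detectFonts(['E'], new Set(['Arial', 'E'])));
```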
Kameleo can take care of font fingerprinting
When someone is trying to spoof his browser fingerprint without a professional tool, he may screw up the consistency of his browser fingerprint. For example, if you want to have a natural-looking Chinese browser profile, then websites should see Chinese fonts installed on your OS. Free privacy tools are not so sophisticated.
Kameleo makes this possible and you won’t have to fear font fingerprinting anymore.