Fonts are installed on your operating system to make on-screen text more legible. Every computer has a default set of fonts, but you can install new ones at any time.
When you install a new application on your machine, it may install new fonts as well so that its text is displayed nicely.
On Windows-based machines, fonts are stored as .ttf and .otf files.
A browser can also use different fonts when it displays a website, which is why different websites can have different designs. If a website is built with a specific font that is not installed on your computer, your browser may use the default font installed on the computer to show that text instead.
How can websites utilize font fingerprinting?
Because different users can have different sets of fonts installed on their computers, the set of installed fonts can be used as a distinguishing signal. If 2 visitors have the same fonts installed on their devices, they may be visiting from the same computer, and that can be a red flag for your online accounts.
Let’s see how a website can obtain the list of installed fonts.
Before 2020, browsers could use Flash (a multimedia platform) to get information about the installed system fonts. Modern browsers no longer support Flash, so websites have found another way to do font fingerprinting.
This method uses CSS (Cascading Style Sheets) and JavaScript to determine which fonts are installed on a machine.
A basic test forces your browser to draw a specific text with the default font installed on the machine (most often Arial) and with another ~150 different fonts. The website can check how much space each text takes by measuring the string's width. When a text cannot be drawn with the font the website asked for, because that font is not installed on your machine, it is displayed with the default font. So each font whose text takes the same space as the text drawn with the default font is most likely not installed on the computer.
Modern operating systems ship with plenty of preinstalled fonts, and modern browsers cannot obtain the complete list of installed fonts. A test that checks "only" 150 fonts may therefore show no difference between 2 computers that actually have 2 different sets of fonts.
An example: User 1 has fonts A and B. User 2 has fonts A and C. Both visit a website that checks for fonts A and D. In this case, both users will have the same hash code even though they have different fonts installed on their computers.
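The width-comparison test and the User 1 / User 2 collision described above, as an added JavaScript simulation that is not code from the original page or from Kameleo. The pixel widths, the font names A to E and the FNV-1a hash are constructed for illustration; in a browser the widths would come from measuring rendered text.

```javascript
// Constructed model: rendered width (px) of one probe string per font.
// "E" is a hypothetical font whose metrics match the default font exactly.
const FONT_WIDTHS = { Default: 412, A: 398, B: 431, C: 405, D: 420, E: 412 };

// Simulates the browser: draw with the requested font if it is installed,
// otherwise fall back to the default font.
function renderedWidth(requested, installed) {
  const used = installed.has(requested) ? requested : "Default";
  return FONT_WIDTHS[used];
}

// The width test: a probed font counts as installed only if its text
// width differs from the default-font baseline.
function detectFonts(probeList, installed) {
  const baseline = renderedWidth("Default", installed);
  return probeList.filter((f) => renderedWidth(f, installed) !== baseline);
}

// FNV-1a 32-bit hash over the sorted detected list (a stand-in for
// whatever hash a site computes over its results).
function fingerprint(probeList, installed) {
  const text = detectFonts(probeList, installed).sort().join(",");
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

const user1 = new Set(["A", "B"]); // User 1 from the example above
const user2 = new Set(["A", "C"]); // User 2 from the example above

// Probing only A and D: both users report just "A", so the hashes collide.
console.log(fingerprint(["A", "D"], user1), fingerprint(["A", "D"], user2));

// A wider probe list separates them: "A,B" versus "A,C".
const wide = ["A", "B", "C", "D"];
console.log(fingerprint(wide, user1), fingerprint(wide, user2));

// Limit of the width test: an installed font with default-identical
// metrics is reported as missing.
console.log(detectFonts(["E"], new Set(["E"])));
```

The last call shows why the text says "most likely": equal width is only indirect evidence that a font is absent.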
Should I worry about having the same font fingerprint hash?
To summarize the nature of font fingerprinting described above: it is really hard for a website to determine whether 2 visits are actually coming from the same computer if those computers have the same OS. However, font fingerprinting can be used to determine the OS of the visiting browser. If you want to use a fingerprint browser, you need to make sure that your font fingerprint is aligned with the OS that sites can read through other fingerprinting technologies.
Kameleo can take care of font fingerprinting
When someone is trying to spoof his browser fingerprint without a professional tool, he may screw up the consistency of his browser fingerprint. For example, if you want to have a natural-looking Chinese browser profile, then websites should see Chinese fonts installed on your OS. Free privacy tools are not so sophisticated.
Kameleo makes this possible and you won’t have to fear font fingerprinting anymore. See how font spoofing works.