FontEnigma
Comments
-
If you type the alphabet in one direction, the obfuscation in the opposite direction will become clear when you copy the result into a text editor. Evib~dvoo~hklggvw}
Here is the link to a test layout. Green cursor is the upper (operable) element – here you see only cursor. Blue text is the lower element with displayed font – the text is copied here with JavaScript.
https://jsfiddle.net/4p8zgfhx/
Explanation.
Place two text elements above each other (absolutely positioned inside the container), with the same font size and line height (to synchronise the caret position). The lower text element is the rendered font with obfuscation, which the user will see. The upper text element is the transparent font without obfuscation (and with empty glyphs), which the user operates. The top element should have transparent text but a visible caret. Both fonts should have the same horizontal metrics (for the displayed letter) to synchronise the caret. Then use JS to copy text from the user-operable upper element to the lower element.
-
Simon Cozens said:
Exactly. What does "protecting against the casual attacker" mean when the attack method of the casual attacker is to simply download the font from a web site where it's been provided by the sophisticated attacker?

Well, one may not be able to protect against the sophisticated attacker cracking any technical means of copy protection one might be attempting to use with one's font.

But one can certainly make use of things like DMCA takedown requests when one's cracked font is appearing on somebody's web site. That would be protection against the casual attacker.

Another example of protecting against the casual attacker would be to insist that people using the font for a web site use some copy protection mechanism. However, my understanding is that these days the most commonly used browsers don't support copy protection for web fonts any longer; and back when they did, each browser supported a different scheme. Absent a means of copy protection, one just looks at the page source, then the CSS file source if necessary, and downloads the font, which is within the abilities of a casual attacker.
-
John Savard said:
However, my understanding is that these days the most commonly used browsers don't support copy protection for web fonts any longer; and back when they did, each browser supported a different scheme. Absent a means of copy protection, one just looks at the page source, then the CSS file source if necessary, and downloads the font, which is within the abilities of a casual attacker.

So all these discussed techniques can only give an initial effect on the font market / type tester website, until the font is purchased.

John Savard said:
But one can certainly make use of things like DMCA takedown requests when one's cracked font is appearing on somebody's web site. That would be protection against the casual attacker.

Usually, by that time the font has already been downloaded many times, most of which occur in the first few days.
Another idea that requires some technical resources (startup for some enthusiasts) is to have a database of malicious addresses (where fonts are usually leaked) and automatically scan it regularly for certain font names. It sounds crazy, but who knows what the future holds. In a better world where governments were concerned about this, some anti-crime agency would be handling all of this. In a better world.
-
Hi Michael, although I find it hard to imagine a scenario where users need to copy readable text from the type tester, maybe hiding the obfuscation at first sight would be useful, and implementing it should not be too difficult. The current version of FontEnigma (which uses a somewhat more complex obfuscation than the initial release) already translates pasted text on the fly. The reverse should also be possible by intercepting the copy event and replacing the selection with decoded text before it is written to the clipboard. I will give this a try in the near future.
-
The latest version of FontEnigma now decodes text copied or cut from the type tester. So instead of getting obfuscated strings like ‘U§ir€’ when copying something like ‘E=mc²’, you now get the actual readable text as displayed.

It might not be a game-changer, but it definitely makes things a bit neater and more user-friendly.
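The clipboard handling described in the two posts above, as an added example that is not part of the thread and not FontEnigma's own code. It assumes a textarea and a hypothetical reversed-alphabet table (A↔Z, a↔z) modelled on the first comment; the current FontEnigma mapping is stated to be more complex, and all function names here are illustrative.

```javascript
// Hypothetical table: letters are mirrored within their case (A<->Z, a<->z);
// every other character passes through unchanged. Not FontEnigma's mapping.
function swapChar(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 65 && c <= 90) return String.fromCharCode(155 - c);  // 'A' + 'Z' = 155
  if (c >= 97 && c <= 122) return String.fromCharCode(219 - c); // 'a' + 'z' = 219
  return ch;
}

// The table is its own inverse, so one function both encodes and decodes.
function translate(text) {
  return Array.from(text, swapChar).join('');
}

// copy / cut: put the readable text on the clipboard instead of the stored string.
function onCopyOrCut(event) {
  const el = event.target;
  const stored = el.value.slice(el.selectionStart, el.selectionEnd);
  event.clipboardData.setData('text/plain', translate(stored));
  event.preventDefault(); // stop the browser from copying the stored string
  if (event.type === 'cut') el.setRangeText(''); // remove the selection ourselves
}

// paste: readable text comes in, the encoded form is what gets stored.
function onPaste(event) {
  const el = event.target;
  const readable = event.clipboardData.getData('text/plain');
  el.setRangeText(translate(readable), el.selectionStart, el.selectionEnd, 'end');
  event.preventDefault();
}

// Wire the handlers to the user-operable element of the type tester.
function attach(el) {
  for (const type of ['copy', 'cut']) el.addEventListener(type, onCopyOrCut);
  el.addEventListener('paste', onPaste);
}
```

Because the decoding table has to be present in the page script for this to work, the mapping is readable by anyone who opens the source, which is the trade-off raised in the reply that follows.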
-
It might not be a game-changer, but it definitely makes things a bit neater and more user-friendly.

And a lot easier to reverse engineer :-)
-
Yes, perhaps a little. However, basically this information was already available, as the submenu shows.
-
In the latest version of FontEnigma, I have added a couple of things to help make it harder to grab the fonts or inspect the page easily.

First, the browser’s context menu is disabled on desktop (both right-click and keyboard). On mobile it is still allowed, otherwise users would not be able to copy and paste text. The oncontextmenu event is also locked on the <body>, in case someone tries to override it.
More importantly, the woff2 font files are now XOR-encrypted, and then decrypted on the fly in the browser using JavaScript. Once decoded, the fonts are loaded using FontFace and referenced via a temporary ‘blob:’ URL, which disappears as soon as the page is refreshed or closed.
I must admit, however, that all of this together only adds up to a small additional hurdle that a serious attacker can undoubtedly get around.
-
In addition, the ‘blob:’ URL now expires immediately.
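A sketch of the loading path described in the last two posts (XOR-encoded woff2, decoded in the browser, registered through FontFace and a short-lived ‘blob:’ URL), as an added example that is not FontEnigma's code. The key, the function names and the repeating-key scheme are assumptions made for illustration.

```javascript
// Constructed placeholder key; the real key and scheme are not given in the thread.
const KEY = Uint8Array.from([0x5a, 0xc3, 0x11, 0x7e]);
const WOFF2_SIGNATURE = [0x77, 0x4f, 0x46, 0x32]; // "wOF2", first bytes of a woff2 file

// XOR with a repeating key; applying it twice restores the input.
function xorBytes(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % key.length];
  return out;
}

// Decode and sanity-check: a wrong key or a truncated download fails here
// instead of handing the browser data it would silently reject.
function decodeFont(encoded, key) {
  const font = xorBytes(encoded, key);
  if (!WOFF2_SIGNATURE.every((b, i) => font[i] === b)) {
    throw new Error('decoded data is not a woff2 file');
  }
  return font;
}

// Browser only: fetch the encoded file, decode it, load it via a blob: URL,
// then revoke the URL so it stops resolving once the font is registered.
async function loadObfuscatedFont(family, url, key = KEY) {
  const encoded = new Uint8Array(await (await fetch(url)).arrayBuffer());
  const blob = new Blob([decodeFont(encoded, key)], { type: 'font/woff2' });
  const blobUrl = URL.createObjectURL(blob);
  try {
    const face = await new FontFace(family, `url(${blobUrl})`).load();
    document.fonts.add(face);
    return face;
  } finally {
    URL.revokeObjectURL(blobUrl);
  }
}
```

The key and the decoding routine are delivered to every visitor along with the page, so this obscures the file on the wire and in the cache rather than protecting it, consistent with the author's own assessment above.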