Webfont Obfuscation: An interim solution?

paul.irish's picture

While we are waiting for WOFF support broadly, there are some protective measures available for webfonts to prevent them from being installed locally.

There is a technique of obfuscating the name table, rendering it unusable as a system font, but fully functional as a webfont. Ethan Dunham of Font Squirrel and Fontspring has led much of the research below, based on some prior work from Peter Bilak of Typotheque and Philip Taylor with his Font Optimizer [0]

Specifically, these are the modifications for a TrueType font:

  • Delete all name entries except for platformID 3, platEncID 1, LangID 0x0409
  • Set entry 1 (Font Family) to '' (empty string)
  • Set entry 2 (Font Subfamily) to a unicode smiley:☺ [1]
  • Set entry 3 (Unique ID) to '' (empty string)
  • Set entry 4 (Full name) to smiley:☺
  • Entry 5 (Version) may optionally be changed. Ethan recommends inserting some verbiage about the font being protected. It shows up in the get info window on Mac
  • Set entry 6 (Postscript name) to smiley:☺
  • Entries 7-14 can remain as is
  • Delete entries 15+

Create two Mac entries: platformID 1, platEncID 0, LangID 0x0

  • Set entry 1 to blank (basically have an entry but no value)
  • Set entry 4 to the Font Name (optional but will show up in Get Info)

When the Font Family name is an empty string, it is uninstallable in Windows. Meanwhile, the OpenType spec indicates that two-byte unicode characters (like the smiley) won't work in a font name on Mac at all. [2] As a result, it's rejected by OS X and not possible to install. Linux isn't able to cope with these modifications either. [3]

These changes are done not only to the TrueType "naked" font, but can also be applied to the underlying TTF embedded in the EOT and WOFF files as well. It's also worth noting that Chrome's font sanitizing library OTS completely avoids the name table. [4]

I believe all non-free fonts should employ these changes as they are distributed for web use, essentially providing them with a similar "garden fence"-level of protection [5] as WOFF. Fontspring is already employing this technique, and you can test it out with the WebOnly option at the Font Squirrel generator [6].

If you guys think this is worthwhile, I'd love to help draft this up into something more official so it's a documented standard that all foundries can use when preparing their work for sale as a webfont.

[0] http://bitbucket.org/philip/font-optimizer/src/tip/obfuscate-font.pl
[1] http://www.fileformat.info/info/unicode/char/263a/index.htm
[2] http://www.adobe.com/devnet/opentype/afdko/topic_feature_file_syntax.html#9.e
[3] http://paulirish.com/i/LinuxWebfont.png
[4] http://code.google.com/p/ots/source/browse/trunk/src/name.cc#23
[5] http://lists.w3.org/Archives/Public/www-font/2010AprJun/0061.html
[6] http://www.fontsquirrel.com/fontface/generator

Edit: Clarified the Windows installability reason. Worth noting: when the full name doesn't match Font Family + subfamily, it is uninstallable in Windows, however they match with this above technique, which is why the EOTs with this modification still work. (thx Ethan)
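A check a foundry could run before shipping a web-only font, verifying that a `name` table follows the list of modifications in the post above. This is an added example, not code from the post, Font Squirrel or Font Optimizer. It works on the raw bytes of a format-0 `name` table (pulling that table out of a TTF, EOT or WOFF is assumed to be done elsewhere), and the "Example Sans" tables are constructed samples.

```python
import struct

SMILEY = "\u263a"            # U+263A, the smiley the post puts in entries 2, 4, 6
WIN = (3, 1, 0x0409)         # platformID, platEncID, LangID kept by the recipe
MAC = (1, 0, 0x0)            # the two Mac entries the recipe creates

def _codec(platform_id):     # Mac platform strings are treated as Mac Roman here
    return "mac_roman" if platform_id == 1 else "utf-16-be"

def build_name_table(records):
    """Constructed-sample helper: pack {(plat, enc, lang, nameID): text} as format 0."""
    recs, blob = b"", b""
    for (plat, enc, lang, nid), text in sorted(records.items()):
        raw = text.encode(_codec(plat))
        recs += struct.pack(">6H", plat, enc, lang, nid, len(raw), len(blob))
        blob += raw
    return struct.pack(">3H", 0, len(records), 6 + len(recs)) + recs + blob

def parse_name_table(data):
    """Parse a format-0 'name' table into {(plat, enc, lang, nameID): text}."""
    if len(data) < 6 or data[:2] != b"\x00\x00":
        raise ValueError("too short or not a format-0 name table")
    count, str_off = struct.unpack_from(">2H", data, 2)
    if 6 + 12 * count > len(data):
        raise ValueError("truncated record array")
    names = {}
    for i in range(count):
        plat, enc, lang, nid, length, off = struct.unpack_from(">6H", data, 6 + 12 * i)
        start = str_off + off
        if start + length > len(data):
            raise ValueError(f"record {i} points outside the table")
        names[(plat, enc, lang, nid)] = data[start:start + length].decode(_codec(plat), "replace")
    return names

def audit(data):
    """Return the ways a name table departs from the recipe in the post."""
    names, problems = parse_name_table(data), []
    win = {k[3]: v for k, v in names.items() if k[:3] == WIN}
    mac = {k[3]: v for k, v in names.items() if k[:3] == MAC}
    for key in sorted(names):
        if key[:3] not in (WIN, MAC):
            problems.append(f"stray record {key}")
    for nid in (1, 3):
        if win.get(nid) != "":
            problems.append(f"Windows entry {nid} should be an empty string")
    for nid in (2, 4, 6):
        if win.get(nid) != SMILEY:
            problems.append(f"Windows entry {nid} should be the smiley")
    problems += [f"Windows entry {n} should be deleted" for n in sorted(win) if n >= 15]
    if mac.get(1) != "":
        problems.append("Mac entry 1 should be present but blank")
    problems += [f"unexpected Mac entry {n}" for n in sorted(mac) if n not in (1, 4)]
    return problems

# Constructed samples: "Example Sans" is a made-up family, not a real font.
OBFUSCATED = build_name_table({
    WIN + (1,): "", WIN + (2,): SMILEY, WIN + (3,): "", WIN + (4,): SMILEY,
    WIN + (5,): "Version 1.0; protected webfont", WIN + (6,): SMILEY,
    MAC + (1,): "", MAC + (4,): "Example Sans",
})
UNTOUCHED = build_name_table({
    WIN + (1,): "Example Sans", WIN + (2,): "Regular", WIN + (3,): "Example:Sans:1.0",
    WIN + (4,): "Example Sans Regular", WIN + (6,): "ExampleSans-Regular",
    WIN + (16,): "Example Sans", MAC + (1,): "Example Sans", (3, 1, 0x0407, 1): "Example Sans",
})
```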

Tim Ahrens's picture

Arno:
You are against everything and for nothing. How boring.

Arno Enslin's picture

@ Tim

>You are against everything and for nothing.

I don’t know, from what you conclude that. I am for a free web – a web with almost no control, for browsers that strictly follow the specifications, for OpenSource, for the CSS Zen Garden. For me the web is not primarily a market place. I am interested in a web, that becomes attractive by private sites, investigative journalist, Wikileaks. If the web becomes more attractive, because private sites use commercial fonts without a license, yes, then I am even for font piracy. I am against piracy only in cases, in which pirates earn money in any way (with the pieces of work or with sales of the prey). I am against Steve Jobs, against the government of my country, for honey melons, for Mario Feliciano, for Honduran cigars, for Russian and Polish science fiction, for most blues – from cobalt blue to azure. And for women, that are unshaved in the intimate area (I am damn conservative with regard to that!).

Richard Fink's picture

@arno

>In this case [printing]I would provide different CSS for different media.

I agree. On today's web, print style sheets are a rarity. But for those sites that feature certain kinds of content I believe that will change. And web fonts are a big step towards making that an attractive proposition. I mean, there's just so much Georgia and Times you can stand.
My belief: the mix of HTML/CSS/JavaScript that powers the web will become the primary "desktop publishing" platform as well. Economics will drive it. There is simply no reason to spend the money printing and warehousing a print edition when the print edition can be contained within the "screen edition" and printed as needed by both the publisher OR the reader.

>(Actually) a webfont could not really improve the site because of technical limitations. [http://www.fishmarketing.net]

Untrue - IMHO. They are using background image replacement for headings. It's a pain in the ass compared to using a font. The text is unselectable by the user. And it can create accessibility and search issues. (But I admit, I'm not up on the latest about those two.) Any way you slice it, using images for text is a hack and I'll be glad to see it go.

@ray

>Protecting fonts from being installable in an OS will seem quaint and
>silly in a decade when using fonts for something other than
>the web will be a rarity.

Yup.

Arno Enslin's picture

@ Richard

In case of the website fishmarketing and many of the styles for the CSS Zen Garden a web font could not much improve the impression, that you get from the site. (In case of fishmarketing the letters on the book, the hatchet and the label at the bottom right could not be replaced by a web font.) In all cases, in which letters are really fused with images, web fonts cannot replace image-replacement. Additionally you cannot create the same effects with CSS as with Photoshop. With regard to headlines in a linear design I agree. And if the hinting of body text webfonts is on the same level as the hinting of some of the MS system fonts, other fonts than the system fonts are useful for body text. But in case of the following site the webfont is not an improvement in my opinion: "http://www.engstfeld-weiss.de/". It is just the other way around in case of that site. Except from the font, that does not really look good in body text on screen, the site is ordinary and boring.

With regard to Javascript: I try to avoid it.

Ray Larabie's picture

@ralf
Thanks, I didn't know about the same origin rule in Firefox.

I'm still concerned about hotlinking. I'm not concerned about a few fonts being hotlinkable. I'm concerned about what will happen after a decade of font linking with no protection. Unless it's actually illegal to make a browser that forbids hotlinking, browsers and other apps will eventually display hotlinked fonts. No?

Tim Ahrens's picture

Ray, I think hotlinking prevention is one of the smallest problems in this area of webfont protection. It is very easy to achieve this on the server side, and it is already widely practiced for images.

fontsquirrel's picture

Ray, Tim is right. Hotlinking is so 1990's. It is bad for leechers -- who knows when the resource will be cut off? It is bad for the leechees as it sucks up their bandwidth. Leechers are easily caught and with a simple htaccess change you can shut it off. Nobody tolerates hotlinking as it amounts to stealing.

Tim Ahrens's picture

I was already thinking about font hotlinking pranks. Imagine what you could do with ligatures - changing the leecher's words!

Richard Fink's picture

@typodermic
>Thanks, I didn't know about the same origin rule in Firefox.

+1 to what fontsquirrel and Tim Ahrens said on this.
Also, Firefox defends its same-origin restrictions as a matter of security. And it's running code. As long as even one major browser restricts in this way, hot-linking is severely hampered.
If I had to bet, I think CORS will make it into the final W3C Fonts spec. At the least, it will be a "browsers may" kind of wording and FF will stick with its current policy, for sure.

rich

fontsquirrel's picture

I've done a hotlinking prank, long time ago, when someone was basically linking to all the graphics on fonthead.com. I seem to remember changing everything to really hot pink. Not surprisingly, they stopped.

Richard Fink's picture

@arno

All of what you say about the fishmarketing site is true. If oversimplified in spots.
Web design is still largely about Photoshop and making things "pretty". And the site is very pretty. A digital advertising brochure. (At least the home page.)
But I would ask, "Does it make smart use of the web as a medium?" What does the site look like on a mobile browser? What does it look like on an iPad? Whereas ten years ago it was different browsers that drove web designers crazy, now it's different devices and screen sizes.
We could go on and on about this stuff. One good thing is that a lot of CSS3 is about getting rid of the need for slapping what amounts to a comp with bits of html text positioned on top and calling it a web page.
I just got back from a web design conference and one speaker showed a page that used some of the advanced CSS3 features of Safari and it was great, really. The text looked as good as anything you could cook up in Photoshop and it was just plain HTML text and CSS. And Photoshop isn't going to help you with animations. I wasn't aware how advanced Safari had become.

rich

Arno Enslin's picture

@ Richard

Yes, the fishmarketing site is inflexible. It is a business card.

I don’t know the advanced CSS3 features of Safari, because I had uninstalled it a while ago. Safari was storing its whole setup program with each update and without removing the old setups. And I did not like the rendering engine. So I did not use it for surfing, but for testing my webpages only. But it never was necessary to correct anything in my CSS for Safari, because Safari did make use of it correctly; and therefore I limited my checks to Firefox (my favorite browser), IE and Opera.

I agree with you regarding to the theoretical possibilities, that you have with web fonts. But actually I am uncontended with the quality of most web fonts in body text sizes. Having a web font for body text, would be much more important for me, because with an embedded font you can better control line height, length and font size. But why not to embed Georgia, Verdana or Trebuchet MS? Actually not the new web fonts are interesting for me, but the possibility to embed system fonts. Although it is absurd in my opinion, if a private person, that does not sell anything in the web, shall license one of the MS system fonts. I assume, it is not allowed to embed a MS system font without a special license.

>The text looked as good as anything you could cook up in Photoshop

But probably only, if the text is not fused with an image.

Richard Fink's picture

@arno
>But actually I am uncontented with the quality of most web fonts in body text sizes.

Me too. But let's face it - there's just so many ways you can render a lowercase "a" at 12px. There are just so many pixels and sub pixels you have to work with. It's like designing icons.
I've been scoffed at (yes, scoffed!) for suggesting that a lot would be accomplished if the MS Cleartype fonts would become ubiquitous either through licensing by Apple or by MSFT magnanimously making them available freely through @font-face.
I'm not holding my breath waiting for either to happen.

However, I'm confident that the dozen or so basic body text fonts that are needed will appear. It's just a matter of time now. Before @font-face, you could make them, but how would you distribute them? That's what's changed.

rich

Rob O. Font's picture

>I've been scoffed at [...] for suggesting that [...] if the MS Cleartype fonts would become ubiquitous[...]

Well, today there are scoff laws in effect so I'll tell you the truth. I have heard the pleas for text faces and responded as you'll soon see. Meanwhile... the CT collection is a fine group of fonts. But, in order for a font to actually work as text on "the web" it MUST be Sized and Hinted just right. Anyone with the CT collection and Verdana on the same computer can prove this for themselves.

Cheers!

aaron_carambula's picture

@Ralf, serverside protection is protection like a condom: not foolproof, but better than nothing. Protection is not defined as absolute, unequivocally guaranteed security. That doesn't exist on earth, and certainly not on a computer.

@Arno, you're right, it is hackable, but does require effort and know-how, can be made more difficult with obscure naming, and it voids hot-linking. What version of FireFox are you using? This works for mine (3.6.3) and in Windows, too.
– update: I actually hadn't added the bit for no-cache, should be even stronger now.

Legitimate accessibility is actually the best way to fight piracy. Great fonts available at an aggressive price point (ref. Steve Jobs) through a dead simple interface makes hacking unappealing/difficult/useless. It's a big web, go for volume, make your money, piracy won't matter as much. The goal should be to make legally licensing fonts for the web easier than hacking a site and cobbling together the bits.

If the only way someone can use a good font online is to use it outside of license, it will be done illegally or another font will be used, and foundries will lose that potential money. I'm glad to see so many good services attempting to take on the challenge, I hope more foundries make their work available, right now it's actually a competitive advantage.

Arno Enslin's picture

The first site (I don’t know many), from which I am impressed with regard to the use of a webfont for body text (although this does not mean, that it is very legible, but only surprisingly legible considering the background color): "http://blog.fefe.de/?css=ascii.css"

Si_Daniels's picture

It all makes sense! @ff sole purpose is to bring the Amiga back to life. :-)

Arno Enslin's picture

As I had prognosticated: Your violations of the specs were no hurdle. Meanwhile there are many fonts floating around the web, that were ripped from Typekit. With corrected name table! And during the correction of the name table some of the fonts were probably damaged in a way, that sullies your reputation, because there are many people, that just want to test fonts, before they license them. And if a font does not work as expected, they don’t know, whether the designer or the foundry is responsible for the bugs. Some of them may decide then, that they are better going to license another font from another foundry.

By the way, in case of webfonts, that are illegally used in the web, it is much easier to call the owner of the website to account. So, in a few years, when more people use webfonts, you can probably earn more money, if you surf a bit in the web and send those people, that illegally use your webfonts, a dissuasiveness. From this point of view you just could provide your webfonts for test purposes with the AIM, that they are illegally used. In other words: It may be, that you earn more money, if you do the contraction of that, what you actually are doing.

quadibloc's picture

If I point my browser at a web site, and the web page accesses fonts on that web site, my browser won't give me a link to download those fonts, any more than it gives me a link to download the .css style sheet for the web page.

So if @font-face refers to a font I were going to try to steal, I would need to look at the source of the web page to find the URL, and use a browser that wouldn't say "hey, this is a font, I don't handle that file type" to get it.

That's not casual or accidental piracy already, so you are dealing with people to whom it will likely be trivial to pop the font into a font editor and give it a usable name again. Hence, I can't really see this suggestion as providing much in the way of benefits as an interim solution.

The full-bore web font format where the browser reads encrypted web fonts keyed to a particular URL... is probably the only solution secure enough that fontmakers will find acceptable.

Thomas Phinney's picture

"If I point my browser at a web site, and the web page accesses fonts on that web site, my browser won't give me a link to download those fonts, any more than it gives me a link to download the .css style sheet for the web page."

Urm, that depends on your browser and in some cases what plug-ins you have installed. As has often been discussed, Safari pretty much does hand you the files on a silver platter, including the fonts! For Firefox you can get add-ons to make it do darn near anything. Chrome is headed that way as well.

Cheers,

T

Richard Fink's picture

I wonder at what point this all becomes old news?

1) Few web authors know how to make @font-face work.
2) By and large, the fonts provided by services or licensors don't look good.

And yet there's endless discussion about how to keep the fonts that don't look good out of the hands of the people who don't know how to use them.

It's an interesting phenomenon, really.

Rob O. Font's picture

There is no discussion such as you suggest going on here. In fact, we are about to make more good looking fonts available, and are going to show people how to use those too.

Richard Fink's picture

>There is no discussion such as you suggest going on here. In fact, we are about to make more good looking fonts available, and are going to show people how to use those too.

I don't know who the "we" is, but I wish all concerned much success.

Rob O. Font's picture

And to your yorkies as well.

quadibloc's picture

As I am hoping to apply the @font-face feature to my own web site - using an open-source font, so that there shouldn't be a licensing issue involved; my intention is to avoid requiring viewers of my web site to install a special font for mathematics - I did some web searching.

I found a nice tutorial at

http://www.miltonbayer.com/font-face/

And I also see why there is a problem now.

Internet Explorer supports only one font format - .eot - which is locked to a given web site, and thus which allows licensing. Fortunately for my purpose, I can download WEFT from Microsoft - and I will have to check the license terms of the open-source licenses, just in case I run afoul of a religious war.

Firefox supports .woff which also has some sort of embedding site lock feature, so IE and Firefox do both have safe solutions for licensed fonts. This being like 90%, I would think the problem almost is solved.

Most browsers support .ttf and .otf fonts except for IE, which is good for my application.

Chrome used to only support .svg fonts. I knew that .svg was a vector image format, but I had never even heard of .svg fonts. There's obfuscation for you! But that's been fixed, so one only needs .svg fonts to look good on an iPhone these days.

quadibloc's picture

However, unlike .eot, I see that .woff doesn't involve encryption. This won't quite be good enough, I fear. It avoids open-source browser projects being frozen out, true, but some font companies just won't license for that format for that reason.

Tim Ahrens's picture

Not sure I understand your question but EOT does not have to be bound to a URL. It has this feature but you don't have to use it.

Thomas Phinney's picture

Also, WOFF has no features to “lock” a font to use on a given URL.

T

Tom Gewecke's picture

Regarding Mobile Safari on the iPad/iPhone/iPod Touch, the newest version in iOS 4.2.1 seems to display .ttf/.otf webfonts (and not just .svg). At least my Egyptian test page now works on my iPad.

http://homepage.mac.com/thgewecke/webfontdemo.html

This is useful, since there is no way for the user to add fonts to any of these devices.

Si_Daniels's picture

>Regarding Mobile Safari on the iPad/iPhone/iPod Touch, the newest version in iOS 4.2.1 seems to display .ttf/.otf webfonts (and not just .svg).

How about WOFF?

Cheers, Si

Tom Gewecke's picture

>How about WOFF

I think not. Can you suggest a good test page where only WOFF is used?

Tom Gewecke's picture

Thanks, Sii. WOFF seems definitely not supported yet.

Si_Daniels's picture

Thanks for checking. I blame Murdoch :-) he's a bad influence on Steve.

Rob O. Font's picture

...iOS supports the most interoperable format now. The trendiest format...not so much.

and sii, iOS is to Murdoch as IE9 is to whom? Who should we blame for IE9's ttf support?

Si_Daniels's picture

>Who should we blame for IE9's ttf support?

If you are a supporter of raw fonts then Apple clearly gets credit for being the first company to support the effort. Hakon Lie needs to get some credit for promoting the idea.

But as the Murdoch blame was a joke, I'm going to blame Tony Stark for IE9.

Rob O. Font's picture

Blame IEronman hu?;) and I'm not so much a supporter of raw fonts as I am a supporter of the ttf as payload for print and web. This is a big step in both the direction of apple respecting the tt spec again, and getting hopefully on the road to Woffing Cross..

Richard Fink's picture

Does anybody have more info about the Tony Stark - Rupert Murdoch - Steve Jobs connection? Is it true that Peter Parker's involved, too?

dezcom's picture

That would be Spiderman, Richard :-)

Richard Fink's picture

Jeez, Chris, you're right! Does the Justice League Of America know about this?

dezcom's picture

Only if they are Web people :-)

Richard Fink's picture

Superman's gonna be pissed.

dezcom's picture

He can browse faster than a speeding bullet but not on the web ;-)
