Typophile - Securing font when used with font-face - Comments

You may also want to look at

Ralf Herrmann — Thu, 3 Apr 2008 11:34:48 -0700

You may also want to look at this thread with more information about ways to protect the fonts:
http://www.typophile.com/node/43312

Thanks for this Ralf. I

aleksander — Thu, 3 Apr 2008 09:51:15 -0700

Thanks for this Ralf.

I also was wondering if you could somehow secure a css file that contains information about a font to be safe on an EULA’s side (e.g. “Embedding of the XXX Font-Software into electronic documents or internet pages is only permitted in a secured read-only mode. The Licensee must ensure that recipients of electronic documents or internet pages cannot extract the XXX Font-Software from such documents or use the embedded XXX Font-Software for editing purposes or for the creation of new documents.”).

Can anyone actually ensure that no one will eventually extract anything from even a super-protected file? I don’t think so. Why such a statement then?

Back to the topic, your solution seems enough “protection” for most users who browse websites. As stated many times before, one shouldn’t really count in pirates who would steal/wouldn’t buy anyway. The question is if font vendors see it as an enough secure embedding on the internet?

________
AL ▪▪▪▪

I don’t see how Ralf’s

Mark Simonson — Thu, 27 Mar 2008 17:22:57 -0700

I don’t see how Ralf’s technique would add frustration to any “honest customers” or even honest web page viewers.

The “customer,” it seems to me, would be the party putting the font on the server. The people viewing the page on the web which utilizes the font, who are not the people who licensed the font, are not prevented from seeing the font at all. If the technique required site visitors to have an account or type in a password or some other nonsense, I could see your point.

In any case, what legitimate reason would anyone have to extract fonts from a cache (other than to demonstrate that there’s a security hole)?

Well, if you know my stance

aluminum — Thu, 27 Mar 2008 10:51:26 -0700

Well, if you know my stance on DRM, it’s “get rid of it completely.”

On the web there seems to be a strong urge to try and protect copyright concepts via technology...which always adds to the complexity/expense of the product, adds to the frustration of the honest customer, and is ultimately little to no deterrent to the person that doesn’t care about copyright in the first place. ;o)

Yea, it’s really easy to

Ralf Herrmann — Thu, 27 Mar 2008 09:45:46 -0700

Yea, it’s really easy to download the font: visit page in firefox

True. But it’s an easy fix to prevent this in a future version. The point of this script is to have a system where a licensed website would get access to the font on the foundry’s server, but access from other sites and direct downloads would be prevented. This can be done. I just don’t have all the neccessary features and levels of protections in it yet.

But 4thfebruary is also right. Once you access a licensed site the font will end up in your browser cache where it can extracted. And this will always be the case.
But still: Should we stop the iTunes music store because people know how to rip an DRM-protected song?

I just stumbled upon this

aluminum — Thu, 27 Mar 2008 07:02:19 -0700

I just stumbled upon this thread again.

Yea, it’s really easy to download the font:

- visit page in firefox
- view CSS file
- copy and past the URL to the font file
- download the ’php’ file
- change the extension to ’otf’

I now have Yanone Kaffeesatz Regular on my hard drive.

Miguel Sousa I’d think

4thfebruary — Thu, 27 Mar 2008 06:05:01 -0700

Miguel Sousa

I’d think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.

Safari from Apple saves files into “cache.db” file (format SQLite3). with SQLiteExpert (no advertising), for example, technically prepared user, like me, can take everything.

“I see, so browsers’

aluminum — Mon, 29 Oct 2007 07:04:38 -0700

“I see, so browsers’ developers are not of the hook yet, right?”

Copyright protection is not/should not be a TECHNICAL thing. It’s a LEGAL thing. I see no reason for browser developers to hack the basic premise of the web in a weak attempt at forcing technical restrictions in the name of copyright protection.

Nice work indeed! > So

Miguel Sousa — Sun, 28 Oct 2007 15:23:09 -0700

Nice work indeed!

> So it’s absolutely safe? No! Everything you see in your browser window was already downloaded to you machine.

I see, so browsers’ developers are not of the hook yet, right?

> There is no real protection for anything that is on the web.

I’d think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.

Very nice, Ralf! From my

Florian Hardwig — Sun, 28 Oct 2007 11:16:13 -0700

Very nice, Ralf! From my point of view, that’s heading in the right direction.

Nice work Ralf. Thank you

canderson — Sun, 28 Oct 2007 11:13:16 -0700

Nice work Ralf. Thank you for posting this.

Securing font when used with font-face

Ralf Herrmann — Sun, 28 Oct 2007 09:47:49 -0700

"Font embedding" is coming back to the web! The latest build of WebKit (used by Safari) has it, Opera is expected to follow. But the way they use it is by just linking a regular font file, which has to be placed somewhere on the internet, so everyone can download it. Of course that doesn't go well with commercial fonts. So I set up a Proof of Concept to show a way to secure* a font used with the font-face command. Just download the latest version of Safari and open this page: http://www.fonts.info/webfonts/ You should see two "embedded" fonts. The first is protected*, the second is not. Feel free to try to download Kaffeesatz. I won't explain how the protection works, but it uses several layers of protection. It is set up in a way, where the font would reside on the foundry's server and a remote, licensed website can use the font by adding a little snippet of code to its template. [img:Bild3_4933.jpg] * So it's absolutely safe? No! Everything you see in your browser window was already downloaded to you machine. There is no real protection for anything that is on the web.