New to Typophile? Accounts are free, and easy to set up.
Securing font when used with font-face
Posted by rhe in
28 Oct 2007 — 9:47am
28 Oct 2007 — 9:47am
"Font embedding" is coming back to the web! The latest build of WebKit (used by Safari) has it, Opera is expected to follow. But the way they use it is by just linking a regular font file, which has to be placed somewhere on the internet, so everyone can download it.
Of course that doesn't go well with commercial fonts.
So I set up a Proof of Concept to show a way to secure* a font used with the font-face command. Just download the latest version of Safari and open this page:
http://www.fonts.info/webfonts/
You should see two "embedded" fonts. The first is protected*, the second is not. Feel free to try to download Kaffeesatz. I won't explain how the protection works, but it uses several layers of protection. It is set up in a way, where the font would reside on the foundry's server and a remote, licensed website can use the font by adding a little snippet of code to its template.
* So it's absolutely safe? No! Everything you see in your browser window was already downloaded to you machine. There is no real protection for anything that is on the web.
- rhe's blog
- Login or register to post comments
User login
Support our Sponsors
Comments
28 Oct 2007 — 11:13am
Nice work Ralf. Thank you for posting this.
28 Oct 2007 — 11:16am
Very nice, Ralf! From my point of view, that’s heading in the right direction.
28 Oct 2007 — 3:23pm
Nice work indeed!
> So it’s absolutely safe? No! Everything you see in your browser window was already downloaded to you machine.
I see, so browsers' developers are not of the hook yet, right?
> There is no real protection for anything that is on the web.
I'd think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.
29 Oct 2007 — 7:04am
"I see, so browsers’ developers are not of the hook yet, right?"
Copyright protection is not/should not be a TECHNICAL thing. It's a LEGAL thing. I see no reason for browser developers to hack the basic premise of the web in a weak attempt at forcing technical restrictions in the name of copyright protection.
27 Mar 2008 — 6:05am
Miguel Sousa
I’d think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.
Safari from Apple saves files into "cache.db" file (format SQLite3). with SQLiteExpert (no advertising), for example, technically prepared user, like me, can take everything.
27 Mar 2008 — 7:02am
I just stumbled upon this thread again.
Yea, it's really easy to download the font:
- visit page in firefox
- view CSS file
- copy and past the URL to the font file
- download the 'php' file
- change the extension to 'otf'
I now have Yanone Kaffeesatz Regular on my hard drive.
27 Mar 2008 — 9:45am
Yea, it’s really easy to download the font: visit page in firefox
True. But it's an easy fix to prevent this in a future version. The point of this script is to have a system where a licensed website would get access to the font on the foundry's server, but access from other sites and direct downloads would be prevented. This can be done. I just don't have all the neccessary features and levels of protections in it yet.
But 4thfebruary is also right. Once you access a licensed site the font will end up in your browser cache where it can extracted. And this will always be the case.
But still: Should we stop the iTunes music store because people know how to rip an DRM-protected song?
27 Mar 2008 — 10:51am
Well, if you know my stance on DRM, it's "get rid of it completely."
On the web there seems to be a strong urge to try and protect copyright concepts via technology...which always adds to the complexity/expense of the product, adds to the frustration of the honest customer, and is ultimately little to no deterrent to the person that doesn't care about copyright in the first place. ;o)
27 Mar 2008 — 5:22pm
I don't see how Ralf's technique would add frustration to any "honest customers" or even honest web page viewers.
The "customer," it seems to me, would be the party putting the font on the server. The people viewing the page on the web which utilizes the font, who are not the people who licensed the font, are not prevented from seeing the font at all. If the technique required site visitors to have an account or type in a password or some other nonsense, I could see your point.
In any case, what legitimate reason would anyone have to extract fonts from a cache (other than to demonstrate that there's a security hole)?
3 Apr 2008 — 9:51am
Thanks for this Ralf.
I also was wondering if you could somehow secure a css file that contains information about a font to be safe on an EULA's side (e.g. "Embedding of the XXX Font-Software into electronic documents or internet pages is only permitted in a secured read-only mode. The Licensee must ensure that recipients of electronic documents or internet pages cannot extract the XXX Font-Software from such documents or use the embedded XXX Font-Software for editing purposes or for the creation of new documents.").
Can anyone actually ensure that no one will eventually extract anything from even a super-protected file? I don't think so. Why such a statement then?
Back to the topic, your solution seems enough "protection" for most users who browse websites. As stated many times before, one shouldn't really count in pirates who would steal/wouldn't buy anyway. The question is if font vendors see it as an enough secure embedding on the internet?
________
AL ▪▪▪▪
3 Apr 2008 — 11:34am
You may also want to look at this thread with more information about ways to protect the fonts:
http://www.typophile.com/node/43312