Securing font when used with font-face

ralf h.'s picture

"Font embedding" is coming back to the web! The latest build of WebKit (used by Safari) has it, Opera is expected to follow. But the way they use it is by just linking a regular font file, which has to be placed somewhere on the internet, so everyone can download it.
Of course that doesn't go well with commercial fonts.

So I set up a Proof of Concept to show a way to secure* a font used with the font-face command. Just download the latest version of Safari and open this page:
http://www.fonts.info/webfonts/

You should see two "embedded" fonts. The first is protected*, the second is not. Feel free to try to download Kaffeesatz. I won't explain how the protection works, but it uses several layers of protection. It is set up in a way where the font would reside on the foundry's server and a remote, licensed website can use the font by adding a little snippet of code to its template.

* So it's absolutely safe? No! Everything you see in your browser window was already downloaded to your machine. There is no real protection for anything that is on the web.

Comments

canderson's picture

Nice work Ralf. Thank you for posting this.

Florian Hardwig's picture

Very nice, Ralf! From my point of view, that’s heading in the right direction.

Miguel Sousa's picture

Nice work indeed!

> So it’s absolutely safe? No! Everything you see in your browser window was already downloaded to your machine.

I see, so browsers' developers are not off the hook yet, right?

> There is no real protection for anything that is on the web.

I'd think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.

aluminum's picture

"I see, so browsers’ developers are not off the hook yet, right?"

Copyright protection is not/should not be a TECHNICAL thing. It's a LEGAL thing. I see no reason for browser developers to hack the basic premise of the web in a weak attempt at forcing technical restrictions in the name of copyright protection.

4thfebruary's picture

Miguel Sousa:

> I’d think that, if the resource(s) — font(s) in this case — are only loaded into memory, i.e. not saving any file(s) on the local system, it would make things pretty safe.

Safari from Apple saves files into a "cache.db" file (SQLite3 format). With SQLiteExpert (no advertising), for example, a technically prepared user, like me, can take everything.

aluminum's picture

I just stumbled upon this thread again.

Yea, it's really easy to download the font:

- visit page in firefox
- view CSS file
- copy and paste the URL to the font file
- download the 'php' file
- change the extension to 'otf'

I now have Yanone Kaffeesatz Regular on my hard drive.

ralf h.'s picture

> Yea, it’s really easy to download the font: visit page in firefox

True. But it's an easy fix to prevent this in a future version. The point of this script is to have a system where a licensed website would get access to the font on the foundry's server, but access from other sites and direct downloads would be prevented. This can be done. I just don't have all the necessary features and levels of protections in it yet.

But 4thfebruary is also right. Once you access a licensed site the font will end up in your browser cache where it can be extracted. And this will always be the case.
But still: Should we stop the iTunes music store because people know how to rip a DRM-protected song?
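
The access rule described in the post above (licensed sites may load the font from the foundry's server, other sites and direct downloads may not), sketched as an added example that is not part of the original post and not ralf h.'s script, whose mechanism he does not disclose. It assumes the check is an exact-match allowlist on the `Origin`/`Referer` request headers; the host names and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical licensee list kept by the foundry (constructed values).
LICENSED_HOSTS = {"licensed-site.example", "www.licensed-site.example"}


def requesting_host(headers):
    """Return the host named by Origin (preferred) or Referer, or None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if not value:
            continue
        parts = urlsplit(value)
        # hostname drops any userinfo and port and is already lower-cased.
        if parts.scheme in ("http", "https") and parts.hostname:
            return parts.hostname.rstrip(".")
        return None  # header present but unusable (e.g. "null"): fail closed
    return None


def font_response(headers):
    """Decide how the font endpoint answers: (status, response headers)."""
    host = requesting_host(headers)
    if host is None:
        # No page context at all: a direct download, or a stripped header.
        return 403, {}
    if host not in LICENSED_HOSTS:
        # Exact match only; substring or prefix matching would accept
        # look-alike hosts that merely contain a licensed name.
        return 403, {}
    # no-store asks the browser not to keep a copy in its cache. It is a
    # request to the client, not a guarantee: the bytes are still delivered.
    return 200, {"Cache-Control": "no-store", "Vary": "Origin, Referer"}


if __name__ == "__main__":
    samples = [  # constructed requests
        {"Referer": "http://www.licensed-site.example/index.html"},
        {},
        {"Referer": "http://licensed-site.example.other.test/"},
    ]
    for sample in samples:
        print(sample, "->", font_response(sample)[0])
```

Both headers are supplied by the client, so a check like this keeps other websites from linking to the font but does not change the point made in the thread: whatever a licensed page displays has already been delivered to the visitor's machine.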

aluminum's picture

Well, if you know my stance on DRM, it's "get rid of it completely."

On the web there seems to be a strong urge to try and protect copyright concepts via technology...which always adds to the complexity/expense of the product, adds to the frustration of the honest customer, and is ultimately little to no deterrent to the person that doesn't care about copyright in the first place. ;o)

Mark Simonson's picture

I don't see how Ralf's technique would add frustration to any "honest customers" or even honest web page viewers.

The "customer," it seems to me, would be the party putting the font on the server. The people viewing the page on the web which utilizes the font, who are not the people who licensed the font, are not prevented from seeing the font at all. If the technique required site visitors to have an account or type in a password or some other nonsense, I could see your point.

In any case, what legitimate reason would anyone have to extract fonts from a cache (other than to demonstrate that there's a security hole)?

fallenartist's picture


Thanks for this Ralf.

I also was wondering if you could somehow secure a css file that contains information about a font to be safe on an EULA's side (e.g. "Embedding of the XXX Font-Software into electronic documents or internet pages is only permitted in a secured read-only mode. The Licensee must ensure that recipients of electronic documents or internet pages cannot extract the XXX Font-Software from such documents or use the embedded XXX Font-Software for editing purposes or for the creation of new documents.").

Can anyone actually ensure that no one will eventually extract anything from even a super-protected file? I don't think so. Why such a statement then?

Back to the topic, your solution seems enough "protection" for most users who browse websites. As stated many times before, one shouldn't really count in pirates who would steal/wouldn't buy anyway. The question is whether font vendors see it as a secure enough embedding on the internet.

________
AL

ralf h.'s picture

You may also want to look at this thread with more information about ways to protect the fonts:
http://www.typophile.com/node/43312
