font security issues
141 views
Skip to first unread message
baronetto
Apr 29, 2009, 6:38:18 AM4/29/09
to cufón
Hi,
first of all I would like to thank you for cufon, it's a great tool.
I would like to use it on a website along with a font.
The foundry that designed the font allows embeding but they won't give
me permission to use their font unless they are sure that it is
impossible to create a font file (.otf) using the .js created by your
generator. Is this actually possible?
Thank you in advace for your time and effort
first of all I would like to thank you for cufon, it's a great tool.
I would like to use it on a website along with a font.
The foundry that designed the font allows embeding but they won't give
me permission to use their font unless they are sure that it is
impossible to create a font file (.otf) using the .js created by your
generator. Is this actually possible?
Thank you in advace for your time and effort
Sorccu
Apr 29, 2009, 8:40:52 AM4/29/09
to cu...@googlegroups.com
Hi,
Well, nothing's impossible. There are tools that allow font extraction
from PDFs and Flash files, and it would be fairly trivial to convert
an EOT font to an OTF as well. However you'd have to be very desperate
to actually try and convert a cufón font to an OTF font. By default
the outlines are scaled down and optimized, which means that there is
some quality is lost. Neither kerning tables nor any advanced
typographic features are embedded (although this may change in future
versions). You are also encouraged to embed only a small subset of the
font (just the characters you need). So, even if you were to convert a
cufón font to an OTF, it would in many ways be inferior to the
original font. Basically what I'm saying is that it's possible, but
not worth the trouble.
Like EOT, you can also restrict a cufón font to a particular set of
domains. This protection is at the moment very weak and is mainly
meant to prevent people from hotlinking fonts from other sites. I'm
currently testing a more secure protection method that will make
removing the restrictions very difficult (but obviously not
impossible). It might be ready next week, but I can't give any
guarantees.
Simo
Well, nothing's impossible. There are tools that allow font extraction
from PDFs and Flash files, and it would be fairly trivial to convert
an EOT font to an OTF as well. However you'd have to be very desperate
to actually try and convert a cufón font to an OTF font. By default
the outlines are scaled down and optimized, which means that there is
some quality is lost. Neither kerning tables nor any advanced
typographic features are embedded (although this may change in future
versions). You are also encouraged to embed only a small subset of the
font (just the characters you need). So, even if you were to convert a
cufón font to an OTF, it would in many ways be inferior to the
original font. Basically what I'm saying is that it's possible, but
not worth the trouble.
Like EOT, you can also restrict a cufón font to a particular set of
domains. This protection is at the moment very weak and is mainly
meant to prevent people from hotlinking fonts from other sites. I'm
currently testing a more secure protection method that will make
removing the restrictions very difficult (but obviously not
impossible). It might be ready next week, but I can't give any
guarantees.
Simo
Elecious
May 28, 2009, 5:17:26 AM5/28/09
to cufón
Hi
Is there any update on this? We were hoping to use Cufon on our
corporate site but decided against it for font licensing issues.
On Apr 29, 1:40 pm, Sorccu <sor...@gmail.com> wrote:
> Hi,
>
> Well, nothing's impossible. There are tools that allow font extraction
> from PDFs and Flash files, and it would be fairly trivial to convert
> an EOT font to an OTF as well. However you'd have to be very desperate
> to actually try and convert a cufón font to an OTF font. By default
> the outlines are scaled down and optimized, which means that there is
> some quality is lost. Neither kerning tables nor any advanced
> typographic features are embedded (although this may change in future
> versions). You are also encouraged to embed only a small subset of the
> font (just the characters you need). So, even if you were to convert a
> cufón font to an OTF, it would in many ways be inferior to the
> original font. Basically what I'm saying is that it's possible, but
> not worth the trouble.
>
> Like EOT, you can also restrict a cufón font to a particular set of
> domains. This protection is at the moment very weak and is mainly
> meant to prevent people from hotlinking fonts from other sites. I'm
> currently testing a more secure protection method that will make
> removing the restrictions very difficult (but obviously not
> impossible). It might be ready next week, but I can't give any
> guarantees.
>
> Simo
>
Is there any update on this? We were hoping to use Cufon on our
corporate site but decided against it for font licensing issues.
On Apr 29, 1:40 pm, Sorccu <sor...@gmail.com> wrote:
> Hi,
>
> Well, nothing's impossible. There are tools that allow font extraction
> from PDFs and Flash files, and it would be fairly trivial to convert
> an EOT font to an OTF as well. However you'd have to be very desperate
> to actually try and convert a cufón font to an OTF font. By default
> the outlines are scaled down and optimized, which means that there is
> some quality is lost. Neither kerning tables nor any advanced
> typographic features are embedded (although this may change in future
> versions). You are also encouraged to embed only a small subset of the
> font (just the characters you need). So, even if you were to convert a
> cufón font to an OTF, it would in many ways be inferior to the
> original font. Basically what I'm saying is that it's possible, but
> not worth the trouble.
>
> Like EOT, you can also restrict a cufón font to a particular set of
> domains. This protection is at the moment very weak and is mainly
> meant to prevent people from hotlinking fonts from other sites. I'm
> currently testing a more secure protection method that will make
> removing the restrictions very difficult (but obviously not
> impossible). It might be ready next week, but I can't give any
> guarantees.
>
> Simo
>
Simo Kinnunen
May 28, 2009, 5:42:59 AM5/28/09
to cu...@googlegroups.com
Hi,
Yes, the domain restriction is a lot better now. While it still isn't
(and naturally never will be) completely impossible to remove it, it's
a lot more difficult than what it used to be.
Simo
Yes, the domain restriction is a lot better now. While it still isn't
(and naturally never will be) completely impossible to remove it, it's
a lot more difficult than what it used to be.
Simo
reetssydney
May 31, 2009, 1:12:55 AM5/31/09
to cufón
Hi,
Does this improved domain restriction mean that cufón will be seen as
adhering to font foundries' EULAs in the same way as sIFR?
I'm looking to use cufón to replace sIFR of HelveticaNeue on a site,
and Linotype's EULA is not that explicit:
"1.5 Embedding of the Font Software into electronic documents or
Internet pages is only permitted under the absolute assurance that the
recipient cannot use the Font Software to edit or create a new
document (read-only). It must be ensured that the Font Software cannot
be fully or partially extracted from said documents.
1.6 The licensee may electronically distribute Font Software embedded
in a »Personal or Internal Business Use« document only when the Font
Software embedded in such document is in a static graphic image (for
example, a »gif«) or an embedded electronic document, and is
distributed in a secure format that permits only the viewing and
printing (and not the editing, altering, enhancing, or modifying) of
such static graphic image or embedded document."
As you say, font extraction is possible from PDF, Flash and EOT files
so it seems strange that one solution like sIFR is allowed while cufón
is not. Looking forward to an 'official' update from font foundries
regarding permissions...
Thanks for all your work, hoping to start using it v soon.
On May 28, 7:42 pm, Simo Kinnunen <sor...@gmail.com> wrote:
> Hi,
>
> Yes, the domain restriction is a lot better now. While it still isn't
> (and naturally never will be) completely impossible to remove it, it's
> a lot more difficult than what it used to be.
>
> Simo
>
Does this improved domain restriction mean that cufón will be seen as
adhering to font foundries' EULAs in the same way as sIFR?
I'm looking to use cufón to replace sIFR of HelveticaNeue on a site,
and Linotype's EULA is not that explicit:
"1.5 Embedding of the Font Software into electronic documents or
Internet pages is only permitted under the absolute assurance that the
recipient cannot use the Font Software to edit or create a new
document (read-only). It must be ensured that the Font Software cannot
be fully or partially extracted from said documents.
1.6 The licensee may electronically distribute Font Software embedded
in a »Personal or Internal Business Use« document only when the Font
Software embedded in such document is in a static graphic image (for
example, a »gif«) or an embedded electronic document, and is
distributed in a secure format that permits only the viewing and
printing (and not the editing, altering, enhancing, or modifying) of
such static graphic image or embedded document."
As you say, font extraction is possible from PDF, Flash and EOT files
so it seems strange that one solution like sIFR is allowed while cufón
is not. Looking forward to an 'official' update from font foundries
regarding permissions...
Thanks for all your work, hoping to start using it v soon.
On May 28, 7:42 pm, Simo Kinnunen <sor...@gmail.com> wrote:
> Hi,
>
> Yes, the domain restriction is a lot better now. While it still isn't
> (and naturally never will be) completely impossible to remove it, it's
> a lot more difficult than what it used to be.
>
> Simo
>
Simo Kinnunen
May 31, 2009, 8:01:24 AM5/31/09
to cu...@googlegroups.com
Hi,
It depends. For performance reasons most of the font data is
unencrypted, but it's unusable without the encrypted part which maps
path data to characters (assuming you've restricted the font to a
domain). Obviously it's not impossible to break the encryption, but it
does require some skill. Therefore, depending on what "partial
extraction" really means, using cufón might still be against the EULA.
Then again it would be ridiculously easy to extract partial font data
from any file. Cufón's definitely safer than @font-face, though.
In any case it would be your best bet would be to ask Linotype directly.
Simo
It depends. For performance reasons most of the font data is
unencrypted, but it's unusable without the encrypted part which maps
path data to characters (assuming you've restricted the font to a
domain). Obviously it's not impossible to break the encryption, but it
does require some skill. Therefore, depending on what "partial
extraction" really means, using cufón might still be against the EULA.
Then again it would be ridiculously easy to extract partial font data
from any file. Cufón's definitely safer than @font-face, though.
In any case it would be your best bet would be to ask Linotype directly.
Simo
Reply all
Reply to author
Forward
0 new messages