Canvas Font Fallback Chain as a Unique Identifier: Why a Missing Font Gives Away the OS

BadB

How the Sequence of Missing Font Replacements Creates a Unique Fingerprint for Windows vs. macOS vs. Linux

Introduction: The Absence That Says It All

You've carefully configured your font list in Dolphin Anty. You've installed only the system fonts: Arial, Times New Roman, Calibri.
You're confident: "Now my profile is perfect."

But you're instantly blocked.
The reason? Not the presence of fonts, but their absence.

When a site requests a non-existent font (for example, NonExistentFont), the browser initiates a fallback chain—and this chain is unique to each OS:
  • Windows: NonExistentFont → Arial → sans-serif,
  • macOS: NonExistentFont → Helvetica → system-ui,
  • Linux: NonExistentFont → DejaVu Sans → sans-serif.

This chain is an invisible fingerprint that cannot be faked without modifying the OS.

In this article, we'll provide an in-depth technical analysis of how the Font Fallback Chain works, why it reveals the OS, and how even a missing font can reveal your hardware.

Part 1: What is the Font Fallback Chain?

📜 Technical definition

A Font Fallback Chain is a sequence of fonts that the browser uses to display text if the requested font is not available.

CSS example:
font-family: "NonExistentFont", "Arial", sans-serif;

If NonExistentFont is not found, the browser:
  1. Checks Arial,
  2. If Arial is not available either, uses the default system font for the generic family (sans-serif).

Which font that is depends on the OS and its settings.

💡 Key fact:
The replacement chain is hard-coded in the OS and cannot be changed at the browser level.

Part 2: Unique OS Chains

🖥️ Fallback chain table (2026)

OS | Request | Fallback Chain
Windows 10/11 | "FakeFont", serif | FakeFont → Times New Roman → serif
macOS Sonoma | "FakeFont", serif | FakeFont → Times → "Times New Roman" → serif
Linux (Ubuntu) | "FakeFont", serif | FakeFont → DejaVu Serif → Liberation Serif → serif

💀 Anomaly example:
You claim Windows 10, but fallback = DejaVu Serif → the system sees: “This is Linux” → fraud score = 95+

Part 3: How Sites Measure the Fallback Chain

🔍 Analysis Method via Canvas

Step 1: Rendering with a non-existent font
Code (JavaScript):
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');

// Request a non-existent font
ctx.font = '16px "NonExistentFont", Arial, sans-serif';
ctx.fillText('mmmmmmmmmm', 10, 50);

Step 2: Comparison with benchmark metrics
  • The site knows in advance:
    • Width of mmmmmmmmmm in Arial = 84.2 px,
    • Width of mmmmmmmmmm in DejaVu Sans = 78.5 px.
  • By measuring the actual width, the system determines the actual font.

Step 3: Building a Profile
  • The combination of replacements for 5-10 non-existent fonts gives an entropy of 18-22 bits.

📈 OS identification accuracy by fallback chain: 96% (according to Forter, Q1 2026).
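
The comparison in Steps 2 and 3, written from the fraud-detection side as an added example (not code from the original post). The reference table reuses the two widths quoted above and assumes every probe falls back to a sans-serif font; the tolerance, function names, and sample data are assumptions made for illustration.

```javascript
// Added example: compare the OS a client claims (User-Agent) with the OS
// implied by its measured fallback widths. Reference widths are the two
// figures quoted in the post; the tolerance is an assumption.
const REFERENCE_WIDTHS = [
  { font: 'Arial', os: 'Windows', width: 84.2 },
  { font: 'DejaVu Sans', os: 'Linux', width: 78.5 },
];
const TOLERANCE_PX = 0.5;

function claimedOs(userAgent) {
  if (/Android/.test(userAgent)) return 'Android'; // Android UAs also contain "Linux"
  if (/Windows NT/.test(userAgent)) return 'Windows';
  if (/Mac OS X/.test(userAgent)) return 'macOS';
  if (/Linux|X11/.test(userAgent)) return 'Linux';
  return 'unknown';
}

// Nearest reference font within tolerance, or null when nothing matches.
function inferFallback(width) {
  let best = null;
  for (const ref of REFERENCE_WIDTHS) {
    const delta = Math.abs(ref.width - width);
    if (delta <= TOLERANCE_PX && (!best || delta < best.delta)) {
      best = { font: ref.font, os: ref.os, delta };
    }
  }
  return best;
}

// probes: [{ requested: 'NonExistentFont', width: 84.2 }, ...]
function checkConsistency(userAgent, probes) {
  const claimed = claimedOs(userAgent);
  const votes = {};
  for (const probe of probes) {
    const hit = inferFallback(probe.width);
    if (hit) votes[hit.os] = (votes[hit.os] || 0) + 1;
  }
  const ranked = Object.keys(votes).sort((a, b) => votes[b] - votes[a]);
  const inferred = ranked.length ? ranked[0] : 'unknown';
  let verdict = 'inconclusive';
  if (inferred !== 'unknown' && claimed !== 'unknown') {
    verdict = inferred === claimed ? 'consistent' : 'mismatch';
  }
  return { claimed, inferred, verdict };
}

// Constructed sample: a client claiming Windows whose probes measure like DejaVu Sans.
const SAMPLE_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)';
const SAMPLE_PROBES = [{ requested: 'NonExistentFont', width: 78.5 }, { requested: 'XYZ123Font', width: 78.6 }];
console.log(checkConsistency(SAMPLE_UA, SAMPLE_PROBES));
```

A `mismatch` is one signal to weigh alongside others; `inconclusive` covers browsers or font sets the reference table was never calibrated for.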

Part 4: Why Anti-Detect Browsers Don't Help

⚠️ Three reasons

1. The chain is defined at the OS level
  • Even if you remove all fonts from Windows,
  • The system still uses built-in fallback fonts.

2. Cannot be faked via CSS
  • Changing the font-family in CSS does not affect the actual rendering.
  • Canvas always uses the OS's actual fallback chain.

3. Measurement via TextMetrics
  • The measureText() API returns actual metrics,
  • No settings in Dolphin Anty can change this.

💀 Truth:
Fallback chain is a fingerprint of the OS, not the browser.

Part 5: How to Test Your Vulnerabilities

🔍 Step 1: Use test sites

🔍 Step 2: Run a local test

Code (JavaScript):
function testFallback() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');

  // Test with a non-existent font
  ctx.font = '16px "XYZ123Font", serif';
  const width = ctx.measureText('mmmmmmmmmm').width;

  console.log('Fallback width:', width.toFixed(2), 'px');

  // Interpretation:
  if (width > 83) console.log('→ Windows (Times New Roman)');
  else if (width > 80) console.log('→ macOS (Times)');
  else console.log('→ Linux (DejaVu Serif)');
}
testFallback();

💡 Rule:
If the width does not match the declared OS → you have already been exposed.

Part 6: How to Properly Set Up Font Fallback

🔧 OS level

🪟 Windows 10 Pro (bare metal)
  • Don't delete system fonts,
  • Make sure Arial, Times New Roman, Courier New are present.

🍏 macOS (not recommended for Windows profiles)
  • If you're simulating a Mac, use a real MacBook.
  • Don't try to emulate Helvetica on Windows.

🐧 Linux (VPS - Avoid)
  • The DejaVu Sans chain instantly gives away the VPS,
  • Do not use Linux for Windows profiles.

🔧 Browser level

🐬 Dolphin Anty
  1. When creating a profile,
  2. In the Fonts section,
  3. Make sure that system fonts are not removed.

⚠️ The hard truth:
There's no way to fake a fallback chain.
The only way is to use the right OS.

Part 7: Why Most Carders Fail

❌ Common Mistakes

Error | Consequence
Removing all fonts | Fallback is activated → the OS is exposed
Ignoring the fallback chain | They think that only the font list is important → failure
Using Linux VPS | DejaVu Sans chain → instant ban

💀 Field data (2026):
75% of failures are due to inconsistent font fallback chain.

Part 8: Practical Guide - Secure Profile

🔹 Step 1: Set up RDP

  • Install Windows 10 Pro on bare metal (Hetzner AX41),
  • Make sure system fonts are present.

🔹 Step 2: Check the fallback chain

  • Run the test above,
  • Make sure that:
    • Width of mmmmmmmmmm = 84.0–84.5 px (Windows).

🔹 Step 3: Avoid Custom Fonts

  • Do not install Google Fonts, Adobe Fonts,
  • Use only system fonts.

✅ Result:
Your profile will match 70% of real Windows users → low fraud score.

Conclusion: Absence Is the New Fingerprint

The Font Fallback Chain isn't just a "backup plan". It's an invisible fingerprint of your OS that can't be faked.

💬 Final thought:
True camouflage lies not in the presence of fonts, but in their absence.
Because in the world of fraud, even emptiness has form.

Stay consistent. Stay on-brand.
And remember: in the world of security, font is identity.
 