Slashdot Mirror


Chrome Extension Thwarts User Profiling Based On Typing Behavior

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome, not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
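The following is an added simulation of the idea in the summary, not code from Keyboard Privacy or from the original post: it compares a typist's inter-key intervals against an enrolled profile, then repeats the comparison after each key is held for a random delay. The timings, the distance metric, the 25 ms threshold and all function names are assumptions made for the illustration.

```javascript
// Added illustration; every name and number here is an assumption.
// Seeded PRNG (mulberry32) so the simulation is reproducible.
function prng(a) {
  return function () {
    let t = (a += 0x6D2B79F5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed sample: key timestamps (ms) for one typist's rhythm,
// with up to +/-10 ms of natural jitter per gap.
function typeSample(rhythm, rand) {
  let t = 0;
  const times = [0];
  for (const gap of rhythm) { t += gap + (rand() - 0.5) * 20; times.push(t); }
  return times;
}

// Feature a profiler can observe from key events: inter-key intervals.
const intervals = (times) => times.slice(1).map((t, i) => t - times[i]);

// Mean absolute difference between two interval vectors, and a match rule.
const distance = (a, b) =>
  a.reduce((sum, v, i) => sum + Math.abs(v - b[i]), 0) / a.length;
const matches = (d) => d < 25; // assumed acceptance threshold (ms)

// Mitigation: hold each key for a random delay before the page sees it.
// Keys are never released early and never reordered.
function randomize(times, rand, maxDelay) {
  let last = -Infinity;
  return times.map((t) => (last = Math.max(t + rand() * maxDelay, last + 1)));
}

function demo() {
  const rand = prng(42);
  const rhythm = [95, 180, 60, 240, 110, 75, 200, 130]; // constructed
  const enrolled = intervals(typeSample(rhythm, rand));
  const later = typeSample(rhythm, rand); // same person, another session
  const raw = distance(enrolled, intervals(later));
  const masked = distance(enrolled, intervals(randomize(later, rand, 300)));
  return { raw, masked };
}

console.log(demo());
```

The cost of the mitigation is visible in `randomize`: every character reaches the page up to `maxDelay` milliseconds late, so the delay range trades typing latency against how much of the rhythm survives.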


  1. I dunno? by KGIII · · Score: 2

    Seems like a theoretical problem with a theoretical solution. Just because they found one mechanism does not mean that there is not another. Just because they were able to do it in a controlled environment does not mean that others can or will. It seems a lot of effort to actually get fairly trivial information. Most browsers are fairly uniquely fingerprinted anyhow. There are easier ways to track (and likely more certain ways) so this seems like a non-starter without more information and more prevalence.

    --
    "So long and thanks for all the fish."
    1. Re:I dunno? by martas · · Score: 4, Insightful

      this does not fingerprint the browser, it fingerprints the user. it doesn't matter if you switch browsers, or even computers, your typing patterns remain the same, and potentially identifiable.

  2. A Chrome privacy extension by Anonymous Coward · · Score: 4, Funny

    The term "pissing in the ocean" comes to mind.

  3. Re:Complex signal analysis by ArcadeMan · · Score: 3, Funny

    > Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

    thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

  4. Re:Doing it wrong by PvtVoid · · Score: 2

    > If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

    I don't think that Thorsheim was using Tor in an attempt at any actual security, but simply to isolate the effect of keyboard timings from other potential means of identifying the user. He was using Tor to create a controlled experiment.
     

  5. Anti tracking plugin for Chrome?? by Carewolf · · Score: 2

    Why would you make an anti-tracking feature for a browser only made to track you? Whatever you do you are still being tracked by default, that is the point of Chrome.

  6. Re:Or you could just turn off Java. by thorsheim · · Score: 2

    Java & JavaScript. NOT the same thing!

  7. Re:Not random, constant timing by thorsheim · · Score: 2

    True & not true. The plugin randomizes (delays) the keypress inputs into the DOM; you can change the values. We did consider doing everything constant as well as randomization. Difficult tradeoff. The main point is to lower/remove the risk of a profile being built and used.

  8. That's one solution by tehlinux · · Score: 4, Funny

    > by randomizing the rate at which characters reach the DOM

    Just do what IE11 does and randomly don't send some characters to the DOM.

    --
    Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!