Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Chrome Security

Chrome Extension Thwarts User Profiling Based On Typing Behavior 61

An anonymous reader writes: Per Thorsheim, the founder of PasswordsCon, created and trained a biometric profile of his keystroke dynamics using the Tor browser at a demo site. He then switched over to Google Chrome and not using the Tor network, and the demo site correctly identified him when logging in and completing a demo financial transaction. Infosec consultant Paul Moore came up with a working solution to thwart this type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM. A Firefox version of the plugin is in the works.
This discussion has been archived. No new comments can be posted.

Chrome Extension Thwarts User Profiling Based On Typing Behavior

Comments Filter:
  • Seems like a theoretical problem with a theoretical solution. Just because they found one mechanism does not mean that there is not another. Just because they were able to do it in a controlled environment does not mean that others can or will. It seems a lot of effort to actually get fairly trivial information. Most browsers are fairly uniquely fingerprinted anyhow. There are easier ways to track (and likely more certain ways) so this seems like a non-starter without more information and more prevalence.

    • It's been proven a browser exposes a lot of personalized data. Low value data, such as, for example, the fonts installed on a machine, but it can be used to digitally fingerprint you.
      • by Anonymous Coward

        https://panopticlick.eff.org/ shows you a few data points that can be used to profile browsers (fonts being one of them).

        Seems like Javascript is one giant profiling tool and the only way to even start fighting profiling is to disable it by default. Even then browsers still broadcast lots of data.

        • Doesn't have to be Javascript, but being a very common thing around, its obviously the easy choice. Anything that can & will record & process your typing inside the DOM could to this afaik.
      • Yeah, I think they notice when I zoom in the page all the time. I keep getting ads for new reading glasses.

    • Re:I dunno? (Score:5, Insightful)

      by martas ( 1439879 ) on Tuesday July 28, 2015 @10:19AM (#50196943)
      this does not fingerprint the browser, it fingerprints the user. it doesn't matter if you switch browsers, or even computers, your typing patters remain the same, and potentially identifiable.
      • by KGIII ( 973947 )

        This still seems unlikely to be useful with the noise floor it would have. At least not by itself - maybe that is the intent.

        • Yeah, implementations do not operate with FAR/FRR rates, they focus on giving a confidence score to you, the operator. Based on that you decide what to do. Typically you won't deny access to anyone punch drunk typing in username + password correctly, but you will flag all transactions for manual control as an example. Coursera, an online training provider uses it when you signup for an account, and when you hand in any tests you've done for scoring.
    • Lots of companies have products that allows you to do keystroke dynamics on their websites, and we've heard of several UK banks as an example actively using this today. Browsers are fairly uniquely fingerprinted. Keystroke dynamics fingerprints the HUMAN, so if you wipe all your cookies, change browser, change computer and change (IP) location, keystroke dynamics will still identify you.
      • by KGIII ( 973947 )

        Those seem well and *potentially* good if you want to match a metric but they seem trivial to defeat in anything with any noise associated with it. I pause at random points and will sometimes return a half hour later and delete stuff. I am not saying that I can not be fingerprinted but I am saying that it would be difficult and there are much easier ways that are much more likely to succeed.

  • That's mechanical use of keyboard, but you're also gonna need a phrase anyzer and commonizer. Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

    If you can tie a controversial anon to a known account like facebook, you can then go all SJW on him, outing them to their employer and getting them fired.

    I am less concerned about racist assholes than more general political opinions and so on.

    • by ArcadeMan ( 2766669 ) on Tuesday July 28, 2015 @10:15AM (#50196923)

      Grammar and phrases used by writers should be unique enough to identify the same anonymous writers on different sites, at least over the long run.

      thats one more reason too never use capital letters or punctuation and too write with as many misteaks as u can including us1ng l33tsp34k

    • Valid points, lots of other features from your way of typing may aid in building an anonymous profile. Keystroke dynamics is just an addition to that, and the plugin blocks keystroke dynamics from being used to build & identify people (not browsers).
  • by Anonymous Coward on Tuesday July 28, 2015 @10:10AM (#50196893)

    The term "pissing in the ocean" comes to mind.

  • by Anonymous Coward

    Locked out of everything, hooray!

  • If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

    Am I surprised that this can be done? No. But DO-NOT-ALLOW-SCRIPTS in your browser if you are truly attempting to be secure.

    • If you have scripts running inside Tor so that something can profile how you access the DOM (keystrokes or otherwise) you are doing it wrong.

      I don't think that Thorsheim was using Tor in an attempt at any actual security, but simply to isolate the effect of keyboard timings from other potential means of identifying the user. He was using Tor to create a controlled experiment.
       

      • Correct. There are also so many websites around where Javascript is required for the site to work. I wouldn't be surprised if quite a few Tor users allowed Javascript here and there. And it doesn't have to be done using Javascript either.
  • by Anonymous Coward

    Why would anyone use this spyware anyway? Just use Firefox, or even modern versions of IE is better

  • by Anonymous Coward
    Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical. Adding random noise as it sounded like the summary was describing tends to be ineffective against timing attacks because it averages out.
    • Reading the article the extension does the right thing and actually modifies the timings to be constant (50ms between key presses by default). By setting the timings to always be the same, all users of the extension look identical.

      Which probably makes them even more identifiable, since it is unlikely that more than a tiny minority of Chrome users will use such an extension. This is a fundamental problem with this sort of thing: if you really want to be hard to identify, you want to make yourself look as much like the rest of the clueless rabble as possible. If only one user in ten thousand is loading themselves up with privacy extensions, it probably makes for an excellent fingerprint in and of itself.

      • True & not true. The plugin randomizes (delays) the keypress inputs into the dom, you can change the values. We did consider doing everything constant as well as randomization. Difficult tradeoff. The main point is to lower/remove the risk of a profile being built and used.
        • The plugin randomizes (delays) the keypress inputs into the dom, you can change the values.

          This seems more reasonable. However, it's not obvious that this would not itself be a trackable signature, easily distinguished from actual human behavior.

  • by Carewolf ( 581105 ) on Tuesday July 28, 2015 @11:34AM (#50197343) Homepage

    Why would you make an anti-tracking feature for a browser only made to track you? Whatever you do you are still being tracked by default, that is the point of Chrome.

    • by Anonymous Coward

      Because they also work on Chromium, the OS version which doesn't track you?

      Also, your point makes zero sense, as the adversaries are different: this add-on prevents websites in general from identifying you, not Google in particular.

    • Whatever you do you are still being tracked by default, that is the point of Chrome.

      Do you have any evidence to back that claim up?

      There are a number of features in Chrome that optionally talk to Google. But you can change them all if you prefer. Do you have any proof that it "phones home" in any hidden way? It should be quite easy to prove; Wireshark is all you need.

      FWIW, I know some of the guys who started the Chrome project. Actually, they didn't start Chrome, they started V8. The point was to prove that Javascript engines could be orders of magnitude faster than they were, and to

  • by tehlinux ( 896034 ) on Tuesday July 28, 2015 @03:17PM (#50199311)

    > by randomizing the rate at which characters reach the DOM

    Just do what IE11 does and randomly don't send some characters to the DOM.

My sister opened a computer store in Hawaii. She sells C shells down by the seashore.

Working...