Greetings Lemmy

I have been developing a Firefox addon to throw off keystroke fingerprinting

https://addons.mozilla.org/en-US/firefox/addon/private-keyboard/

I suspect most people on lemmy are aware of browser fingerprinting, but i think alternate routes of fingerprinting are less talked about. Basically, websites can track your keystroke timings which are fairly unique to each person.

Addons like Ublock origin can address this problem, but that is inherently a blacklist approach which is not a good security method. I suspect that sites could do it partly server side anyways by using legit features like typing notifications on chat sites.

I developed this addon to defeat basic keystroke analysis by randomizing the time it takes keystrokes to be processed by a webpage with a floor of 150ms and a max of 300ms. I’m working on improving the UX, so i anticipate the typing speed to be increased eventually (I admit it is frustrating to type currently). I may add an iframe overlay approach/option that is mildly less secure but much more usable. You can whitelist sites that you trust. I tested it on typingdna[.]com and keytrac[.]net which are two spy companies that advertise keyboard biometrics as an alternative to 2fa (cringe) and for anti-fraud or creepy test proctoring purposes.

This is experimental and may not solve all issues (in particular it doesn’t prevent stylometry analysis yet). Also it may be possible for spies aware of the addon to account for the randomization.

There’s a downside aside from the frustration of slow typing, which is cpu spikes during typing, which is a side effect i haven’t been able to avoid due to JS limitations. If i’m able to make the iframe approach that would be fixed. Ironically the cpu spike may make it easier to use power analysis

Other software that attempts keystroke anonymization is the kernel level Kloak project and the Keyboard Privacy chrome addon that doesn’t seem actively maintained.

If you know JS and want to help shoot me a message.

    • gibsonOP
      link
      fedilink
      arrow-up
      3
      ·
      3 years ago

      (For other people to see): I tested it on keytrac and typingdna while i was writing the code and it worked, but i haven’t been able to thoroughly test it with another person (it should either detect 0% for each person or ~100% for each person on the same entry). So please report tests to me if anyone tests it.

    • BrownNote@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      3 years ago

      I’m on mobile and it said 100% no matter if it was spoken or typed… would make more sense using a physical keyboard.

      • blank_sl8@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 years ago

        I’m surprised they even let you run it on mobile. I tried it on a physical keyboard and it gave pretty reasonable numbers, when I tried to type strangely it wouldn’t identify me.