"the timings of and between key presses are unique to each person".
I wonder if there are more of these "features" and how many it would take to build up an online profile of a user consistent regardless of the hardware used.
So I saw that their planned "fix" was to introduce random latency to the key presses to hide the true timings, but does that really help anything?
When it comes to timing attacks in things like decryption or password comparisons, I thought random latency was a pointless addition as it only requires a bit more sampling before you can pull the underlying differences out.
Does it work in this instance just because the numbers involved are a few magnitudes less than they would be with something like network requests?
I would have thought the same. However, instead of adding random latency, one could have a buffer that only allows a couple of fixed output rates (e.g., 150, 160, ..., 300 CPM) when typing.
This would probably be quite annoying to type on though :-)
Yes, making it appear constant is the only real solution, if the attacker has access to multiple traces and is able to use some statistical tools.
But this still supposes that the attack is carried over the network. If the attacker can, e.g., monitor the electrical activity of the physical keyboard, then it's another thing entirely.
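The trade-off discussed in the comments above, as an added example that is not part of the original thread: a small simulation comparing per-key random latency with a fixed-rate release buffer. The two typists, the 100 ms maximum delay and the 200 ms tick (300 CPM) are constructed values, and the model assumes both typists are faster than the tick so the buffer never runs empty.

```python
import math
import random
from statistics import fmean

def typist(lo_ms, hi_ms, n, rng):
    # Constructed inter-key intervals (ms) for a hypothetical typist.
    return [rng.uniform(lo_ms, hi_ms) for _ in range(n)]

def with_random_latency(intervals, max_delay_ms, rng):
    # Each key event is delayed independently by 0..max_delay_ms.
    # Observed interval = true + (delay_next - delay_prev): zero-mean noise
    # that telescopes away when the intervals are averaged.
    d = [rng.uniform(0, max_delay_ms) for _ in range(len(intervals) + 1)]
    return [iv + d[i + 1] - d[i] for i, iv in enumerate(intervals)]

def with_fixed_rate(intervals, tick_ms):
    # Keys are buffered and released at most one per tick.
    out, arrival, prev = [], 0.0, None
    for iv in [0.0] + intervals:
        arrival += iv
        release = math.ceil(arrival / tick_ms) * tick_ms
        if prev is not None:
            release = max(release, prev + tick_ms)
            out.append(release - prev)
        prev = release
    return out

def observed_gap(max_delay_ms=100, tick_ms=200, n=2000, seed=1):
    # Difference in mean inter-key interval between the two typists,
    # as seen by an observer under each mitigation.
    rng = random.Random(seed)
    a = typist(120, 180, n, rng)  # slower typist
    b = typist(90, 150, n, rng)   # faster typist
    return {
        "true": fmean(a) - fmean(b),
        "random_latency": fmean(with_random_latency(a, max_delay_ms, rng))
        - fmean(with_random_latency(b, max_delay_ms, rng)),
        "fixed_rate": fmean(with_fixed_rate(a, tick_ms))
        - fmean(with_fixed_rate(b, tick_ms)),
    }

if __name__ == "__main__":
    for name, gap in observed_gap().items():
        print(f"{name:15s} mean-interval gap between typists: {gap:6.2f} ms")
```

With random latency the gap between the typists stays within a fraction of a millisecond of the true gap, while the fixed-rate buffer reduces it to zero at the cost of a growing input backlog.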
It's fairly easy to create a div which behaves the same way as an HTML input field, and there are other ways. Ultimately I think you'd have to not fire key events, period.
Agreed, you'd have to fire string input rates, and defer the underlying update until either enough buffer has entered to warrant a mid-point sync, or input has paused for a decent length of time. (say 10s)
For 'hardened' browsers I'd recommend a visual indication of this timeout (a pie chart which completes like a clock at a fixed rate while paused is the first concept that I think of).
Because of this, it is possible to measure keypress AND key release timings _very precisely_, for any console user of a machine we have an unprivileged account on.
Surely. But that assumes they consider the possibility I'm using Dvorak. And if I switch which keyboard layout I'm using it'll help more. (But honestly that's likely to be too much bother and I wouldn't follow through with that practice.)
Sure, that would be an issue. They tend to vary quite a bit more than my regular typing though. And I often go weeks or months without hunt-n-pecking, so it's really not a practiced method with a consistent timing.
Most of the Coursera courses I took gave quizzes that were mainly multiple choice, thus limiting the availability of a keystroke-corpus to identify the user.
Curious if this has changed recently to warrant this comment as the last course I took was a while ago.
The problem with this is that there's too much stuff and value units being created by the developers, which has devalued everything, but they haven't updated the value unit gain rate for some time.