Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online.
The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website—or any other site connected to the website—can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner's identity.
The prospect of widely available databases that identify users based on subtle differences in their typing was unsettling enough to researchers Per Thorsheim and Paul Moore that they have created a Chrome browser plugin that's designed to blunt the threat. The plugin caches the input keystrokes and after a brief delay relays them to the website in at a pseudo-random rate. Thorsheim, a security expert who organizes the annual PasswordsCon conference, and Moore, an information security consultant at UK-based Urity Group, conceived the plugin after thinking through all the ways the typing profiles could be used to compromise online anonymity.
(Score: 2) by Marand on Saturday August 01 2015, @03:42AM
Came to say the same thing. Yet another reason to start with something like NoScript and a blacklist-by-default policy, as if advertiser misuse and various other JS abuses weren't already enough.
(Score: 2) by mtrycz on Saturday August 01 2015, @03:05PM
Is "blacklist-by-default" an elaborate way to say "whitelist"?
In capitalist America, ads view YOU!
(Score: 2) by Marand on Saturday August 01 2015, @06:01PM
Is "blacklist-by-default" an elaborate way to say "whitelist"?
Not exactly. I'm not sure about other blockers, but NoScript's only method of operation is a whitelist. However, it also has settings to automatically whitelist certain domains, such as "temporarily allow top-level sites by default" and "allow sites opened through bookmarks". The last time I checked, NoScript's default settings were very lenient, sacrificing security for convenience by starting with those options checked.
So, by saying "blacklist by default", I was suggesting that NoScript be used with those convenience settings disabled so that it blacklists all JS on all sites by default. That way, it only allows JS if the user has explicitly whitelisted the domain. The user then takes full control (and responsibility) for JS execution, rather than risk being surprised later.