[tbb-dev] Adding defenses against keystroke and mouse stylometry into TBB

Tom Ritter tom at ritter.vg
Mon Aug 3 14:01:54 UTC 2020


If you're referring to recording the timing of keystrokes or mouse
movements - no.  Personally, I think the effectiveness of these
attacks is pretty low, with a high false positive rate, which makes
them not-very-effective.

In theory, mouse movements could be countered by just never reporting
mouse position - support for phone/tablet based interactions means
that mouse-over based interaction is not accessibility friendly. This
wouldn't work for games or similar.

Keystroke timing would be a whole different ball game, and would
require changes to the core browser to (I guess) buffer and release
keystrokes on a set interval. And that wouldn't help if you're only
pressing a key every 100ms and not a few-per-that-interval.

I think this falls into the category of 'Attacks which might be
theoretically possible, but require significant engineering work to
address' and therefore until someone demonstrates a plausible attack
or shows up and is willing to do the engineering work, is lower
priority compared to fingerprinting techniques which are actively
being used or security hardening measures against exploits.  My 2
cents.

-tom

On Mon, 3 Aug 2020 at 01:15, <joel04g_t535e at secmail.pro> wrote:
>
> Does Tor browser have any defenses against mouse and keystroke stylometry,
> if not could some be implemented? It can be as simple as adding an add-on
> that you can turn on or off. I think this would add extra protection
> against invasive websites who attempt to identify users. Users could also
> disable this if the website isn't working or requires a captcha which
> thinks they are a bot.
>
> -Joel

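The buffer-and-release idea from the reply above, together with its caveat about slow typing, as an added example that is not part of the original e-mail and is not Tor Browser code. The function names, the 100 ms release interval and both keystroke traces are assumptions constructed for illustration.

```javascript
// Added illustration, not Tor Browser code. Function names, the 100 ms release
// interval and both keystroke traces are assumptions constructed for this example.

// Hold each keystroke until the next tick of a fixed release interval.
function bufferAndRelease(times, intervalMs) {
  return times.map(t => Math.ceil(t / intervalMs) * intervalMs);
}

// Inter-key gaps: the timing feature keystroke stylometry relies on.
function gaps(times) {
  return times.slice(1).map((t, i) => t - times[i]);
}

// Pearson correlation between true gaps and the gaps a page would observe.
function correlation(xs, ys) {
  const mean = a => a.reduce((s, v) => s + v, 0) / a.length;
  const mx = mean(xs), my = mean(ys);
  let sxy = 0, sxx = 0, syy = 0;
  xs.forEach((x, i) => {
    sxy += (x - mx) * (ys[i] - my);
    sxx += (x - mx) ** 2;
    syy += (ys[i] - my) ** 2;
  });
  return sxx === 0 || syy === 0 ? 0 : sxy / Math.sqrt(sxx * syy);
}

// How much of the typist's rhythm survives the buffer.
function residualTiming(trueTimes, intervalMs) {
  const seenGaps = gaps(bufferAndRelease(trueTimes, intervalMs));
  return {
    seenGaps,
    // Share of keys released on the same tick as the previous key.
    batched: seenGaps.filter(g => g === 0).length / seenGaps.length,
    correlation: correlation(gaps(trueTimes), seenGaps),
  };
}

const INTERVAL_MS = 100; // assumed release interval
// Constructed traces, in ms since the first key press.
const burst = [0, 22, 41, 65, 88, 110, 131, 155, 178, 199];   // several keys per tick
const slow = [0, 140, 390, 520, 830, 1010, 1380, 1490, 1800]; // at most one key per tick

for (const [name, trace] of [["burst", burst], ["slow", slow]]) {
  const r = residualTiming(trace, INTERVAL_MS);
  console.log(name, r.seenGaps, "batched", r.batched.toFixed(2), "r", r.correlation.toFixed(2));
}
```

On the burst trace the observed gaps collapse to 0 or 100 ms and barely correlate with the real ones; on the slow trace no keys are batched and the observed gaps still follow the typist's pauses to within one interval.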
