sereneblue / chameleon

WebExtension port of Random Agent Spoofer
https://sereneblue.github.io/chameleon
GNU General Public License v3.0

"protect keyboard fingerprint" improvements #231

Closed cosmopol closed 5 years ago

cosmopol commented 5 years ago

The function "Protect keyboard fingerprint" seems to be ineffective on many websites for the keyboard input is seemingly instantaneously processed allowing for keystroke dynamics fingerprinting (This type of tracking has been proven to be very reliable. Please remember that there are several pause metrics recorded, not just the initial keystroke pause. The dwell time is also often used.). On some websites the function occasionally seems to fail completely, but not in general. I have seen the very same behaviour with other keyboard fingerprint protection plugins for Firefox. There must be an underlying general problem here. One other explanation would be the unfortunate handling of pause timing RNG values. Maybe a minimum time amount should be set to better conceal keystroke metrics.

Examples include: https://www.ebay-kleinanzeigen.de main search field

There already has been a discussion ongoing that addresses similar issues -> https://github.com/sereneblue/chameleon/issues/201

Thank you for your hard work! I really appreciate it!

sereneblue commented 5 years ago

Thanks for pointing out the dwell time! At the moment, the delay is anywhere from 0 to the value specified by the user (default is 20ms). A minimum value does make more sense. I'll have to do some more research.

sereneblue commented 5 years ago

@cosmopol I've made some small updates to this feature. It'll be in the next update, ETA next week.

The inputs on the ebay site area are protected. Depending on your configuration, you may not notice the delay. To verify that it's working, try using a large value (1000), refresh the page and enter text in the field.

I've tested the new changes against https://www.keytrac.net using a 40ms delay and was able to achieve a really low match score. You won't be able to verify this using the official releases of Chameleon because textareas aren't protected.

If you're curious and want to test it yourself, follow these steps:

Once you're done testing, remove Chameleon from Firefox. Your existing installation will be preserved.

cosmopol commented 5 years ago

I have not tested it manually yet, but I assume that you are referring to the "Commits on Sep 2, 2019", thus the stuff should already work. I have to disappoint you. It does not work reliably either on https://www.keytrac.net/en/tryout or on any other website. There is virtually no delay, e.g. search results are handed out immediately, so right now I seem to see the missing protection in real time.

I have tried to turn off all Firefox add-ons except for Chameleon, but with no success so far.

I have to admit that I tend to heavily modify Firefox (especially with fingerprinting and services like Google Safebrowsing and Mozilla Shavar in mind) by using the "about:config" screen.

It would be best if you told me how to provide you with the necessary debug data. Everything else would be costly guesswork.

Again, thank you for making the world a better place!

cosmopol commented 5 years ago

PS: Chameleon - protect keyboard fingerprint is set to 1000ms

cosmopol commented 5 years ago

...Enable script injection is on

sereneblue commented 5 years ago

Hi @cosmopol,

It seems in my excitement to get this issue closed, I missed a typo that caused this feature to not work properly. I'll be doing a rewrite of the existing tests to catch these types of issues for v0.20.0.

If you want to try it on keytrac.net, you'll need to manually load a modified version of Chameleon, as mentioned in my previous comment.

Please let me know if this feature still does not work in v0.12.15.

cosmopol commented 5 years ago

You have basically reverted the functionality to the state before our discussion. Most AJAX windows and simple things like the Firefox search bars are still unprotected. The default pause does not change detection reliability for the algorithms just could detect that floor value (we are talking big data and governments here). You should make sure that your RNG is reliable. Please introduce iterative RNG calculations with chaotic systems, like mouse movements - never keystrokes (Do not use ready-made RNG APIs either, they are known to be 'influenced' by NSA&Company). It is the dynamics of the keystrokes that matter most, not fixed constraints between them.
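The dwell and flight timings discussed in this thread, as an added simulation that is not part of the thread and not Chameleon's code: it delays every keydown and keyup of a constructed trace by an independent uniform value in `[minMs, maxMs]` and measures how far the observed timings move from the real ones. Under this model the change depends only on the width of the range, so a fixed delay leaves dwell and flight times untouched. The trace, the function names and the seeded PRNG (used only for reproducibility) are assumptions of the example.

```javascript
// Added example: simulation only, not Chameleon's implementation.
// Constructed trace: [key, keydown ms, keyup ms] for typing "test".
const TRACE = [["t", 0, 95], ["e", 180, 260], ["s", 330, 440], ["t", 520, 600]];

// Dwell = keyup - keydown per key; flight = next keydown - previous keyup.
function features(trace) {
  const dwell = trace.map(([, down, up]) => up - down);
  const flight = trace.slice(1).map(([, down], i) => down - trace[i][2]);
  return { dwell, flight };
}

// Seeded PRNG (mulberry32) so runs are reproducible; not for security use.
function mulberry32(a) {
  return function () {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Delay each keydown and keyup independently by a uniform value in
// [minMs, maxMs], never reporting an event before the one preceding it.
function jitter(trace, minMs, maxMs, rand) {
  let last = 0;
  const shift = (t) =>
    (last = Math.max(last, t + minMs + rand() * (maxMs - minMs)));
  return trace.map(([key, down, up]) => [key, shift(down), shift(up)]);
}

// Mean absolute change of dwell and flight relative to the real trace.
function distortion(trace, minMs, maxMs, seed = 1) {
  const real = features(trace);
  const seen = features(jitter(trace, minMs, maxMs, mulberry32(seed)));
  const mad = (a, b) =>
    a.reduce((s, v, i) => s + Math.abs(v - b[i]), 0) / a.length;
  return { dwell: mad(seen.dwell, real.dwell), flight: mad(seen.flight, real.flight) };
}

console.log("real features:", features(TRACE));
console.log("delay 0-20 ms:", distortion(TRACE, 0, 20));
console.log("delay 20-40 ms:", distortion(TRACE, 20, 40));
console.log("fixed 40 ms:", distortion(TRACE, 40, 40));
```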

sereneblue commented 5 years ago

By Firefox search bar, I'm assuming you're referring to the search bar that is part of Firefox's UI? WebExtensions don't have the ability to do anything to it.

Chameleon isn't designed to protect you from governments. If your threat level is that high, you should not be using any extensions or have JS enabled. Unfortunately, I don't have the qualifications to roll my own RNG. Chameleon's keyboard fingerprinting protection is designed to protect you from some attacks, not everything. I'm not sure what you mean by AJAX windows (popups?), but I believe Chameleon's injection should cover that too. If not, that's definitely an area I'll take a look at.

I suggest blocking JS if you're concerned with keyboard fingerprinting. NoScript can also get you pretty far if you're a pragmatist.

cosmopol commented 5 years ago

OK, I get it. This project is not meant to be seriously protecting privacy. It's just a hobby, a code experiment etc. I therefore have to assume that the rest of the code, apart from input devices tracking protection, is designed similarly. I do not have the time to question and redo everything. Forking this project for instance is just too much for me. Let me know when you plan on creating a really spying-proof Firefox add-on and I will try to assist you to the best of my knowledge. Anyhow, thank you for your time. Have a nice one. :-)

sereneblue commented 5 years ago

> OK, I get it. This project is not meant to be seriously protecting privacy. It's just a hobby, a code experiment etc. I therefore have to assume that the rest of the code, apart from input devices tracking protection, is designed similarly. I do not have the time to question and redo everything. Forking this project for instance is just too much for me. Let me know when you plan on creating a really spying-proof Firefox add-on and I will try to assist you to the best of my knowledge. Anyhow, thank you for your time. Have a nice one. :-)

Have a nice one as well. I hope you can find what you're looking for!

cosmopol commented 5 years ago

No, I do not believe that I am being especially targeted by the Government, in fact everyone is. The classical mafia might also already have jumped aboard, but nobody knows exactly and nobody really cares. :-)

I have found some critical flaws with software, like yours. Most often metadata, font and device fingerprinting protection is done incorrectly, but you do not need to be a geek to find that out. There are a lot of resources online. Therefore maybe you should add 'beta' or 'experimental' to your project's name?

There are universal keyboard and fontset masking drivers for Windows, all fairly complicated, haven't bothered yet. Linux seems best for privacy. I don't need Firefox here at all. Anyhow, I want an easy way for everyone to be able to find shelter in terms of freedom and democracy. That's why I comment here.

A simple start to a TRNG could be realised by carefully sensing parts of the mouse coordinates and seeding a RNG with it. More coding is better though, but right now a RNG that does not break all the time would be a great start.

Do not take it personally. OK, now I will not bother you anymore with my nagging. Don't get me wrong. I really appreciate your efforts - everyone does for sure - but you act like a castle lord that doesn't mind leaving a few fortification gaps open. The defender needs to keep all gaps closed at all times, whilst the attacker only needs to open one gap once. Shitty game, I know, but this is how it is played. Got it? :-)

See you.

sereneblue commented 5 years ago

> Therefore maybe you should add 'beta' or 'experimental' to your project's name?

I think the version number of Chameleon implies that it'll always be a work in progress.

> Anyhow, I want an easy way for everyone to be able to find shelter in terms of freedom and democracy. That's why I comment here.

I don't use telemetry to collect information about the most used features of Chameleon but I'm inclined to believe that even among users who do value privacy, there aren't many who are willing to go as far as to implement a delay between each keystroke. There's a balance that has to be made between usability and effectiveness.

> Do not take it personally.

I'm not. I appreciate the civil discourse and understand where you're coming from. I just take a more pragmatic approach when it comes to privacy. :)

> but you act like a castle lord that doesn't mind leaving a few fortification gaps open.

I understand some users believe that Chameleon doesn't do enough. For those users, I suggest a Stallmanesque approach, disable JavaScript, or use NoScript.

Chameleon is an open source project that anyone can contribute to. I have other responsibilities and work on Chameleon when I can. If you truly have a need for perfect spoofing, a WebExtension is not what you should be looking for. Implementing hacks via a limited API for things that could be handled at the browser level will always be suboptimal.