- i made a demo website based on a paper i read (trampert et al)
- it uses webassembly for most but some can probably be swapped to only javascript
- it also tries to detect tails, kloak, mouse polling rate, clock skew, tor circuit ping floor and a few more things
- it’s a static website so you can use it without internet if you’re concerned
Very interesting. I don’t immediately know what all of the stats are measuring, but it looks like it may be useful. I believe the paper you’re referencing is:
https://www.researchgate.net/publication/367585237_Browser-Based_CPU_Fingerprinting
Did you have any success getting a fingerprint based on keyboard and mouse biometrics despite the use of Kloak? (I’m particularly interested in that since I did most of the work rewriting Kloak for enhanced mouse input anonymization for Whonix 18.)
enabling ftz/daz before launching tor browser stops the stall test from working. that was the only real javascript-only test. but i have a new test that works perfectly in safer mode (wasm and jit disabled). i can dm if that’s a feature on here. in safest mode, a heavy css timing test can likely test for gpu acceleration and general speed of cpu. but that’s about it from what i’ve tried.
yes that’s right.
i have something akin to typenet for keyboard biometrics but i don’t have any samples to test it on. not super web friendly. but using behavioral characteristics is simple enough:
- page navigation using scroll wheel, page up and down keys, arrow keys
- input navigation using arrows, ctrl arrows, clicking
- capital letters using caps lock or shift key
- copying by right click or ctrl c
- use of ctrl f
- selecting paragraph by drag, triple click, shift click
- selecting paragraph while reading
- clicking or selecting where no elements are
- typos on which key
- typing speed
- if mouse movements happen while typing
then, of course, stylometry. i’ve been in conversation with someone who says using on-device llms for anti-stylometry and exclusively pasting its output is the way to go. but when they use it to talk with me, the outputs aren’t always coherent. that would stop most of what i’ve described.
It’s not.
(Private Messages)
Some features are broken.
- Secure level when accessing through the Chrome browser
- Kloak is always detected, even when I access the page from my phone…
it’s built for x86 tor browser exclusively. haven’t tested with mobile or other browsers.
javascript-only test for cache sizes by testing latency at different sizes. works in safer mode.
```javascript
function cache() {
  // Working-set sizes to test, in KB.
  const sizesKB = [16, 32, 64, 96, 128, 256, 512, 1024, 2048, 3072, 4096, 8192, 12288, 16384, 20480, 24576, 32768, 49152];
  const results = [];
  const unrollFactor = 8;
  // Loop iterations; each iteration does unrollFactor loads (8,000,000 total).
  const ops = 8_000_000 / unrollFactor;
  for (let i = 0; i < sizesKB.length; i++) {
    const sizeKB = sizesKB[i];
    const numElements = (sizeKB * 1024) / 4; // 4 bytes per Uint32 element
    const data = new Uint32Array(numElements);
    // Each element holds the index of the next one to load (stride of 10007 elements).
    for (let j = 0; j < numElements; j++) {
      data[j] = (j + 10007) % numElements;
    }
    // Warm-up pass before timing.
    let ptr = 0;
    for (let k = 0; k < 100_000; k++) {
      ptr = data[ptr];
    }
    // Wait for the clock to tick so that timing starts on a tick edge.
    let start = performance.now();
    while (performance.now() === start) { }
    start = performance.now();
    // Timed loop: 8 dependent loads per iteration.
    for (let k = 0; k < ops; k++) {
      ptr = data[ptr]; ptr = data[ptr]; ptr = data[ptr]; ptr = data[ptr];
      ptr = data[ptr]; ptr = data[ptr]; ptr = data[ptr]; ptr = data[ptr];
    }
    const end = performance.now();
    results.push({
      Size: sizeKB >= 1024 ? (sizeKB / 1024) + "MB" : sizeKB + "KB",
      // Elapsed milliseconds converted to nanoseconds per load.
      "ns": Math.round((end - start) * 1_000_000 / (ops * unrollFactor))
    });
  }
  console.table(results);
}
cache();
```
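
As an added example (not code from the thread or from the demo site), this models how a coarse `performance.now()` changes the ns-per-access figure that the posted `cache()` loop reports, which is what a timer-precision mitigation has to achieve against this test. The latency curve and the clock resolutions are constructed values, and the model assumes the clock rounds down with no jitter.

```javascript
// Added example: quantization of the cache() result by a clamped clock.
const ACCESSES = 8_000_000; // total loads per size in the posted test

// Constructed latency curve (true ns per access), NOT measured data.
const CONSTRUCTED_CURVE = [
  { size: "32KB", ns: 1 },
  { size: "512KB", ns: 4 },
  { size: "8MB", ns: 12 },
  { size: "48MB", ns: 80 },
];

// The posted code busy-waits until performance.now() changes, so timing
// starts on a tick edge; only the end timestamp is rounded down.
function reportedNs(trueNs, resolutionMs, accesses = ACCESSES) {
  const elapsedMs = (trueNs * accesses) / 1_000_000;
  const seenMs = Math.floor(elapsedMs / resolutionMs) * resolutionMs;
  return Math.round((seenMs * 1_000_000) / accesses);
}

// Worst-case underestimate per access for a given clock resolution.
function maxErrorNs(resolutionMs, accesses = ACCESSES) {
  return (resolutionMs * 1_000_000) / accesses;
}

// Group sizes whose reported value is identical: within one group the
// results table no longer separates the cache levels.
function indistinguishableGroups(curve, resolutionMs) {
  const groups = new Map();
  for (const { size, ns } of curve) {
    const key = reportedNs(ns, resolutionMs);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(size);
  }
  return [...groups.entries()].map(([ns, sizes]) => ({ ns, sizes }));
}

for (const res of [1, 100]) { // constructed resolutions, in ms
  console.log(`resolution ${res} ms, max error ${maxErrorNs(res)} ns/access`);
  console.table(indistinguishableGroups(CONSTRUCTED_CURVE, res));
}
```

In this model the 100 ms clock collapses the three fastest rows into a single 0 ns reading, while the slowest row is still visible at 75 ns instead of 80 ns.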