114
submitted 3 days ago by who@feddit.org to c/privacy@programming.dev
you are viewing a single comment's thread
view the rest of the comments
[-] Deebster@infosec.pub 16 points 3 days ago

It does not capture the actual keys being pressed, according to the company. It studies the timing and rhythm instead.

That is addressed in the article. Because it's JavaScript, we can verify this, and I'm sure that people will be scrutinising every revision of the code to check.

[-] treadful@lemmy.zip 20 points 3 days ago

Because it’s JavaScript, we can verify this, and I’m sure that people will be scrutinising every revision of the code to check.

Have you ever seen obfuscated JS? I'm not saying it's impossible, but de-transpiling it into something for a human then analyzing it is not trivial work.

Don't bet on something not being terrible just because someone with the skill could maybe spend a lot of time doing the work.

[-] canihasaccount@lemmy.world 5 points 3 days ago

Deobfuscators are fairly good IME. I haven't checked this code in particular, but I've never seen obfuscated JavaScript that was uninterpretable following deobfuscation

[-] treadful@lemmy.zip 1 points 3 days ago

Congrats on being awesome at code analysis. Have at it for everyone, then.

[-] pelespirit@sh.itjust.works 10 points 3 days ago

But you can tell what a person is typing by their timing and rhythm. I don't have time right now, but there are articles on that.

[-] Deebster@infosec.pub 10 points 3 days ago* (last edited 3 days ago)

True, people should search for "keystroke timing attacks". It's more effective if you include things like accelerometer data and audio.

We can see what Cloudflare's code is measuring and reporting to find out if those attacks would be possible.

this post was submitted on 13 Jul 2026
114 points (98.3% liked)

Privacy

4819 readers
275 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 3 years ago
MODERATORS