[relate]

I would have thought the same. However instead of adding random latency, one could have a buffer, that only allows a couple of fixed output rates (eg, 150,160,...,300 CPM), when typing. This would probably be quite annoying to type on though :-)

[p4bl0]

Yes, making it appear constant is the only real solution, if the attacker has access to multiple traces and is able to use some statistical tools.

But this still suppose that the attack is carried over the network. If the attacker can, e.g., monitor the electrical activity of the physical keyboard, then it's another thing entirely.

[amelius]

The best solution would probably be to have the HTML input field not fire events for key down.

[imagist]

It's fairly easy to create a div which behaves the same way as a HTML input field, and there are other ways. Ultimately I think you'd have to not fire key events, period.

[mjevans]

Agreed, you'd have to fire string input rates, and defer the underlying update until either enough buffer has entered to warrant a mid-point sync, or input has paused for a decent length of time. (say 10s)

For 'hardened' browsers I'd recommend a visual indication of this timeout (a pie chart which completes like a clock at a fixed rate while paused is the first concept that I think of).