“The speed at which you type different letters betrays some information about which letters you’re typing. So ssh sends lots of ‘chaff’ packets along with your keystrokes to make it hard for an attacker to determine when you’re actually entering keys.”
A game developer noticed SSH was eating 50% of CPU. Discovered keystroke timing obfuscation, a security feature added in 2023 that floods the connection with decoy packets. It’s a real attack vector. Typing cadence can leak passwords. But the implementation is invisible to users and has real performance costs. The fix required forking Go’s crypto library to disable the feature. Security vs. performance tradeoffs are everywhere. They’re rarely this hidden.