upvote

points

by gear54rus23 hours ago |
comments
upvoteby yjftsjthsd-h21 hours ago|
next
[-]
Are you calling WebUSB a basic feature? Because I'm willing to discuss whether we should have it, but that seems like an exaggeration.
reply
upvoteby lpcvoid22 hours ago|
prev|
[-]
How do you make sure that technically illiterate people don't just click away the requestDevice() popup? IMHO a browser offering device level USB access is a security nightmare and there is no way this can ever be made safe and convenient at the same time.
reply
upvoteby limagnolia22 hours ago|
parent|
next
[-]
Isn't that the same excuse Gooogle is using to lrevent folks from installing what they want on Android phones?
reply
upvoteby baby_souffle22 hours ago|
parent|
next
[-]
Essentially, yeah.
reply
upvoteby skydhash21 hours ago|
parent|
prev|
[-]
I do not agree with Google on preventing apk installation. But unknown apk is a different risk profile than letting unknown entities to access local usb devices.

The main issue in the former case is that google is posing itself as a gatekeeper instead of following a repo model like Debian or FreeBSD. That’s wanting control over people’s device.

Allowing USB access is just asking to break the browser sandbox, by equating the browser with the operating system.

reply
upvoteby exe3422 hours ago|
parent|
prev|
next
[-]
You can ask them to type one of the following sentences:

"I know what I'm doing, and giving a random website access to my USB host is the right thing to do."

"I'm an idiot."

reply
upvoteby jayd1620 hours ago|
parent|
[-]
I love this because the idiots would type out that they know what they're doing and the pros would save time by typing "I'm an idiot."
reply
upvoteby exe3419 hours ago|
parent|
[-]
hah I did think of the second one, but the first didn't occur to me.
reply
upvoteby gear54rus22 hours ago|
parent|
prev|
next
[-]
You simply don't. This quest of saving idiots from themselves is not gaining anyone anything and meanwhile other people get more and more useless restrictions.
reply
upvoteby Orygin21 hours ago|
parent|
[-]
Or you can just not give a loaded shotgun to every browser user on the off chance they need to interact with 1 (one) usb device per year.
reply
upvoteby leptons15 hours ago|
parent|
[-]
Or you can just not use the web at all. If you're so scared of it, why are you using it with browsers that have implemented all kinds of APIs that probably already scare you? You may as well just use the Lynx browser if you really want want to put your money where your (security) mouth is. It doesn't do anything, not even display images or CSS or run Javascript.
reply
upvoteby mvdtnz8 hours ago|
parent|
prev|
next
[-]
I'm tired of my computing being kneecapped in service of incompetent boomers. Enough is enough. If they're going to fall for dumb scams let them.
reply
upvoteby zb322 hours ago|
parent|
prev|
[-]
They can click everything away, so maybe educate them or buy an ios device for your relatives instead of breaking computing for everyone else.
reply
upvoteby Orygin21 hours ago|
parent|
next
[-]
> breaking computing for everyone else

How is not implementing a Draft spec, which may compromise security badly, breaking computing?

Overreacting much?

reply
upvoteby zb321 hours ago|
parent|
[-]
This is not just an isolated incident, it's the whole trend of limiting capabilities in the name of security and that's what I was referring to.

However in this particular case, even the security argument doesn't hold, either I:

a) know that I want to use USB - in that case I'll switch browsers or download a native binary (even more unsafe), it's not that I'd decide that I no longer want to flash my smartphone

b) I don't understand what's happening but I follow arbitrary instructions anyway - WebUSB changes nothing.

reply
upvoteby Orygin19 hours ago|
parent|
next
[-]
A native binary can be verified by anti malware systems, and once installed and working, poses no security risk.

A 0day in a browser for the WebUSB system would allow any website to mess with arbitrary USB devices connected to your computer.

While the browser sandbox is generally safe, it is also a huge target, and with a security risk like that, it wouldn't surprise me if it's a prime target for black hats.

reply
upvoteby skydhash21 hours ago|
parent|
prev|
[-]
So instead of using trusted vendors or requiring tools with auditable code, we just allow everyone to be able to access the user’s devices?
reply
upvoteby CamperBob220 hours ago|
parent|
[-]
What a concept. We could call it "Personal Computing."
reply
upvoteby skydhash19 hours ago|
parent|
[-]
Not really that personal when every webpage is itching to put their hands on it.
reply
upvoteby lpcvoid22 hours ago|
parent|
prev|
next
[-]
Fair, but remember that we are the <~1% of people who even know what webusb is. I'm not sure I share your view on this.

Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals.

reply
upvoteby barnabee21 hours ago|
parent|
[-]
I’d be ok with an about:config switch, but given that many people will install anything, paste arbitrary text into terminals, and share their password/pin code with complete strangers for almost no reason, I think we need to stop making our tools less powerful in pursuit of an impossible goal.
reply
upvoteby troupo21 hours ago|
parent|
prev|
[-]
> They can click everything away, so maybe

So maybe don't populate the browser with dozens of features requiring permission popups?

reply