upvote

points

by zb322 hours ago |
comments
upvoteby Orygin21 hours ago|
next
[-]
> breaking computing for everyone else

How is not implementing a Draft spec, which may compromise security badly, breaking computing?

Overreacting much?

reply
upvoteby zb321 hours ago|
parent|
[-]
This is not just an isolated incident, it's the whole trend of limiting capabilities in the name of security and that's what I was referring to.

However in this particular case, even the security argument doesn't hold, either I:

a) know that I want to use USB - in that case I'll switch browsers or download a native binary (even more unsafe), it's not that I'd decide that I no longer want to flash my smartphone

b) I don't understand what's happening but I follow arbitrary instructions anyway - WebUSB changes nothing.

reply
upvoteby Orygin19 hours ago|
parent|
next
[-]
A native binary can be verified by anti malware systems, and once installed and working, poses no security risk.

A 0day in a browser for the WebUSB system would allow any website to mess with arbitrary USB devices connected to your computer.

While the browser sandbox is generally safe, it is also a huge target, and with a security risk like that, it wouldn't surprise me if it's a prime target for black hats.

reply
upvoteby skydhash21 hours ago|
parent|
prev|
[-]
So instead of using trusted vendors or requiring tools with auditable code, we just allow everyone to be able to access the user’s devices?
reply
upvoteby CamperBob220 hours ago|
parent|
[-]
What a concept. We could call it "Personal Computing."
reply
upvoteby skydhash19 hours ago|
parent|
[-]
Not really that personal when every webpage is itching to put their hands on it.
reply
upvoteby lpcvoid22 hours ago|
prev|
next
[-]
Fair, but remember that we are the <~1% of people who even know what webusb is. I'm not sure I share your view on this.

Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals.

reply
upvoteby barnabee21 hours ago|
parent|
[-]
I’d be ok with an about:config switch, but given that many people will install anything, paste arbitrary text into terminals, and share their password/pin code with complete strangers for almost no reason, I think we need to stop making our tools less powerful in pursuit of an impossible goal.
reply
upvoteby troupo21 hours ago|
prev|
[-]
> They can click everything away, so maybe

So maybe don't populate the browser with dozens of features requiring permission popups?

reply