Announcement

Collapse
No announcement yet.

Chrome 61 Beta Rolls Out With JavaScript Modules, WebUSB Support

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Looks like the tinfoil hat brigade is out in full force again.

    Some points on WebUSB:

    - Permission is not generally granted. Devices have to whitelist domains.
    - Closing the associated web application will also close the command stream, thus this is already much more secure than the local driver software model.
    - Sites utilising WebUSB run inside a sandbox. They cannot access other sites/cross domain resources or gain access to devices connected to another domain.

    https://medium.com/dev-channel/the-w...l-f48ee04de0ab

    Comment


    • #12
      Oh Jeebus... what scares me is the idea of a unified cross-browser Social Media Sharing API.

      If you think the NSA has its hands in every nook and cranny of your life already, imagine what their reach will be like with a unified backdoor to all your contacts and content everyone you and those you know have every posted on these networks. I thought it was bad enough when they could easily access your email and browsing habits, monitor your SSL traffic, and monitor your TOR activity. The only thing giving us a modicum of privacy was the work involved in hacking a bazillion heterogenous sharing standards. Now they'll have that in their back pocket too. Welcome to 1984 folks.

      Comment


      • #13
        Originally posted by unixfan2001 View Post
        Looks like the tinfoil hat brigade is out in full force again.

        Some points on WebUSB:

        - Permission is not generally granted. Devices have to whitelist domains.
        - Closing the associated web application will also close the command stream, thus this is already much more secure than the local driver software model.
        - Sites utilising WebUSB run inside a sandbox. They cannot access other sites/cross domain resources or gain access to devices connected to another domain.

        https://medium.com/dev-channel/the-w...l-f48ee04de0ab
        And don't forget that all of that is only true so long as there's no privilege escalation exploits. cve.mirte,org has (ahem) one or two examples of that. Paranoia isn't unhealthy - it's sane. Your default settings should be to trust no-one, and then only trust what you can afford to lose to those you can reasonably trust to make sharing worth your while per risk/reward. If you put your eggs into the basket of believing in security models, without looking at the history of failure of security model implementations, social engineering, and simple user negligence, then you are doomed to loss/failure. If a tinfoil hat helps remind you of those things, or helps you behave similarly to how you must if you were cognisant of the real threats in the world, then more power to you. I pity the fool who thinks otherwise, and I despise the fool that mocks others for doing what they must to be safe at their level of competence.

        Comment


        • #14
          Google (or Mozilla) continue adding useless features(or used by 0.01% ) to their browsers, risking compromising even more whole system security. Instead of solving main issue of browsers worldwide which is memory-hog problem, memory leaks in general.
          First links showed by search engines for memory hog(s) are about ... Google Chrome/Mozilla Firefox biggest memory hogs, with a memory footprint bigger than a large virtual machine or an Oracle SGBD instance. And this behavior is unexcusable in 2017.
          Last edited by onicsis; 16 August 2017, 05:22 AM. Reason: Hmmm 😏, 😏

          Comment


          • #15
            "Inherent threats: Theft of sensitive data - Device compromise (mounting of device USB filesystem)" https://wiki.mozilla.org/WebAPI/Security/WebUSB

            "This is also probably the last thing we need to replace the OS with browser." LOL https://bugzilla.mozilla.org/show_bug.cgi?id=674718

            Comment


            • #16
              Originally posted by clockley1 View Post

              Why would WebUSB any less secure than WebGL? Unlike GPUs, USB devices cannot access system memory. Making a whole class of exploits moot.
              It requires your USB devices to all be net-safe. Originally WebGL had security holes as well until the drivers and in some cases the GPUs were fixed to not be vulnerable.

              Comment


              • #17
                Originally posted by [email protected] View Post

                Thanks for that. I just got to the flags page and disabled it.
                I think the point is that previously extensions could do this, but remote web-pages could not. In any case while U2FA is hacky, it is a lot safer than WebUSB in general, because at least those USB devices have been designed for that purpose. The main problem I have with WebUSB are 99.999% of all USB devices have been designed without having to fear remote hostile attacks.

                Comment


                • #18
                  Originally posted by linuxgeex View Post
                  Oh Jeebus... what scares me is the idea of a unified cross-browser Social Media Sharing API.

                  If you think the NSA has its hands in every nook and cranny of your life already, imagine what their reach will be like with a unified backdoor to all your contacts and content everyone you and those you know have every posted on these networks. I thought it was bad enough when they could easily access your email and browsing habits, monitor your SSL traffic, and monitor your TOR activity. The only thing giving us a modicum of privacy was the work involved in hacking a bazillion heterogenous sharing standards. Now they'll have that in their back pocket too. Welcome to 1984 folks.
                  It's a sharing API. It's super simple and there's not a lot you can do with it. Less than with some old browser extensions, in fact.
                  Most of the more powerful stuff of that particular API has been removed ages ago. Including chat and video functionality.

                  It's also incredibly transparent. It basically lets the user opt in to every provided Social API provider and then a button is added to the social panel.
                  Been in Firefox for quite some time already, albeit somewhat hidden (accessible by going to https://activations.cdn.mozilla.net/...harePanel.html)

                  Comment


                  • #19
                    Originally posted by carewolf View Post

                    I think the point is that previously extensions could do this, but remote web-pages could not. In any case while U2FA is hacky, it is a lot safer than WebUSB in general, because at least those USB devices have been designed for that purpose. The main problem I have with WebUSB are 99.999% of all USB devices have been designed without having to fear remote hostile attacks.
                    Did you miss the point where this will, in fact, only work with USB devices designed specifically for that purpose?
                    It's for things like Weblight, not general USB device access.

                    Comment


                    • #20
                      Originally posted by clockley1 View Post
                      Why would WebUSB any less secure than WebGL? Unlike GPUs, USB devices cannot access system memory. Making a whole class of exploits moot.
                      Do you know for a fact WebGL can access system memory or are you just assuming that? I get the impression it is a layer abstracted from direct OpenGL, which ought to prevent low-level hardware access.
                      USB devices are just as dangerous. Think keyloggers, webcams, flash drives, etc.
                      Last edited by schmidtbag; 16 August 2017, 11:04 AM.

                      Comment

                      Working...
                      X