by ocdtrekkie 1239 days ago
This is a technical view, not a human-centric view. There is absolutely a level of warnings that will generally work. Not always, but I've found a number of people in the process of being socially engineered trip up on the UAC prompt and become more suspicious, to the point of booting a scammer out of their PC... and calling me. Likely because of the full-screen effect design and the short, but relatively scary language of the prompt.

You've posited effectively that if we cannot stop people from compromising their computer we should not bother to try. Either let them be owned with a trivial popup and a single press, or remove their agency entirely.

However, a better approach to security would be to take responsibility for designs that allow easy compromise, and build systems designed to drastically reduce the likelihood a user compromises their machines.

We can't stop people from finding a shady installer for a driver on a file sharing site hosted in Russia and running it, but we can make 99% of people less likely to do it with good design.


Web USB can realistically improve security for billions of people globally. It will improve security for me and my family, and we're all humans.

Sure, it's not a magic wand that solves all problems, or makes malware disappear. I wish it did, but the fact that it doesn't is not a good reason to reject it.

It's deployed to billions of people globally, can you show me any evidence at all that there is any Web USB social engineering happening?

https://www.wired.com/story/chrome-yubikey-phishing-webusb/

Immediately after WebUSB shipped in Chrome: "security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo".

The fact that phishing (and fingerprinting etc.) isn't reported widely doesn't mean it doesn't happen. After all you trust Chrome to properly implement everything and take care of things. And yet here's an example of a different hardware standard, WebMIDI: https://twitter.com/denschub/status/1582730985778556931 (note the comment: "Chrome still allows web developers to enumerate attached MIDI devices without user consent or even a notification")

The attack here was that if you get tricked into giving a phishing site your password and Web USB access to your U2F key and then you press your U2F key, then the attacker can bypass the 2FA. I highly doubt this ever happened in real life, it was just a proof of concept.

In my opinion, the Chrome team overreacted and blocked all WebUSB access to any U2F/HID device.

Now if you want to update the firmware or configure your key you need to download an .exe and run it instead, which seems unfortunate to me.

If the phisher had said "Your U2F firmware is out of date, please download and run this update to continue", would that have been a vulnerability? That could also bypass 2FA (or anything else, for that matter).

That is a trivial phishing path. In fact, the phishing site could easily justify that process as being required for security! "We need access to your YubiKey to use it to sign you in" seems extremely plausible.