by trustingtrust 995 days ago
A while back I stumbled upon Google Chrome's privacy settings and found things like serial port on your computer to be accessed by websites. Turns out Google has thrown everything in the mix because they probably want their 'Chromebook' users like children in school to use motion sensors for convertibles to maybe play games via a browser. Websites are just taking advantage of these things. The Chrome browser has ruined the internet.
5 comments

The browser is essentially the operating system for most computing today so access to peripherals is reasonable.

My current job uses USB security keys and I assumed I'd have to configure them in the OS before the browser was aware of them -nope! Chrome knows if the key is in the USB port and can interact with it with my approval, which is exactly right.

The leap from access to USB to access to serial is minimal. As long as the right permission checks are in place.

> The browser is essentially the operating system for most computing today

You're right, and it's such a bummer. I often think about how interesting it would be if we didn't end up with the Chrome/Safari browser duopoly and Windows/macOS duopoly on the desktop and Android/iOS duopoly for mobile. How cool would it be to see what the Amiga, Atari ST, Spectrum, OS/2, BeOS, etc... could have become with another couple of decades development. Even Windows and macOS would probably be different if they had to compete in a healthy, diverse ecosystem.

Instead, further concentration is probably going to happen once Apple allows alternate browsers. At that point, there isn't much to stop Google's Chrome from becoming the only application platform that really matters.

If we didn't have an OS duopoly, we'd have a programming language duopoly, GUI library duopoly or something of that sort.

It's just not reasonable to expect every company to maintain more than two or three completely different versions of their apps, and most would vastly prefer to maintain just one, hence Electron and React Native.

It would be a constant incompatibility hell, and most code would be littered with #ifdefs and polyfills.

You can argue that companies producing software tools would specialize, so you would use Microsoft image editing tools on Windows, Foo's image editing tools on Amiga, Adobe's image editing tools on Mac etc, but that argument breaks down when it comes to banks, movie and music streaming companies, games etc.

I think as software matures, we will settle on free software. We more or less already did server side.

Then it will be up to the OS maintainers to make sure the software is compatible with their operating system, like how it works with FOSS systems already.

A man can dream anyway...

Working in the streaming media space, I can tell you what happens when there isn't a duopoly. It sucks.

Making an app means:

Android (and Android TV being more work), iOS, web, Roku, Fire TV, Tizen, Vizio, WebOS (LG), and multiple set top box vendors who all have horrible underpowered CPUs.

Some companies try to do cross platform, and that sort of works, but it is janky and customers complain of the sorts of UX issues that always pop up with cross platform apps, and for any decent functionality you end up writing per-platform shims. Also some platforms (Roku) you have to write an app for anyway because the platform requires using a custom language. Other platforms (Set top boxes) are so underpowered that you can't really run anything resembling modern code on them.

It sucks. It is a huge waste of engineering effort for no real gain. Most customers don't choose a smart TV based on its OS, a large % of people choose based on what is on sale at Costco, and another demographic chooses whatever they are told is "the best" by reviewers.

Mobile app developers dealing with a duopoly have it easy, but even that dramatically increases barrier to entry compared to the 90s where you just had to write one app for Windows and so long as you only used documented APIs, Microsoft would move heaven and earth to make sure your app kept working between major OS updates.

> Instead, further concentration is probably going to happen once Apple allows alternate browsers. At

Not if the DoJ forces Google to abandon Chrome. Which they should.

Apple and Google should lose their app store monopolies (including first party default preference), Google should lose the Chrome monopoly. These are incredibly harmful to technology and competition.

Each company has plenty of money, attached user base, and engineering headcount to continue to be wildly successful and profitable without operating in a way that damages the rest of the tech sector.

I’d probably add WebOS to that list too even though it’s currently living on in LG tvs.

The idea of WebOS is strong enough it seems to have lived on through Palm, HP, LG and now also a forked version.

It really was late to the mobile os race, but ahead of its time.

https://www.webosose.org/docs/tutorials/web-apps/developing-...

And more generally:

https://www.webosose.org/

It was so ahead of its time, that I've _recently_ seen Apple and Google "invent" paradigms it was using all those years ago.
Very true.

The designer of WebOS now works on asteroid too, though.

WebOS absolutely belongs in that list.
>How cool would it be to see what the Amiga, Atari ST, Spectrum, OS/2, BeOS, etc..

But all of these systems did exist. And for whatever reasons, they did not survive in the market. So the market decided they were not what was wanted.

> So the market decided they were not what was wanted.

No, the competition decided what they wanted, by using shady-as-shit (as well as out right illegal) tactics to squash everyone else.

People _loved_ their Amigas, STs, Be boxes, etc. They loved them so much that there are still some nutjobs out there trying to keep Amiga alive! Do you think there'd be that kind of devotion for Windows 40 years later, if it died around 3.1?

No, the users didn't choose. A loose hand on monopoly law did.

How much of that was the market decision and how much was illegal anticompetitive practices that got Microsoft in trouble a few decades ago? Paying manufacturers that used them while penalizing those that made other OS's available, amongst other practices. Hell the only reason Apple is around today is Microsoft bailed them out so they could point at Apple and claim in court there was a competitor and therefore were not a monopoly back in the 2000s.
Or the market remained irrational longer than they could remain solvent. It's an economic system, it's not omniscient.
People using invisible hand / the market decided arguments gloss over the fact modern capitalism is yet to produce truly fair markets without corruption.

If only it was as simple as letting buying power decide.

Is it really? Many people today seem to be living in a world almost purely of apps. Besides using The Google to find a piece of trivia, I hardly see anyone living in the browser to the extent that they are treating it like an OS in and of itself. If anything, the browser is seen as antiquated. The decision of browser makers to expose so many non-document APIs seems to not be closely connected to direct consumer demand for them.
How many of those apps are wrappers around a browser though?
Kind of doesn't matter since such wrappers routinely use native code or "plugins" to allow for behavior nonstandard to browsers, although your point is totally fair.
The only viable alternative to iOS/Android apps are web apps. Apple fights it by limiting number of features you can use in the browser on mobile phones and no alternative browsers. Google - by saying, ok, go with it, you will use tech, that we control anyway.

The current amount of hacks needed to make the native desktop apps compatible across even the same operating system, but different versions, is kinda scary. Pretty sure the similar situation for mobile apps too.

Huh? But there's so much diversity in the desktop space. You have Windows/Mac, but then Debian/Rhel, Free/Net/OpenBSD, SteamOS, ChromeOS, Tails, NixOS, Qubes, Solaris Family, ReactOS and that's just the ones I've actually seen people use at conferences.

The browser space has never been more diverse as well, most of them use Chromium under the hood but who cares, Chrome was Webkit was KHTML when it started too. A browser's success is only somewhat related to its engine. Having a base you can build on that guarantees all current and future websites will work and be performant on has allowed for crazy levels of experimentation.

> most of them use Chromium under the hood but who cares

We should all care, because people start writing apps that work on Safari and Chrome only rather than to a standard. The web wasn't meant to be controlled by two companies, the idea was using standards anybody can implement.

Use Firefox and see what sites you are using regularly that don't work because they are Chrome-specific.

I've been Firefox only for more than a decade now (although tbf not on iOS) and I've still yet to find a site that straight up doesn't work. I've had some sites where I've had to tell it I'm using Chrome because of poor user agent sniffing but it's been a long time since that was necessary. Ahh Netflix when it still used Silverlight.
The site which lists available COVID vaccination times for this region of Sweden does not work in Firefox but does work in Safari: https://www.vgregion.se/ov/hitta-vaccinationstider-vgr/vacci...

I don't know the reason for the Firefox failure.

The Adobe site https://new.express.adobe.com/tools/generate-qr-code# says it does not work with Firefox, but if I change the User-Agent it does work.

I ran into both in the last month.

Your experience for most of that decade was when Firefox was much more widely used than it is now, so had a higher support priority.

There are plenty; anecdotally, I run into them more than not.
My bank is doing some security theater fingerprinting (instead of something actually secure, like 2FA, but that's a different story), which in the end means I can't login to my bank account using Firefox anymore these days.
Chrome/Safari isn't a duopoly, it's the same browser (Webkit).
Not at all.

While they have shared origins, Chrome (Blink) and Safari (WebKit) have been going separate ways for quite a few years now.

WebUSB is actually a W3C open standard. For instance, the BBC:MicroBIT educational dev environment runs in a web browser and allows python code to be pushed to the microcontroller straight from the browser.

https://developer.mozilla.org/en-US/docs/Web/API/WebUSB_API

Isn't that neat?! Well, it could be, as long as your browser didn't allow this to be used, probed or even enumerated without explicit consent.

> WebUSB is actually a W3C open standard.

This is misleading at best. Here’s what the actual spec says <https://wicg.github.io/webusb/>:

> This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.

It’s an experimental spec by Google (observe the affiliation of the three editors: all Google); Mozilla has adopted a negative position on it <https://mozilla.github.io/standards-positions/#webusb>; WebKit has not remarked upon it.

To my knowledge, no browser allows any usage of WebUSB without a prompt.

WebAuthN is different, since it does not provide sites low-level peripheral access – WebAuthN and CTAP have been designed for specifically this environment and go to great lengths to make fingerprinting hard.

As long as you don’t actually use an authenticator on a site to store a credential, it won’t be able to learn anything about it.

Not sure about this, but I think from JavaScript you can absolutely probe stuff without explicit user consent. For instance, without accessing any USB device I can try:

  if(!navigator.usb) {
    console.log("learned that browser does not have USB capability");
  } else {
    console.log("learned that browser has USB capability");

    navigator.usb.getDevices().then((devices) => {
      devices.forEach((device) => {
        console.log(device.productName);
        console.log(device.manufacturerName);
      });
    });
  }
(Which is useful for fingerprinting.)
Okay, so you can learn that Chrome supports WebUSB and Firefox doesn't. But you already knew that from the User-Agent header...
Hahah, so you think. But now you have additional telemetry to show that this wasn't cURL forging a Chrome (or Firefox) user-agent header.

Fingerprinting sounds sophisticated, but it's just collecting the bits and pieces into something that (mostly, probabilistically) identifies you. And then tracking you, surveilling you till you're somewhere where they can identify you.

From there: profit!
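An added example, not part of any comment in this thread: it separates the two things the snippet above does, the synchronous feature test that yields one bit per API with no prompt, and the listing call (`getDevices()` for WebUSB and WebHID, `getPorts()` for Web Serial), which resolves only with devices the user has already granted to the origin. The navigator objects and the device entry are constructed stand-ins so the code runs outside a browser.

```javascript
// Added illustration; the mock objects below are constructed, not real browser state.

// API name -> method that lists what this origin was already granted.
const DEVICE_APIS = { usb: "getDevices", serial: "getPorts", hid: "getDevices" };

// Synchronous feature detection: one bit per API, never triggers a prompt.
function featureBits(nav) {
  const bits = {};
  for (const name of Object.keys(DEVICE_APIS)) {
    bits[name] = nav[name] !== undefined && nav[name] !== null;
  }
  return bits;
}

// Count the devices each API lists without showing a chooser. In browsers these
// calls resolve only with devices the user previously granted to this origin.
async function grantedCounts(nav) {
  const counts = {};
  for (const [name, method] of Object.entries(DEVICE_APIS)) {
    counts[name] = nav[name] ? (await nav[name][method]()).length : null;
  }
  return counts;
}

// Constructed stand-in for a navigator that exposes the three APIs.
function mockNavigator(granted) {
  const list = (items) => async () => items.slice();
  return {
    usb: { getDevices: list(granted.usb || []) },
    serial: { getPorts: list(granted.serial || []) },
    hid: { getDevices: list(granted.hid || []) },
  };
}

const noDeviceApis = {};                  // browser that ships none of these APIs
const freshProfile = mockNavigator({});   // APIs present, nothing granted yet
const afterGrant = mockNavigator({        // user approved one USB device earlier
  usb: [{ productName: "Constructed Device", manufacturerName: "Example" }],
});

async function demo() {
  const cases = { noDeviceApis, freshProfile, afterGrant };
  for (const [label, nav] of Object.entries(cases)) {
    console.log(label, featureBits(nav), await grantedCounts(nav));
  }
}

demo();
```

In a real page, pass `navigator` instead of a mock; a fresh profile reports the API bits but zero devices until the user picks one in the browser's chooser.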

>The browser is essentially the operating system for most computing today so access to peripherals is reasonable.

Sure, but the fact that browsers became operating systems is unreasonable in the first place.

Why? Isn't the web basically the perfect fully virtualized and sandboxed environment with a highly standardized and open API and a sophisticated, accessible UI toolkit, with elaborate development tools built right in, like we always dreamed of? Isn't the web basically the perfect OS?
> Isn't the web basically the perfect OS?

I don't think so at all. Web-based applications tend to suck, and it seems to me that much of the reason is because the browser is very imperfect as an OS.

And yet you are posting this on HN, which one could argue is a Web application.

And don't forget shopping online, there are a few small web shops out there with great UX.

And you can use 20 year old websites just fine, the web has great backwards compatibility too.

Web apps don't have to suck.

> And yet you are posting this on HN, which one could argue is a Web application.

I think if HN counts as a web app, then "web app" has no meaningful definition.

> Web apps don't have to suck.

Maybe, maybe not. All I know is that the ones I've used (and have to use at work) do suck.

>And yet you are posting this on HN, which one could argue is a Web application.

Which has 0 to do with the virtues of the Web as OS and much more to do with catharting the pain and frustration induced by sharing the digital world with people with shockingly bad points of view through acting in kind. A game nobody wins; alas...

Yes, and most importantly: nobody owns it.

Sure, we all complain about Chrome and its outsized influence, but at the end of the day the standards are more open than not and Safari and Firefox mostly work most of the time on most of the pages. That's a stark contrast to, say, .NET vs Cocoa or Android vs Apple app stores.

>mostly work most of the time on most of the pages

well, that sounds perfectly reasonable that only some pages are not standards compliant. :facepalm:

"Comply or we will break your shit" works better in closed ecosystems. I'll take a little mess over a 30% tax and heavy-handed temperamental moderation any day of the week.
Not fully disagreeing, but the web feels more heavy on RAM and other resources than native software. Also, the only programming language being Javascript, which is just starting to sort of change with WebAssembly is also far from ideal. Some other stuff like storage is also comparatively recent AFAIK.
If it were, then people wouldn’t bother writing native applications.
Seeing where the mobile world goes, I still prefer my browsers, at least I can modify the websites as I want.

Sure it's not great, but the alternatives are worse.

Not to mention the sandboxing. I'm glad a lot of the "apps" I use are just "webapps", so that I can trust them less. A user process on a desktop OS is given an insane amount of permissions by default, though this is being fixed, slowly
That's also a good point yes, the browser sandbox is the strongest that we know of.
If it’s proprietary, it can stay in the browser sandbox.
IDK, that seemed to be the vision even back in the Netscape days.
That was always the end goal.
> The browser is essentially the operating system

That's a fashionable observation; I think it's a kind of illness. The idea that you can take over anyone's computer, and make it do things the user doesn't want done, and doesn't know are being done, makes some web developers' heads swim; they can turn the whole internet into a sort of distributed supercomputer for their own private use. WHATWG bears a lot of responsibility for this.

A real operating system doesn't download and execute code from unverified remote locations. Nearly every website nowadays tries to load and execute in the browser code from any number of remote locations, without the user's approval or even knowledge. By default, I only allow 1st-party JS, which I consider to be an extremely liberal policy.

> A real operating system doesn't download and execute code from unverified remote locations.

Sorry, but that is pretty much the standard way to install apps on windows.

That the browsers execute untrusted code all the time and still are secure is an advantage of web technology.

> Sorry, but that is pretty much the standard way to install apps on windows.

Maybe now, but when I was on XP and, later, Windows 7, you only had a handful of software you would use (I have all of them on a CD, and later on an HDD). Things like VLC, Notepad++, Codeblocks, Office, and others. It requires trust, but these programs did not phone home, AFAIK, every second. That's what we lost, trust in our computer and the software programs running on it. And now, it is a hostile relation between customers and software developers. I wasn't concerned about VLC tracking the file I opened with it, or Office scanning my documents.

> That the browsers execute untrusted code all the time and still are secure

But they aren't secure. Most of that untrusted code is doing stuff that's of no value to the user, and is positively against the express interests of many users.

> The browser is essentially the operating system for most computing today

The browser is more of a universal user interface than a universal OS.

Of course something like chromeOS/ChromiumOS is an OS that boots directly into a browser, but it’s not a universal interface.

Maybe WebOS was a step in that direction being a mobileOS that was all html and JavaScript.

Screenshots: https://www.webosose.org/docs/guides/getting-started/webos-o...

https://www.webosose.org/docs/tutorials/web-apps/developing-...

> The browser is essentially the operating system for most computing today so access to peripherals is reasonable

I suppose. Not for me, though, as I don't (and won't) use web apps or complex websites. I sorely wish there was a browser that simply didn't have that capability.

I guess I don’t know how you got from A to B there. I love the idea of kids being able to experiment with serial ports (though I’m not sure what you mean in that context, WebUSB?) in a safe, locked down programming environment.

Ideally it wouldn’t mean random web sites request motion data from you but I really don’t see this as ruining the internet.

Webserial lets Home Assistant users flash their ESPHome devices without downloading or compiling any software. WebUSB let Google update my Stadia Controller to a normal controller after they shut down their cloud services. It also offers firmware updates for some Pixel phones.

These are all quite useful tools. I've never used WebMIDI but it's older than the other Web* APIs. When you have a use case for them, the APIs are a lot better than figuring out a cross platform serial port protocol (or, more realistically, writing a Windows application and letting the Linux/macOS/Android users figure it out themselves).

WebSerial/USB/Bluetooth doesn't do anything unless you permit it to. If websites used this feature, you've clicked "okay" when mapquest.com asked to use your serial port.

My students were able to program Arduino devices from their Chromebooks because of this tech. That would have been inaccessible to them if they had to use a "real" OS, which the school did not provide.
A failure of the school, then.
You have to explicitly grant permission for a site to use a serial port.
And it can be rather practical. I've flashed firmware onto some devices using an online tool.
The existence of the Web Serial API is a godsend for working with many embedded devices. The ability to flash a device directly from the web instead of futzing around with a commandline tool feels like magic.

Unfortunately, Mozilla decided that this (and other related functionality) is "harmful". https://mozilla.github.io/standards-positions/#webserial

It is a shame, because the overlap between people who use Firefox as their main browser, and people who tinker with microcontrollers is likely pretty large.

Serial ports are everywhere and these APIs can provide quite a lot of fingerprinting capabilities.

I understand why Mozilla is hesitant. "Why does a browser need to give access to a serial port" is a good question. Certain web tools have definitely proven useful (especially when using an Android device to flash microcontrollers!) but if you asked the average internet user 20 years ago if their browser should provide websites with access to their serial ports, you'd get laughed at.

I hope Mozilla reconsiders their positions on this, because this is just one of those reasons I keep Chrome installed. I need it very rarely, but when I do, it's often because Mozilla made a choice I disagreed with (like their decision to remove anything resembling PWAs on desktop Firefox, which is why I have a bunch of Chrome shortcuts in my application launcher now).

> "Why does a browser need to give access to a serial port"

Why does a program need to give access to a serial port?

> if you asked the average internet user 20 years ago if their browser should provide websites with access to their serial ports, you'd get laughed at

What if you included "Only if you allow it"?

Web browsers used to be about websites, not applications. That's my point. It took years even after Gmail discovered the XmlHttpRequest for in-browser HTML applications to even become a thing people would just use.

> What if you included "Only if you allow it"?

You'd probably hear something like "IE/Opera is bloated enough already", I just want my downloads to finish faster.