Hacker News new | ask | show | jobs
by repelsteeltje 1002 days ago
WebUSB is actually a W3C open standard. For instance, the BBC:MicroBIT educational dev environment runs in a web browser and allows python code to be pushed to the microcontroller straight from the browser.

https://developer.mozilla.org/en-US/docs/Web/API/WebUSB_API

Isn't that neat?! Well, it could be, as long as you browser didn't allow this to be used, probed or even enumerated without explicit consent.
2 comments
chrismorgan 1001 days ago
> WebUSB is actually a W3C open standard.

This is misleading at best. Here’s what the actual spec says <https://wicg.github.io/webusb/>:

> This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.

It’s an experimental spec by Google (observe the affiliation of the three editors: all Google); Mozilla has adopted a negative position on it <https://mozilla.github.io/standards-positions/#webusb>; WebKit has not remarked upon it.

link
lxgr 1002 days ago
To my knowledge, no browser allows any usage of WebUSB without a prompt.

WebAuthN is different, since it does not provide sites low-level peripheral access – WebAuthN and CTAP have been designed for specifically this environment and go to great lengths to make fingerprinting hard.

As long as you don’t actually use an authenticator on a site to store a credential, it won’t be able learn anything about it.

link
repelsteeltje 1001 days ago
Not sure about this, but I think from JavaScript you can absolutely probe stuff without explicit user consent. For instance, without accessing any USB device I can try:

  if(!navigator.usb) {
    console.log("learned that browser does not have USB capability");
  } else {
    console.log("learned that browser has USB capability");

    navigator.usb.getDevices().then((devices) => {
      devices.forEach((device) => {
        console.log(device.productName);
        console.log(device.manufacturerName);
      });
    });
  }
(Which is useful for fingerprinting.)
link
nolist_policy 1001 days ago
Okay, so you can learn that Chrome supports WebUSB and Firefox doesn't. But you already knew that from the User-Agent header...
link
repelsteeltje 1001 days ago
Hahah, so you think. But now you have additional telemetry to show that this wasn't cURL forging a Chrome (or Firefox) user-agent header.

Finger printing sounds sophisticated, but it's just collecting the bits and pieces into something that (mostly, probabilistically) identifies you. And then tracking you, surveilling you till you're somewhere where they can identify you.

From there: profit!

link
lxgr 1001 days ago
> this wasn't cURL forging a Chrome (or Firefox) user-agent header.

There must be a million different ways to establish that, though.

I get the general idea, but this particular data point seems highly correlated with just the family of browser, as GP suggests.

It's also very easy to fix – just make your non-WebUSB-supporting browser expose that object, but always behave as if the user had declined that particular prompt.

link
repelsteeltje 1001 days ago
That still allows website to distinguish between webUSB-aware clients and older browsers. The point being, that it would be great if extentions like WebUSB were developed such that nothing about capabilities could be learned without the users' awareness and explicit consent.

Unfortunately, instead, new capabilities are added to browsers constantly and the interfaces commonly are silently made available as part of a regular software upgrade. Sure, thought is given to security and the user is prompted just before something horrible is about to happen (access camera, mic).

But don't underestimate the shitload of "niceties" in the grabbag of APIs that in aggregate reveal more or less a supercookie of your browser instance.

link