by IshKebab 555 days ago
Given that it's been available in Chrome for 7 years, if there were any security and privacy concerns, we should be able to point to at least one abuse of this API, right?

I'd say predicting instances of abuse of this API is tied to usage of the API, not existence of the API. I'd argue it's extremely generous to say we'd see a case of abuse after 10 deployments of this API. Can we point to at least 10 deployments of this API?

[Ed.:] https://github.com/webusb/awesome lists applications using this API. It's 11 to 14 depending on how you count. Most of them are pretty fringe, except arguably the 3 update/flash tools and maybe the Android mirror.

I'm not sure I'd expect to have seen a case of abuse here yet.

That doesn't make any sense. The API is available for abuse independently of how many legitimate users there are.

Or are you thinking only about attacks where the attackers have a genuine reason to ask for USB access? Because IMO that is going to be pretty rare, and also not very interesting because in those cases the alternative is you download an executable with unlimited permissions.

But in any case it makes no difference. If the API has been available to 75% of users for 7 years, it's downright idiotic to think making it available to 77% of users will make a difference.

I'd argue that:

- a large part of privacy issues only exist under legitimate use cases

- a comparatively smaller but still relevant part of security issues would involve attacking (e.g. code injection) a legitimate web application (which the user may already trust) as a first step, and progressing from there

- the fact that so few genuine use cases exist makes users much less likely to accept any illegitimate use, since it will be a permission request box that they have never seen before and haven't been desensitized to