[michaelt]

> Reason they state for not adding support it is that user consent is not enough to access the device, which is just nonsense,

There was a kinda major security issue [1] where malicious websites used WebUSB to access FIDO/U2F keys.

This was bad because U2F credentials are supposed to be impossible to phish, as the browser's U2F API puts the domain name in the request to the token - but by using WebUSB, a site could request a token for any domain name.

And as both U2F and WebUSB popped up quite similar looking user consent boxes, it's pretty much impossible to avoid some users getting confused.

Google's solution, believe it or not, was to blocklist a load of devices for WebUSB [2] - so now anyone making U2F devices has to get Google to add every new product they release to the blocklist.

Everyone loves the fact the browser is a secure sandbox, letting users run untrusted code. I don't get why people want to poke so many holes in the sandbox.

[1] https://www.yubico.com/support/security-advisories/ysa-2018-... [2] https://github.com/WICG/webusb/blob/main/blocklist.txt

[cosmic_cheese]

> Everyone loves the fact the browser is a secure sandbox, letting users run untrusted code. I don't get why people want to poke so many holes in the sandbox.

My thoughts precisely. I want browsers to be welding holes shut, not opening new ones.

I’d think differently if user consent were required to load any scripts past a certain complexity threshold (e.g. if they’re heavier than that of an early-mid 00s website, hold off on execution until the user approves), but with how easily users can be taken to sites they never asked to go to every added bit of deep system integration a browser gains is a massive liability. The web is too built up around the idea of implied consent to be doing anything too fancy.

[schmidtleonard]

If you weld my front door shut, I'm going to be upset with you.

"But welding your front door shut doesn't bother me at all."

Yeah, that's the problem right there.

[hot_gril]

What's the front door, WebUSB or something else like TLS 1.2?

[IshKebab]

I thought WebUSB required you to explicitly select a USB device from a list to allow the web page to connect to it?

[LeifCarrotson]

It does. Mozilla doesn't trust users to not be manipulated by malicious websites into doing so against their own interests. At GP link 2, Mozilla writes their rationale for concluding that WebUSB is bad:

> Because many USB devices are not designed to handle potentially-malicious interactions over the USB protocols and because those devices can have significant effects on the computer they're connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent. It also poses risks that sites could use USB device identity or data stored on USB devices as tracking identifiers.

Personally, I'd be happy enough with an implementation of WebUSB that only worked with websites accessed over localhost or on the local network. I want to write data over USB to ESP32s and Teensys 3D printers and so on through an integrated local webserver.

[hot_gril]

localhost-only access is a reasonable compromise

[michaelt]

Right. The attack is:

1. You intend to log into an (evil) website using your Yubikey U2F token.

2. A popup appears that looks like this: https://developer.chrome.com/docs/capabilities/usb#get_acces... saying the website wants to connect to your Yubikey.

3. You click 'allow' because you do want the website to access your Yubikey. Then you press the button on the Yubikey when the light starts flashing, because that's what you do.

4. Your unphishable credential just got phished.

[IshKebab]

Ah that dialog is very ambiguous. I hope they changed it...

[xp84]

yeah, this sounds to me like apparently some people think once again computer owners can't be trusted to grant a permission to anything because some clueless people can be tricked into shooting themselves in the foot.

IMHO I don't buy that this is worth nerfing everything. Without using the exact analogy from the above metaphor, what if we banned cooking appliances, because a bad actor might call people and trick them into turning the stove up to "High" and placing a roll of paper towels on the flame?

I use the WebUSB to manage my keyboard's configuration, and that popup is hard to misconstrue. Also what is even the overlap between users of USB security keys (the main attractive USB target I saw cited) and people who click mindlessly without reading anything?

[michaelt]

Take a look at this browser popup box, asking the user to select which device to use for webauthn: https://filestore.community.support.microsoft.com/api/images...

Now take a look at this browser popup box, inviting the user to grant access for webusb: https://developer.chrome.com/docs/capabilities/usb#get_acces...

This isn't just clueless people clicking mindlessly without reading anything. The user wants to log in with their U2F key. They get a box asking if the website can access their U2F key.

Even if they read and understand every word in the box, consult their security training (which tells them "when you log in with a U2F key a box will pop up asking you to select a device, that's normal") the only indication they're doing anything wrong is that the device selection box looks a bit different to normal.

[bestouff]

> I don't get why people want to poke so many holes in the sandbox.

Because what's a sandbox to you is an universal API layer to some.

[gsich]

Imagine if those devices used proper USB descriptors/classes instead of generic HID device.

[hot_gril]

Google should've asked me first, cause just seeing the name WebUSB, I said "wtf why is this even a thing, absolutely no."

[hard_times]

Wait until you find out about WebBluetooth

[hot_gril]

At least I'm a little relieved that Firefox and Safari don't support that either.

[MrQuincle]

Wait until you find out about WebWifi

[SAI_Peregrinus]

I'm just waiting for someone to compile Chromium to WASM, giving us WebWeb.