I-cant-believe-its-not-webusb: Hacking around lack of WebUSB support in Firefox
259 comments
·March 14, 2025franga2000
ocdtrekkie
I agree. One of the biggest things people don't understand is that most users simply don't understand what they're doing, and Google does not understand how to design software safe for them. Annoying processes seem pointless but often they have a very clear point: Making sure intent is solid.
Apple recently implemented some web APIs in a strategy that shows they actually understand designing for people: The APIs only work if you "install" the website. It makes it possible to access useful PWA features... but it doesn't allow any arbitrary website to do so, there's an extra process normal humans understand to enable it.
An installed PWA is also persistently visible: It's on the homescreen. So it's a visible reminder of that permission grant and a clear sign of something a user wants to have some sense of access to them.
hackernudes
Quick summary.
Firefox does not support talking to arbitrary USB devices (whereas Chrome has WebUSB to do that). However, Firefox does support talking to U2F security keys over USB.
This project programmed a microcontroller to pretend to be a U2F security key. The goal was to talk to the microcontroller over USB through Firefox.
They use the Javascript Credentials APIs (https://developer.mozilla.org/en-US/docs/Web/API/Credential_...) and some cleverness to send data to and receive responses from the microcontroller.
sedatk
Yes, this isn't for accessing arbitrary devices. It can be used to build custom devices that can be used by webpages without any consent prompts though.
nine_k
But possibly this MCU's firmware can be expanded to serve a WebUSB lookalike of sorts?
owebmaster
so if I understood it right, Firefox is vulnerable to the problem they wanted to avoid but without giving us WebUSB?
kevincox
No, because the device they are accessing needs to be specifically built for this use case. So you would need to give the user a malicious device then use a malicious webpage. The attack scenario isn't impossible, but is far less then those that are possible with WebUSB.
contravariant
While not impossible, I just can't think of a good reason why you'd need them to access a malicious webpage when you've already gotten them to install a malicious device.
fhars
No, USB is vulnerable to malicious devices.
Aurornis
This comment section is a fascinating mix of people who use WebUSB talking about how great it is and people who don’t use WebUSB being confused about why anyone would want it.
In my experience it’s been great. Most of the WebUSB utilities I use are also available as self-installed apps, but I use them so infrequently that it’s much easier to use the web version than to go through the process of installing an update and using the app. It’s also one less app I have to install.
I would have expected this to be popular with the people who are tired of having an app for every different thing.
croes
I‘m more concerned about security by giving a webbrowser too much access to local resources.
Convenience and security don’t fit together
kccqzy
Yeah but if I need to talk to a local device, I trust browser's security far more than a random vendor's native app. I recently bought a keyboard that allows remapping keys; the vendor has both a native app and a web app to do it: I trusted the web app far more.
croes
So you don’t trust the vendor. Maybe using their hardware isn’t a good idea in the first place.
I think browsers are the bigger target and they provide the much bigger attack vector given that the purpose is being connected to the internet.
Using an internet tool to access local resources is using the wrong tool for the job.
moffkalast
Almost as if we've got some kind of notification that asks you if you want to give a browser access to a certain device huh?
croes
Because browser never have bugs.
wazoox
Yeah, except that someday the site that provide that useful app may be gone once and for all, while the app would remain just fine until you uninstall it. So it's a double-edged sword.
anon7000
The app they make would probably be Internet enabled with electron so… prolly also won’t work
paulddraper
Example: Purchasing shipping labels, and using a scale to weigh the physical items. (Technically that's HID not USB, but similar idea.)
tetris11
If you have a keyboard with QMK/Via firmware, customising it with WebUSB is a nightmare.
You essentially have to make one of your /dev/hidraw devices completely world readable (inviting all sorts of keylogging shenanigans) before the browser can interact with the firmware.
Its creepy beyond creepy in terms of usage, and offline customization tools are all Electron based so there's not much advantage.
One reasonable workaround is to construct your desired keyboard layout with a template json file on the website, download the resulting json and then flash the firmware to your keyboard via sudo-level flashing tool.
Still, I wish there was a less creepy way.
jeroenhd
> download the resulting json and then flash the firmware to your keyboard via sudo-level flashing tool
Several microcontrollers come pre-shipped with MicroPython and an emulated flash drive where you can drop Python code to alter the running main()
I imagine you could easily do the same with keyboards, except the FS throws an error when you're writing invalid JSON and the emulated FS has emulated security properties so only admin users can write to it. No need to sudo, just authorise the permission prompt when you download/copy the new config to the virtual flash drive.
cosmic_cheese
You could add a little hardware button or toggle switch to the board to enable/disable flash drive emulation if you really wanted to be secure. Write your config, unmount, flip toggle switch.
Springtime
> and offline customization tools are all Electron based so there's not much advantage.
Afaik it's only any Via support per se that the keyboard firmware has allowing for such on the fly customization, rather than QMK. With QMK it's all manual flashing (I was somewhat surprised that it was easier than I was expecting to customize the layout/layers/lights with code though, largely thanks to the supportive community).
evanjrowley
If you're looking for a QMK alternative to Via, I recommend you try using QMK Configurator and QMK Toolbox. The combination is not as ergonomic as Via, but at least you get a graphical keymap editor that compiles firmware and is far less bloated. The experience has been good with my Keeb.io boards.
tetris11
Yep, this is my current workflow -- not the easiest, but the one I trust the most
mschuster91
> Still, I wish there was a less creepy way.
There should be - there's three LEDs (capslock, numlock and I forget the third one) on standard keyboards which can all be set from the OS side... and at least caps lock (I think!) can be set from Javascript, so it's essentially an 1 bit wide communications bus, three bits if it's an ordinary OS tool.
unwind
I think the third is scroll lock [1].
That one feels quite legacy to me, every time I active it it's by accident and I don't understand why stuff is behaving weirdly.
jeroenhd
I love scroll lock still existing on keyboards. Some operating systems still use it to control text scroll for some reason (useful when you don't have `screen` installed maybe?), but I mostly use it for toggles in video games. It shows the toggle state on a physical interface, like one of those fancy programmable macro keyboards, but on commodity hardware!
Tijdreiziger
I believe there are still a number of applications where Scroll Lock is useful, most notably Microsoft Excel.
ahoka
I can’t just set any key to output the unicode character I want. I know there are some Linux only hacks, but it would be nice to do in a standard way.
meindnoch
You can't manipulate capslock state from JS.
ajross
This is a little confused. The idea behind the permissions model is that the browser suite is responsible for mediating access to the hardware. Obviously, yes, you need to give it access to the hardware in the first place for it to do that. If you don't trust the browser as a manager of a hardware abstraction layer, that's fine. But that's the model that Via expects. I don't see how it's any more "creepy" than letting your browser read your camera or microphone or storage.
I can go to https://usevia.app on a locked down employer-managed chromebook and hit my QMK keyboard with no trouble whatsoever. And needless to say I can't touch the /dev nodes at all on this box.
tucnak
I own Keychron devices with QMK firmware, and Brave (Chromium) is really explicitly communicating whenever the keyboard is being configured. I have also installed GrapheneOS using it, & honestly I cannot imagine getting tricked into launching a keylogger that way. I already trust Keychron and GrapheneOS to some extent so the point is moot, I think.
Amekedl
what are you talking about? I have to approve the website before it can access my devices via WebUSB. What's the actual issue / path for keylogging etc. there, care to explain instead of fearmongering?
kuschku
The browser itself shouldn't have access to raw devices, as that means giving all programs running under your user the ability to flash your keyboard firmware.
The point of flatpak, wayland, etc is to prevent software from having access to everything. Making all USB devices readable and writable again circumvents the entire sandboxing concept of modern systems.
vbezhenar
Windows and macOS allow access to USB devices for user programs. Linux by default does not allow access to USB devices, you need to chmod corresponding pseudo-file in /dev (or write udev rule to make it happen automatically). So when one uses WebUSB (or any other usb software) without root, it won't work immediately.
danieldk
Modern Linux systems are more complex than that. E.g. if I plug in a USB drive and one of its partitions has permissions
brw-rw---- 1 root disk 8, 2 Mar 14 11:51 /dev/sda2
Similarly, I can use fwupd to update the firmware of my machine without ever becoming root, but as a user I certainly don't have the device permissions to do it. So how? The system has a policy rule that says that every active, local user that is in the wheel group can run an update. The fwupd daemon that runs as root will then execute the update for the user.
junon
Missing the point entirely. You must still enable USB support from the site before it can see or interact with anything.
tuananh
taking this from vial website
``` export USER_GID=`id -g`; sudo --preserve-env=USER_GID sh -c 'echo "KERNEL==\"hidraw\", SUBSYSTEM==\"hidraw\", ATTRS{serial}==\"vial:f64c2b3c*\", MODE=\"0660\", GROUP=\"$USER_GID\", TAG+=\"uaccess\", TAG+=\"udev-acl\"" > /etc/udev/rules.d/99-vial.rules && udevadm control --reload && udevadm trigger' ```
so that means the device can be read and written by the user and group, but not by others.
tetris11
Yeah I have this udev rule, it fails to trigger properly and I think it might be because of what it thinks the user group and the web browser group is. I haven't fully debugged it, but I can tell you that this does not work for me
tuananh
i'm just guessing here but maybe only chrome is asking that. if the malware is another program, no confirmation is required?
null
tekchip
The benefit to folks who flash devices frequently is obvious. However, joe user, the other 3 billion or so users couldn't care less. Poking holes in the sandbox for those folks is negligent at best.
Perhaps the solution is a separate tool, maybe just a separate browser, specifically for this use case?
Flash Browser, heck it could even come with additional tools to help do this. Preconfigured white or black lists, bookmarks to the most common flashing tools, reference material. Make it an even better experience than bolting webusb on to the browser raw.
dz0ny
USB Serial is such a great thing, finally ending those annoying Electron apps that are only used for one thing. There’s a list of tools that now use the browser to set up devices, and it’s fantastic.
ESPHome(+ hundreds projects that use it as a base), Betaflight, ELRS, Flipper just to name a few.
I understand that WebKit lacks support since it’s developed by Apple, and I would also be cautious if it granted any access to peripherals.
But Firefox? Firefox has severely lacked support for hardware "connections" and has been unfriendly for developers for a long time, so I simply stopped using it (one of the reasons). Reason they state for not adding support it is that user consent is not enough to access the device, which is just nonsense, they could have made it enabled under the developer flag or similar. Blink proved that it can be made secure.
I have a filling they are stubborn for no reason and are not seeing use cases that would make their browser usable.
michaelt
> Reason they state for not adding support it is that user consent is not enough to access the device, which is just nonsense,
There was a kinda major security issue [1] where malicious websites used WebUSB to access FIDO/U2F keys.
This was bad because U2F credentials are supposed to be impossible to phish, as the browser's U2F API puts the domain name in the request to the token - but by using WebUSB, a site could request a token for any domain name.
And as both U2F and WebUSB popped up quite similar looking user consent boxes, it's pretty much impossible to avoid some users getting confused.
Google's solution, believe it or not, was to blocklist a load of devices for WebUSB [2] - so now anyone making U2F devices has to get Google to add every new product they release to the blocklist.
Everyone loves the fact the browser is a secure sandbox, letting users run untrusted code. I don't get why people want to poke so many holes in the sandbox.
[1] https://www.yubico.com/support/security-advisories/ysa-2018-... [2] https://github.com/WICG/webusb/blob/main/blocklist.txt
cosmic_cheese
> Everyone loves the fact the browser is a secure sandbox, letting users run untrusted code. I don't get why people want to poke so many holes in the sandbox.
My thoughts precisely. I want browsers to be welding holes shut, not opening new ones.
I’d think differently if user consent were required to load any scripts past a certain complexity threshold (e.g. if they’re heavier than that of an early-mid 00s website, hold off on execution until the user approves), but with how easily users can be taken to sites they never asked to go to every added bit of deep system integration a browser gains is a massive liability. The web is too built up around the idea of implied consent to be doing anything too fancy.
schmidtleonard
If you weld my front door shut, I'm going to be upset with you.
"But welding your front door shut doesn't bother me at all."
Yeah, that's the problem right there.
IshKebab
I thought WebUSB required you to explicitly select a USB device from a list to allow the web page to connect to it?
michaelt
Right. The attack is:
1. You intend to log into an (evil) website using your Yubikey U2F token.
2. A popup appears that looks like this: https://developer.chrome.com/docs/capabilities/usb#get_acces... saying the website wants to connect to your Yubikey.
3. You click 'allow' because you do want the website to access your Yubikey. Then you press the button on the Yubikey when the light starts flashing, because that's what you do.
4. Your unphishable credential just got phished.
LeifCarrotson
It does. Mozilla doesn't trust users to not be manipulated by malicious websites into doing so against their own interests. At GP link 2, Mozilla writes their rationale for concluding that WebUSB is bad:
> Because many USB devices are not designed to handle potentially-malicious interactions over the USB protocols and because those devices can have significant effects on the computer they're connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent. It also poses risks that sites could use USB device identity or data stored on USB devices as tracking identifiers.
Personally, I'd be happy enough with an implementation of WebUSB that only worked with websites accessed over localhost or on the local network. I want to write data over USB to ESP32s and Teensys 3D printers and so on through an integrated local webserver.
xp84
yeah, this sounds to me like apparently some people think once again computer owners can't be trusted to grant a permission to anything because some clueless people can be tricked into shooting themselves in the foot.
IMHO I don't buy that this is worth nerfing everything. Without using the exact analogy from the above metaphor, what if we banned cooking appliances, because a bad actor might call people and trick them into turning the stove up to "High" and placing a roll of paper towels on the flame?
I use the WebUSB to manage my keyboard's configuration, and that popup is hard to misconstrue. Also what is even the overlap between users of USB security keys (the main attractive USB target I saw cited) and people who click mindlessly without reading anything?
bestouff
> I don't get why people want to poke so many holes in the sandbox.
Because what's a sandbox to you is an universal API layer to some.
hot_gril
Google should've asked me first, cause just seeing the name WebUSB, I said "wtf why is this even a thing, absolutely no."
hard_times
Wait until you find out about WebBluetooth
gsich
Imagine if those devices used proper USB descriptors/classes instead of generic HID device.
jeroenhd
I can count the times I've needed WebUSB or WebSerial on one hand, and I own microcontrollers. I don't think the fingerprinting risks are worth it for the dozens of end users that don't need to download an electron app to interact with physical hardware.
Implementing the feature and then locking it behind a dev toggle is madness. That's wasting hundreds of hours of dev time that could've gone into something useful to expose a feature nobody will be able to find anyway.
These Chrome-only APIs can stay with Chrome for all I care as a developer. You need one Chromium browser standing by for when websites are actually broken in Firefox anyway, just use that when doing web USB stuff. It's a neat tech demo, but not something that a browser should be doing.
The fact that nobody has made a Firefox addon to add WebUSB capabilities probably shows that this is not worth the dev time for the people that do use the feature.
danieldk
Is is really handy if you have a programmable keyboard that use a web configurator/firmware builder. E.g. ZSA's Oryx. Downloading the firmware and then flashing with another program gets old pretty quickly.
That said, I don't really like the browser having USB access, etc. I agree that the potential privacy/security issues are not worth the comfort it provides.
(Yes, I know you can script your way around it by monitoring a download directory, etc.)
0x457
> Is is really handy if you have a programmable keyboard that use a web configurator/firmware builder. E.g. ZSA's Oryx. Downloading the firmware and then flashing with another program gets old pretty quickly.
I have five of those keyboards, and I haven't flashed them in years. "Downloading the firmware and then flashing with another program gets old" yes, but you don't deal with it every day? or even every month?
smrq
It's gotten a lot easier than it used to be. The Glove80 is configured by downloading a firmware file and dropping it into a mounted folder. That's not very onerous at all.
crote
This problem has been mostly fixed by newer keyboard adopting UF2: the bootloader presents itself as a USB flash drive, so uploading new firmware to your keyboard is literally a drag-and-drop.
The only drawback is that it is a little bit of a hassle if you're the type of person who changes out their macros every single day. But then again, if you need it that frequently installing the configurator tool locally isn't a huge deal I guess.
thayne
In general, I don't want my browser to have direct usb access, but ZSA Oryx is the one place I'm annoyed by Firefox not supporting it. Honestly, I'd prefer having a native desktop app to configure my keyboard. But for my ZSA keyboard, I haven't found something as good as the web app for linux.
mixmastamyk
Is LVFS not available for these devices? Sounds like it would be a better fit. https://fwupd.org/
jwr
> I can count the times I've needed WebUSB or WebSerial on one hand
There are many things that would be possible with WebUSB that current browsers make impossible. My personal example is label printers: I would love for my SaaS app (PartsBox, https://partsbox.com/) to be able to print labels, but there is no way to access a printer from a browser other than through the "Print…" dialog, which is no good if you need to send ZPL2 commands to a Zebra label printer.
WebUSB is not necessarily the best imaginable solution to that problem but it would help.
I don't want to tell my users to use Chrome. But Firefox doesn't make my life easy (see also https://bugzilla.mozilla.org/show_bug.cgi?id=896666 — a bug opened 12 years ago, about Firefox closing websockets when the user clicks a download link).
shermantanktop
Isn’t that what printer drivers are for?
dns_snek
What are the fingerprinting risks? Can websites gather any data without user consent?
I used WebUSB to flash GrapheneOS onto my Pixel, and to flash WLED on an ESP32 and it felt like magic. I'm erring on the side of this being a net positive.
ajross
> Can websites gather any data without user consent?
No, you need to explicitly grant access to every hardware device a website wants to touch. The FUD in this topic is a little out of control.
baq
My experience with WebSerial/WebUSB/whatever I used (I don't know) is:
- go to espresense.com
- hook up an esp32 via usb
- click connect, click flash
- done
- repeat 10 times for all the base stations I needed
It reduces the friction of flashing a dev board to ~0. I absolutely loved it. I'm only annoyed that I had to open Chrome to do it (my daily driver is Firefox).
linker3000
I fire up Brave for WebUSB for flashing ESP32 devices. It's Chrome, but less Googly.
kristofferR
Yeah. People don't remember how painful it was to download a separate flasher and driver for every single board you tried to flash.
wpm
>don't need to download an electron app to interact with physical hardware.
I don't need to download an Electron app to interact with physical hardware, full stop, WebUSB or not.
Is that where we're at now? That writing a small utility to configure a widget over serial in platform native tooling is beyond us?
hot_gril
In a cross-platform way, kinda yeah. Especially on the Mac side where OS updates always break everything.
lxgr
Yes, it's beyond many, and people are clearly both willing to write and grateful for easier alternatives. Why celebrate gatekeeping?
And even then, just because I could write a small utility doesn't mean I will, 99% of the time. I think being able to easily benefit from others work is generally great.
fragmede
The problem isn't a widget in platform native tooling, the problem is there's only going to be one, and that platform is Windows 7 and nothing else (including newer modern versions of Windows).
xp84
Fingerprinting risks? Is there some device enumeration capability that I don't know about? I thought you had to explicitly grant access to the specific supported device in a browser popup window.
tehbeard
The fingerprinting risks, to a layman, seem to be a red herring?
Have the user consent occur before the point of enumeration.
Or lock it behind the user already having installed the pwa and require confirmation (i.e. a browser site gets a flat denied message, a installed PWA gets a permission prompt).
Sort of depends on Firefox supporting installing PWAs though..
For webserial this feels like it would make sense... WebUSB does feel like an overreach and too much.
lxgr
Consent is combined with device selection, at least in Chrome.
That leaks at most one bit unless the user selects a device (i.e. whether Web USB is supported or not, as a delayed error due to the user clicking "deny" would be distinguishable from an immediate one), and usually much less since that bit is very correlated with "is Chrome/Chromium-like".
Macha
- Firefox addon to add WebUSB capabilities
Note this is beyond the capabilities of web extensions, you'd also need the user to install a cooperating native program.
At which point people are just going to make the native program an electron UI and bypass the browser entirely.
hexo
why bother with electron madness when you have 20 minute job for pyqt.
JimDabell
> I have a filling they are stubborn for no reason and are not seeing use cases that would make their browser usable.
This is untrue. Privacy and security issues have been raised. Web Serial is not a web standard and cannot become one until Mozilla or Apple sees these issues resolved. Google cannot make this into a web standard unilaterally; standards need consensus.
Here is the Mozilla discussion: https://github.com/mozilla/standards-positions/issues/336
And here is the WebKit discussion: https://github.com/WebKit/standards-positions/issues/199
bangaladore
I don't exactly understand the privacy and security implications here.
A website can prompt for precise location at any point. A website can prompt me to provide a certificate with my cryptographically proven identity at any point. A website can PROMPT for XYZ at any point.
Why should WebUSB be treated any different. If I give access to a device, I give access to a device. If I don't, they can't touch or identify it.
fabrice_d
Because explaining exactly what can happen when you grant WebUSB access is not as clear as with a geolocation prompt. You can't get meaningful consent from users - not all prompts are equal.
lxgr
> Google cannot make this into a web standard unilaterally
At their market share, what's the downside to them of something remaining Chrome proprietary forever?
jancsika
> Firefox has severely lacked support for hardware "connections" and has been unfriendly for developers for a long time, so I simply stopped using it (one of the reasons).
How many devices are you setting up per day?
I just can't imagine jettisoning Firefox for browsing the web because of webusb.
observationist
There are more than twice as many Linux desktop users than there are firefox users in total. People have left firefox for many reasons. The incompetence, user hostility, lack of principles, and technical lag are rampant and pervasive.
lxgr
Even seemingly trivial missing features can push people to another browser if they're otherwise largely indifferent already.
I don't think it's unreasonable to assume that to some people, the inconvenience of juggling two browsers alone outweighs the benefits of using Firefox for most browsing.
TheRealPomax
Neither can I, but you know what I can imagine? Walking away from Firefox because it yet again shows it has no interest in being a strong browser for the only folks that actually use it, namely power users who care about privacy, security, and controlling their own browser experience while enabling them to make the coolest shit with the latest, cutting edge Web APIs.
"Leaving Firefox" because of WebUSB would be silly, but "finally leaving Firefox" because they refuse to add yet another thing that intersects with your interests? Absolutely. At some point you just have to go "this is an abusive relationship holding me back".
justinrubek
Precisely this. I've not even used WebUSB, but while reading this post, I was reminded of similar pain points with Firefox. I found myself thinking of what browser I could switch to while reading comments before finding this thread. I'm a long-time die-hard Firefox user as well.
I've been waiting years and years for service worker module support, and I am sure there are plenty of other things that are important and not being done so that's just one example
Dylan16807
> power users who care about privacy, security, and controlling their own browser experience while enabling them to make the coolest shit with the latest, cutting edge Web APIs
I agree with this part entirely.
Except I don't consider WebUSB to be a "Web API", despite the name. And if it has any effect on privacy and security, it's a negative one.
Wingy
My physical hardware becoming suddenly unprogrammable because the company hosting the flashing site went out of business isn’t okay. It should be a software that I can download and is not dependent on any external servers.
If the device depends on their servers to work in the first place, I love not having to download and trust the software though!
idle_zealot
It's not an either-or thing. Every case of WebUSB flashing I've seen also offers an open source CLI tool you can pull down and use instead.
wayvey
Many of the WebUSB flashing tools work fine offline, so one can just save the web page locally and use it that way.
smrq
Perhaps because WebUSB is not well supported? Just a hypothesis, but pushing it as a standard might encourage it to become an either-or thing.
TexanFeller
I want code running in a browser to stay in its sandbox, a large motivation for web apps in the first place is that they stay safely sandboxed and ephemeral. I think browsers accessing hardware is a terrible mistake, they make a terrible “OS” and trying to use the web as the default platform for all apps has set our industry back decades.
lxgr
I like the sandboxing properties of my browser, and wish I could run as many of my local applications and utilities in it or in something comparable.
Part of that is being able to access hardware, and missing that functionality will expose data on my computer to malicious or compromised applications or scripts.
Hardware access obviously has to be on a very strict opt-in basis. For all the things Apple is regularly trailing behind other browsers or outright botching, I think letting only "installed PWAs" send push notifications and persist state more than 7 days between visits is directionally the right thing to do, and hardware access would be much less critical limited that way.
troupo
> I understand that WebKit lacks support since it’s developed by Apple
> But Firefox? Firefox has severely lacked support for hardware "connections" and has been unfriendly for developers for a long time
A lot of accusations to simply say "I want Chrome-developed Chrome-only APIs to be called standard and implemented by everyone without any objections".
LegionMammal978
I'd read it more as "I don't particularly care about what ends up as the standard or who ends up writing it, I just wish that it's nearly as capable as the non-standard implementation that exists and is useful."
Mozilla's objection is to having the capability at all, on the basis of "USB devices are too easy to hack" and "users are too dumb to give informed consent, regardless of what we tell them". And GP's objection to Mozilla's objection ultimately comes down to having the capability or not.
troupo
Mozilla's objection, among others, isn't "users are too dumb to give informed consent, regardless of what we tell them".
It's "we have dozens of APIs that require user consent and it's nearly impossible to contain this barrage, or to make sure that users fully understand the implications of consent for the more complex APIs and integrations"
Why do people in these discussions pretend that it is only WebUSB that needs a permission and consent?
Boogie_Man
Could've learned to use DD in the time it took to make this post.
Web browsers need to remain incapable of... formatting my disks
MortyWaves
Maybe it’s a good thing USB ports are not available to browser based code.
saint_yossarian
As a Linux user I love WebMIDI, because it means I don't have to open a Windows VM anymore to run firmware updates / utility tools for audio gear manufacturers that embrace it (e.g. Novation).
WebUSB should enable the same for more types of devices, but of course there should be appropriate permission mechanisms.
JimDabell
WebMIDI has been used by porn sites to track users:
saint_yossarian
That is/was a Chrome problem, Firefox only allows WebMIDI after granting permission. Unfortunately its implementation is also incomplete/buggy so I still often end up using Chrome for those use cases anyway.
_flux
As I understand it, it was because WebMIDI was accepted by Chrome without prompting the user.
To me it seems should be impossible use it for tracking after they added the prompt.
cship2
Whenever the committe crams another desktop features into the browser you can be sure it is mainly convenience and surveillance!
rasjani
Webmidi is godsent for Akai LPD8 controllers. It came with software that's used to reprogramming midi banks. Software never got updates and doesnt work anymore in any modern mac. Thank $deity for webmidi and some reverse engineering, i can reprogram it to a degree that its at least functional and dont need to throw it away.
MortyWaves
Why does that require a browser and not software you run natively?
mvdtnz
No, it's not.
akimbostrawman
While I can understand the drama and criticism surrounding the "standard", using it to flash GrapehenOS on Pixel phones has been one of the most pleasant, easy and fast OS installations experiences i ever had on any device. Literally plug, click and play.
swiftcoder
> encrypts the private key with the "master" key, and returns the encrypted private key as the key handle
wow. I guess that does work.
I feel like giving an adversary infinite opportunity to try and decrypt the private key in their possession will backfire eventually, but what do I know?
lxgr
It's exactly as risky as any other possible stateless authenticator implementation, if you think about it.
For example, another way of doing it is to derive the private key from the key handle via deterministic key derivation – which the attacker can brute-force just as well as the encrypted per-site key stored in the key handle.
The key insight is that a stateless authenticator is by definition globally (i.e. across secrets and sites) deterministic, and given an input-output pair, you'll be able to brute-force its internal secret. The solution is to make that internal state large enough for that to be computationally infeasible.
stockhorn
Couldnt we add some "usb descriptor flag" which says whether WebUSB should be allowed or not? Then firefox/chrome would not need to maintain a blocklist.
agluszak
> WebUSB and its associated political disagreements
What are the political disagreements?
JimDabell
WebUSB is not a web standard. It’s a Blink-only API cooked up by Google and rejected by both Mozilla and Apple on privacy and security grounds. It cannot become a web standard without two independent implementations, and Google have failed to convince anybody outside of Google to implement it. Nevertheless, it pops up on various websites as things Firefox and Safari are “failing” to support.
> This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track.
— https://wicg.github.io/webusb/
> WebKit declined to implement several APIs, including WebUSB, due to concerns over fingerprinting
> We have previously stated privacy concerns, thus the concerns: privacy label. We agree with Mozilla's security concerns raised in their standards position issue, thus the concerns: security label.
— https://github.com/WebKit/standards-positions/issues/68
> Because many USB devices are not designed to handle potentially-malicious interactions over the USB protocols and because those devices can have significant effects on the computer they're connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent. It also poses risks that sites could use USB device identity or data stored on USB devices as tracking identifiers.
mvdtnz
[flagged]
dijit
Real adults use lynx & curl, so I’m not sure what adults you’re talking about.
Orygin
You are not losing functionality if it was never implemented in the first place. WebUSB and WebSerial are not standards, so your rage is misdirected. Keep using your security cheese of a browser if you need that feature. Otherwise others (like myself) are okay with having fewer security risks in their browsers.
jlarocco
I don't know the general political disagreements, but I personally don't want WebUSB and think it's a garbage idea.
The browser can already access the USB devices it needs through normal OS interfaces (the keyboard and mouse being the obvious examples). I don't see why any website should need special direct access. The only use-cases seem to be giving access to web programmers who can't be bothered to write a standalone application (not a group I trust) or to provide additional ways to track users (something I don't want).
I don't even trust Google and Mozilla enough to give them access, much less any random stranger who's setup a website.
Not everything needs to be accessible from the web. I don't know where the line is, but for me USB access is across the line.
bsder
> I don't see why any website should need special direct access.
And this also holds back things like better security from USB security keys.
You have to access the key in exactly the way that is implemented ... even if that implementation sucks or has bugs or has security failures.
Everybody hates Electron .. but then want to hamstring the browsers. Well, people still want do do the thing they want even if you don't let them. They will find a way around .. and currently that way around is Electron.
consteval
I believe USB security keys are covered under a different API.
But even then, you can use this argument against it. When this type of USB access is allowed, it gives phishing attacks even more power. Now, you’ll click prompts for authentication and little did you know that malicious actors and read/write the entire USB drive!
tux3
The politics of exposing users to security issues VS giving the web more capabilities.
A fight which is usually won by people who just want features now. Security flaws tend to look hypothetical until people actually exploit them in the wild.
usrnm
If history teaches us anything, it's the fact that we will come full circle, the browser will become the os at some point. People with money want it to happen and they have resources to make us think that we want it too. Might as well enjoy the ride
tannhaeuser
Fingerprinting, basically, and whether browsers should gain any more capabilities at this point which just deepens the dependency on Chrome further and further.
swiftcoder
While fingerprinting is a concern with many web extensions, the bigger problem here is the security risks inherent in exposing on the open internet a bunch of USB devices that were not designed with adversarial inputs in mind...
tannhaeuser
I think you're right. Weren't there even remote DMA/CPU-level attacks over OHCI/USB?
rs186
I think that ship sailed many years ago.
As I user who cares deeply about privacy and has almost everything enabled -- "strict" anti tracking protection on the browser, uBlock origin, DNS level filtering etc -- I discovered that any the fingerprint for my Firefox is pretty much unique on the entire Internet.
One thing that astonished me was that the number of hardware cores of my CPU is easily accessible from JavaScript. I have an AMD machine with 8 cores and 16 threads. Somehow it is on the high end of machines that access the Internet, and only a small fraction of users have a 8 core CPU. Combined with just a few other parameters, especially IP address, it is easy to uniquely identify this computer.
Just one additional channel of information from WebUSB barely matters at all.
nicman23
probably that your browser can access the hardware. which i also do not want.
gostsamo
should a browser have api-s allowing websites to access directly the file system and usb devices which might be insecure and help in fingerprinting or it should not. a.k.a chrome against all the ants.
pests
It already does though. It's the type=upload box we've had for decades. Think of it as how smartphones let you give access to only a specific file or see a subset of files. The "UI" is just using a system control. You can also drag and drop files into the browser too. This is all available to javascript.
Kbelicius
> It already does though.
It doesn't. Websites don't have access to your file system.
> It's the type=upload box we've had for decades.
It isn't. That isn't giving the access to your file system to a website. That is simply providing a file to a website. The website doesn't even get the real path to the file but a C:\fakepath\filename.
> You can also drag and drop files into the browser too. This is all available to javascript.
Again, that is not giving access to your filesystem to a website. That is giving a file to a website.
mortalkastor
This is nothing new.
Up until ~5 years ago, hacking U2F to make it pass (smuggle?) arbitrary data was exactly how hardware wallet like those from Ledger and Trezor were communicating with websites and web extensions (like Metamask), for the lack of a better alternative. This is how hardware secured "web3" came to be.
A bit OT, but most of this thread seems to be generally about WebUSB, not the OP (although it is a pretty cool hack!)
On one hand, I really want WebUSB, but at the same time, I REALLY don't want the average person to have WebUSB.
Practice has shown that consent popups do not work and people will manage to give consent to anything without even realizing it ("I never clicked on anything", they say, while I swipe away 50 spam push notifications and remove push permissions from about a dozen "news" sites).
Honestly, I kind of like the Internet Explorer version of permissions, where you needed to mark certain sites as "trusted" to enable certain features. The process is hard to discover, takes a decent amount of time, is a bit confusing, done in a system-styled modal popup with reasonably scary and large warning icons.
If people had to go through this process to mark a site as "trusted" in order to use WebUSB, WebBluetooth, and the other dangerous APIs, far fewer would do it by accident. The UX would still be better than installing a native app and you get sandoxing as a bonus, so I think the tradeoff would be worth it.