The paper describes an API to access USB through the web. I mean... NO, that's a huge, huge incredible huge security nightmare! I mean USB, Thunderbolt, you name it and it's open like an old barn door.
I think this is utterly stupid and should be burned immediately - but what are your thoughts?
I'll try not to use it for anything important, if I can figure out how to make it do anything. It says right on the front page there are security issues. Sounds like a problem with USB devices in general.
I don't get the thought process behind this. If you don't have a lock on your door, do you set the building on fire? (No, just don't keep your money and loot behind it.) All things with security vulnerabilities must be destroyed? (Goodbye everything)
Of course everything has and will have its vulnerabilities, but do we really have to put another layer of insecurity onto a technology which is not secure, but can only be abused if you have physical access, and throw it into the web? Not everything needs, and even less should be on the internet; I have to think of all the SCADA systems with open VNC clients, or the RS232 to Ethernet adapters that have no authentication at all or just a laughably bad one. All those things should never have been connected to the internet in the first place, and neither should USB be.
That was my thought process which I might have exaggerated a bit by using
I hope that somewhat elaborates my thoughts... it just makes me cringe and shiver that the next inherently insecure technology is making its way into the internet.
There is already an API built into most modern browsers that allows for websites to access the onboard or dedicated GPU. This is enabled by default and allows for complete access to your system's hardware and data storage through holes in the security of GPU APIs that were not designed with security in mind. Yes, this new API does open up other issues, but it is good to first be aware that there are other holes in how websites use your computer's hardware. In general, direct access to hardware over the internet is a bad idea from the get go.
Yes it is! Indeed, and that's my whole point. That there are several other APIs and technologies I know, but USB opens up even other, more simple ways of compromise...
Imagine a HID (aka Keyboard) over the web that types cmd/bash/powershell commands for you while you are not around ;)