RFP: WebUSB API #100
Comments
|
For reference, WebUSB was being developed at the time for FirefoxOS, see bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674718 |
dbaron
added
the
w3c-cg
|
Some comments from elsewhere include #95 (comment), w3ctag/design-reviews#108, the minutes from Thursday 2016 July 28 TAG meeting. Major concerns raised there include:
|
|
It would be interesting for me to know this status too |
|
I believe we should mark this "harmful". @martinthomson |
|
I have a PR in #193 to do that that ended up gathering a bunch of discussion on the rationale we should state (discussion that should probably have happened here instead). I need to figure out how to revise that... |
|
Closing as that PR was merged. |
|
From a discussion elsewhere, Chrome allows flashing Android phones via WebUSB: |
|
Another example that came up on twitter was a custom USB driver for a thermal printer: (Sorry for the noise, just collecting "as seen in the wild" use cases as people bring them to my attention on twitter) |
|
Trezor (a cryptocurrency Hardware wallet) - my former employer - uses WebUSB, when available, for communication with web wallet, if used from a browser. (I wrote the WebUSB code into both the website and the C firmware.) I think in the next, planned version, they offer Electron app first, which does not use WebUSB, but includes local server in go and c++ (because it's still easier for debugging to use the raw OS calls), but if you decide to skip Electron app and use web, it goes to WebUSB. one reason why they plan to push Electron instead of web app is that Firefox doesn't support WebUSB :) |
|
Appreciate the input @karel-3d, thank you. |
|
For reference, WebADB is now using WebUSB and its lack of support for non-Chrome browsers was just reported on webcompat.com. |
|
ADB is an exemplar of the sort of access that is most problematic. Great example. |
|
mozillas refusal of WebUSB support is a really unpleasant limitation. it's nearly impossible to implement adequate substitutes for this feature on small micro controller gadgets (in my particular case: measurement devices). WebUSB would provide a much more secure and privacy protecting solution for this kind of applications, than using this very weak IP stacks for µCs/RTOSs, which in most cases will never become updated etc., and depend on centralized web-server infrastructure outside, because proper and user friendly SSL/TLS certificate handling for private networks (RFC 1918) is nearly impossible. because of this reasons WebUSB refusal does IMHO more harm to security and privacy efforts in practice, than protecting users from real dangers. |
Measurement devices are an interesting use case indeed. You certainly want your measurements to stay correct, but the security model used for webUSB doesn't guarantee that the code that communicate with the device hasn't been tampered with. Transport security is not enough for that. |
|
Digitally signing documents with USB Flash Disk is another emerging use case. I wouldn't trust any other browser if at all such a time comes. |
|
Is there an addon, a shim or a polyfill for WebUSB that would allow hardcore Firefox users to work on embedded projects? Found this plugin but it's not an addon and the (linux) documentation seems rather outdated. |
|
Hm. In theory, you could run a small HTTP server with localhost exposed, that reads/writes to USB, and connect to it in JS via polyfill. But then all your users would need to install this. And it has all the security negatives of WebUSB. 🤷 |
|
When I worked for Trezor, we did something like that, just for our devices https://github.com/trezor/trezord-go but note, most of the code there deals with peculiarities of edge-case issues on both different OSes and the devices itself. USB is actually very tricky to get right, and LibUSB is actually kind of bad, at least on Windows. It's only popular because there is nothing better that is cross-platform. Chrome ended up re-implementing USB access from scratch (and into C++ Chrome-isms), because libusb (that they used before) was very VERY unstable on Windows. And the code itself was just horrible... not sure of the state now https://github.com/libusb/libusb/blob/master/libusb/os/windows_winusb.c#L1433 yeah it's still the same old, even when they refactored it a bit (I really like WebUSB, I just wish they stuck with the earlier security design, where the device itself need to opt-in to URLs via device descriptor. That would make a lot of fears go away and Mozilla could implement it as-is. But that ship has long sailed I guess... years now) ok anyway I digress. Good luck. (Or maybe just use Chrome.) |
|
You can see that the new-ish USB code at Chrome is leagues better than the libusb mess vs https://github.com/libusb/libusb/blob/master/libusb/os/windows_winusb.c#L1433 too bad it's so tied to Chrome |
|
@karelbilek thanks for all these useful resources Now back to the original topic of this thread: what can I do to reopen this discussion and hopefully have Mozilla reconsider, maybe changing the stance from "considered harmful" to "considered both benefial and harmful"? Here's my contribution to the discussion: If some users want to keep their |
|
WebUSB isn’t harmful, you can just add a warning when selecting a usb device. I don’t understand why this isn’t implemented yet. |
|
Up until now, I have never heard of any security problems with WebUSB (although I can definitely think of some). With the right warning however, I think it is very clear to the user, that they should trust the website. On the other hand, WebUSB is very useful for FPV drones. People do not like to install a full-fledged program on their PC, hence there are many tools in this area, that use WebUSB: EdgeTX Buddy for configuring the RC, ESC Configurator for configuring motor drivers, FPV.WTF for Video Livestream from the FPV Goggles IMO Mozilla should reconsider implementing it. Even with a big warning, saying "If you let this website access this USB device, the website could destroy your computer within a second.", I still think it is better to have it. I hate having to open another browser for this. |
|
In Chrome we are implementing support for WebUSB from extension service workers since the current practice of accessing the API from an extension's background page will no longer work with manifest V3. Chrome Platform Status: https://chromestatus.com/feature/5200265459269632 We're doing the same work for WebHID as noted here. Mozilla is experimenting with exposing powerful APIs, particularly WebMIDI but potentially expanding to other device APIs like WebUSB. We're interested in any signals Mozilla can provide on the proposal linked above, as well as Mozilla's current thoughts on how we can safely expose this capability on the web (and to extensions). |
|
The moment Mozilla implemented WebMIDI, they immediately discovered that web sites are using these capabilities for fingerprinting. See https://twitter.com/denschub/status/1582730985778556931 Quote from the comment: "Chrome allows web developers to enumerate attached MIDI devices without user consent or even a notification." This is and/or will be true for any "powerful API", and this is not solved by throwing a thousand notifications asking users for permissions or by silently allowing everything. |
|
@dmitriid wrote:
Then their implementation was wrong. Obviously sites should not have access to any attached devices by default. That doesn't mean there is no good way to implement WebMIDI.
It's not "a thousand notifications", it's either one per device, or at most one per device per website (exactly how Chrome allows users to permission extensions either for access to all sites or only to individual selected sites). For example, I would only ever need WebUSB for my Trezor device on a handful of highly trusted websites, and not for any other USB device - so that would be something like 5 notifications spread out over weeks or months. In other words, we're talking about a tiny number of notifications for the typical user in order to achieve a perfectly reasonable and convenient approach which:
This is far preferable to assuming that all users are incapable of making educated judgements about what levels of risk they are prepared to accept in order to gain functionality. All browsers already ask users to make those judgement calls on a very regular basis, so I doubt there is any good reason why WebUSB should be the exception. |
And what other implementations of similar APIs may or may not be wrong? Note: Chrome still hasn't added a prompt saying that they can't rush into fixing this because this will break functionality on sites that rely in this behaviour.
Even ten web sites take this into "100 possible notifications" realm.
It really isn't a tiny amount of notifications. This is the ting I keep seeing over, and over, and over again: when discussing an API people are completely blind to the fact that other APIs exist, and many of them require premissions, too. And don't forget that on top of these permissions we have all other notifications: from "hey sign up to our newsletter" to malicious GDPR miscompliance.
It's not an asumption. It is a known, well researched and understood fact. Do you know why so many Android apps ask for a gazillion permissions on install? |
|
so the only remaining problem is how many notifications this will generate? |
Sorry, I don't understand the question (or the point, if it's a rhetorical question). Please could you expand?
That sounds like a serious error of judgement by the Chrome team to me. It doesn't justify Mozilla avoiding a chance to do it right though.
I was talking about just WebUSB, but if I understand you correctly, you're extending the scope of the discussion to every API which a website could possibly request. That's an entirely different discussion. My claim was that adding WebUSB support in a way which requires any website to get the user's permission to use it would add a tiny number of notifications on top of the ones which the browser already generates. For example, if the user has to endure 100 notifications over So for the sake of this example, let's say it increases it to 102 notifications across
I'm not blind to that, but as explained above, it's not relevant to this WebUSB topic. If other parts of the browser are doing a poor job of protecting the user from notification spam, that's not a good reason to avoid doing it right for WebUSB.
Sure, but again, this is not relevant to WebUSB as I already explained above.
Wait, did you really just say it's "a known, well researched and understood fact" that all users are incapable of making educated judgements about what levels of risk they are prepared to accept? Surely you can't have really meant that?
Yes I do, but I don't see how that's relevant here. |
|
Just FYI, as per https://groups.google.com/a/mozilla.org/g/dev-platform/c/15O04X2jE28/m/deXYDi85CQAJ , Firefox now has support for WebMidi as of 108. It's not a huge leap to imagine that a similar approach could be used for WebUSB as well. |
|
Let's start from the start, shall we. Yes. Firefox now supports Web MIDI. And here's what Fireofx has to say about it: https://twitter.com/denschub/status/1582730985778556931
Note: Chrome still hasn't added a perission prompt saying that they can't rush into fixing this because this will break functionality on sites that rely in this behaviour. So, what "similar approaches" can we apply to WebUSB as well? Oh, perhaps... hide access behind a permission prompt? But then we're back to square one on permissions. So we have location, microphone, camera, web notifications, clipboard permissions already. And then we'll need web midi, web hid, web usb, web bluetooth permissions... And god knows how many more that Chrome spits out with zero care or oversight. I keep saying: for some odd reason people completely ignore that all other APIs that require permissions. The APIs that you propose that browser add, do not exist in a vacuum. You can't blame the browser for "doing a poor job of protecting the user from notification spam" and insist that the browsers add even more notification spam. You can't pretend an API adding new notifications and permission prompts is somehow separate and isolated from every other API also requesting permissions and showing notifications. Also, you can't pretend that users are knowlegeable enough to understand what each of these permissions do. We know they don't. You can't pretend that all this isn't relevant to the API you're so want. All in all you can't pretend this is an issue even though we know this is an issue. |
|
Oh. Right. Forgot one more thing. Claim:
Reality (using Web MIDI as an example)
The more complex an API, the more the chance it will be implemented incorrectly, inconsistently, or differently enough for it to matter. |
If you know they don't, please share that survey so that we can see it is not biased (e.g. based on Mozilla users exclusively). If this survey is internal only, there's another possible angle to "We know they don't" => "We unintentionally made sure they don't" when users who did understand permissions threw the towel and just picked another browser supporting the extra API, thus consolidating the survey bias. |
it didn't sound like FUD when all of this happened to the Audio API, and it can't possibly be an acknowledgement of incompetency, so what does it imply exactly, could it be worked around as an extension or bound to a config flag disabled by default, or even limited to a different edition of Firefox (e.g. LibreWolf)? |
I already replied to this statement so I'm not sure why you're repeating it.
I already explained in detail (with an example) why I don't accept that argument.
Please don't, I heard you the first time, as evidenced by my last reply.
I already acknowledged that point by explicitly referencing the presence of other APIs and corresponding notifications.
Yes I can.
It's not spam. It's small in quantity, justifiable, and easily kept under control for reasons I already explained. You seem to be arguing for something like
I find that to be a very supercilious over-generalization. You seem to be portraying a world split into two types of people: "we", the imaginary group of clever people, who know best what "they" need, the imaginary group of poor dumb users who are incapable of looking after themselves. I want no part of such an unpleasant and inaccurate perspective.
I'm not pretending anything, despite your repeated assertions otherwise. I was trying to have a rational and non-emotional debate, but I can tell this has very little chance of being productive, so I'm out of this discussion and this will be my last reply to you. |
How is it "easily kept under control" when it adds even more notifications to the platform?
You seem to imagine that I said or thought something I never did said or thought.
In order to have a rational and non-emotional debate you need to hear what the other people are saying, and not dismiss their reasoning out of hand just because you don't like it or because you keep ignoring the reality (the amount of APIs that require permissions, most users unable to understand implications of those permissions, the vast scope of these APIs etc.) |
etc. |
Sorry, but I couldn't understand this question |
|
Even though it's android and not a desktop OS, it looks like most users understand the implications of permissions:
And it's not surprising: a driver can understand the security and permissions of their vehicle without having to know anything about mechanics.
I'll rephrase: what does Mozilla's stance imply exactly, could WebUSB be worked around as an extension or bound to a config flag disabled by default, or even limited to a different edition of Firefox (e.g. LibreWolf)? |
Amazing, really. The studies: "A minority of users demonstrated awareness and understanding of permissions" and "only 6.1% of participants answered all comprehension questions correctly" somehow is perverted to "most users understand permissions". This is nothing short of amazing.
https://en.wikipedia.org/wiki/Argument_from_analogy
It doesn't "imply" anything. It's loud and clear. The problem is you are willingly refusing to hear it, and imagine things that are not there while ignoring everything else. On this note I'll bow out of this rather pointless discussion. |
|
Since this discussion has moved to privacy rather than security concerns, my two cents: I don't see the problem. Never have I seen a website ask for permission to use a USB device that doesn't actually need it. I can see how enumerating USB devices without user consent can be a problem, but I don't see when a website would actually need that. The way that I know WebUSB works, is:
Maybe someone can tell me, what security or privacy concerns they can see, as long as these (easy to fulfill) conditions are both met:
IMHO implementing WebUSB in browsers is even more privacy-aware because the alternatives (using other (less privacy focused) browsers that allow it or downloading full programs) generally have many more vulnerabilities. |
You still have no guarantee that the code served by the site won't damage your devices, because trusting the origin of the code doesn't mean you can trust the code itself (eg. if an attacker replaced it by something malicious). This is less a problem with regular web APIs that can't have destructive behavior thanks to the web sandbox. A better trust model for code is needed to enable these APIs, not just claims that "it works because Google does it and users are smart enough". |
Trusting the origin means to me, that I trust the origin, so also the code that they give me (as long as it has not been tampered with). Just making this clear, but I think this is also not what you meant.
HTTPS only + same domain for those parts of the script that access the USB device, the same as with service workers, would work, right?
Where did I claim that it works because Google does it? What I said is, that the user has to do something other than just clicking ok for something bad to happen (they have to select a USB device). No user will randomly select a USB device and then click "ok" if the website has no reason whatsoever to access a USB device. |
No, HTTPS only ensures that no tampering happened in transit. That doesn't give you any kind of guarantee about the code not being replaced at the source by a malicious version. |
|
Maybe we need to step back for a minute. I think the main tension in this thread boils down to...
Additional valid concerns:
It strikes me that most of these concerns are not really unique to Web USB, though depending on your point of view, the stakes may be higher in this case (i.e. a bad actor with usb access can do worse things than a bad actor with webcam access). With this context, I think there are two (maybe more) questions that need answers to move the discussion forward.
|
@fabricedesre I guess you are talking about signing the code? This is more than what most semi-famous software does, even for full blown programs/apps. Making this widely available could be expensive and throw off devs to only support Chrromium browsers
IMO the fact that the user has to select one specific USB device already mitigates the "just click ok" problem. A warning on that selection screen is sufficient if you ask me. |
Signing code is one way to do it, but not the only one. Trusting a known hash of the code can be enough - the tricky part being to bootstrap the trust chain. I found this approach interesting: https://blog.cloudflare.com/cloudflare-verifies-code-whatsapp-web-serves-users/
I agree that using a device picker step is good API design to limit fingerprinting, but this doesn't tackle the "trusting code" part at all. |
|
Thanks to everyone for the lively discussion, but I think that this has again gotten to the point where we need to take a pause. For an issue like this, where the original request has been resolved, we try to keep discussion open in case new information arises, so we'll reopen this again in a little while. For now, the discussion seem to have started to retread arguments that have already been made. |
and others
Request for Mozilla Position on an Emerging Web Specification
Other information
The text was updated successfully, but these errors were encountered: