To unsubscribe from this group and stop receiving emails from it, send an email to apps-dev+u...@chromium.org.
Sorry, but why on earth does it need *every* USB device? And moreover, if the user chooses to only give it access to one USB device, how would it know that it's *not* everything?I guess I'm pretty dubious of adding an install permission in this situation, but this is Mustafa's call.
--Joel
On Thu, Mar 19, 2015 at 10:27 AM Benjamin Kalman <kal...@chromium.org> wrote:
I do think that if I install the "security key" extension that I shouldn't then need to choose it the first time I plug in
But if the extension requests a whitelist of 1000 devices, isn't that effectively "all devices
Requesting access to the Alexa Top 1,000 hosts would indeed basically be all-hosts.
And we know from experience (Android) that people are fatigued, not alarmed, by permission lists 1,000 items long.
Use a chooser: simple, safe, universal.
As I mentioned, you install the gnubby app, you want gnubby to work. You install the myrobot app, you want the myrobot app to work. A chooser here is an unnecessary point of failure and friction (not to say I don't like choosers - I really do).
My strawman proposal earlier was to limit these to some smaller number than 1,000. Let's say 10. There will always be a legitimate use case for wanting 11, but that's a reasonable price to pay I suppose.Though, do note that the version of this API without these proposed restrictions is what we already have with apps. I don't see a compelling reason in this case to hold onto this fragmentation. The threat model of bad-thing-wants-to-do-bad-thing is the same for apps and extensions.
Thanks for the responses. I have looked into WebUSB but here are some issues:1) Chrome App support ends very soon and WebUSB is only supported in the Dev version of Chrome, there is no announced date when it will be available in the production version (customers are not going to want to install a special version of Chrome just to use your app).
2) I understand that for many things IoT is the way to go and WebUSB makes sense. However, for security related applications where you don't want to send the data over the internet even if it is encrypted, this does not make sense. For example, you want to load information to a USB device such as passwords or encryption keys, the user can enter this information into a Chrome App which sends it directly to the USB device via USB HID, the attack surface is pretty limited. The same example with WebUSB introduces many new issues to solve like how do I know that my USB device is only communicating with the authorized site, what if a MITM attack occurs on a user system that sends them to a cloned site, what if the site I connect to is storing my data without my consent.
On Tue, Sep 27, 2016 at 11:37 PM T Steiner <twst...@gmail.com> wrote:Thanks for the responses. I have looked into WebUSB but here are some issues:1) Chrome App support ends very soon and WebUSB is only supported in the Dev version of Chrome, there is no announced date when it will be available in the production version (customers are not going to want to install a special version of Chrome just to use your app).WebUSB is supported in Chrome 54 as an Origin Trial. Chrome 54 will be stable around Oct 18th, 2016 according to the release calendar (an estimate of course). This particular trial will run through Chrome 56. Customers do not have to do anything special.
2) I understand that for many things IoT is the way to go and WebUSB makes sense. However, for security related applications where you don't want to send the data over the internet even if it is encrypted, this does not make sense. For example, you want to load information to a USB device such as passwords or encryption keys, the user can enter this information into a Chrome App which sends it directly to the USB device via USB HID, the attack surface is pretty limited. The same example with WebUSB introduces many new issues to solve like how do I know that my USB device is only communicating with the authorized site, what if a MITM attack occurs on a user system that sends them to a cloned site, what if the site I connect to is storing my data without my consent.This is a really interesting question but first some clarifications: an MITM attack is not a concern for WebUSB because API access is only allowed from sites loaded over HTTPS. WebUSB also requires the origin of the site to match one of the ones enumerated from the device so yes, the device knows that it is communicating with an authorized site.
This does not, however, protect against the possibility of the site being compromised. Here Chrome Apps have an advantage. While a Chrome App developer's account could be compromised and used to push a malicious version of the app Chrome Apps by default have no network access. They must explicitly request the ability to make HTTP requests or raw socket connections. A compromised app with the ability to phone home would trigger a permission change prompt that would hopefully raise user suspicions. However, since what we're really talking about here is a combination of a Chrome Extension and Chrome App where the Chrome Extension communicates with arbitrary web pages (to fill in passwords, for example) then compromising both would allow for a path to exfiltrate data from the device as long as the user can be convinced to visit a cooperating compromised site.
Using WebUSB from an extension (which really means in this context, applying a different security policy to calls to WebUSB APIs from an extension than from a web site) is basically the same question as whether we allow chrome.usb from an extension.
Thanks for the link, what about for people not running Chrome OS?