WICG / webusb

Connecting hardware to the web.
https://wicg.github.io/webusb/

WebUSB relies too much on domain name ownership for security. #121

Closed ahtn closed 6 years ago

ahtn commented 6 years ago

After working through an implementation of WebUSB, I am concerned that both the UA and USB device rely too much on the manufacturer continuing to maintain ownership of the target domain. With my current understanding of WebUSB, the security model boils down to:

  1. USB device provides a HTTPS domain to the UA.
  2. UA connects to this domain securely using HTTPS.
  3. The UA now trusts this domain and will give code from the domain full access to the USB device via WebUSB.

As a user this makes me hesitant to use WebUSB devices because:

  1. Companies can't be relied on to keep domains registered.
  2. If the company files for bankruptcy, ownership of the domain could be lost.
  3. The domain may be compromised.
  4. If the function of the USB device is reliant on this domain, the manufacturer can essentially brick the device by taking the domain offline and force the users to update their hardware at their whim. The company may choose not to retain the domain for obsolete hardware.

Taking into account #50, control of this domain by a malicious actor would almost certainly mean complete system compromise due to the lax security provided by USB.

Some of these issues are inherent to the idea of WebUSB, but I think at least the issue of domain ownership can be solved. The device would need to provide some form of public key in its binary object store that the UA can then use to validate the authenticity of the target domain before allowing connections to the USB device.
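
An added example, not code from the WebUSB project or from either commenter: a host-side parser for the descriptors through which a device hands the UA its landing page (step 1 above), with the descriptor layouts and platform UUID taken from the WebUSB specification and the sample bytes constructed here; it rejects a landing page that is not served over HTTPS.

```python
import struct
import uuid

# Layouts/constants follow the WebUSB spec; sample descriptor bytes are constructed.
WEBUSB_UUID = uuid.UUID("3408b638-09a9-47a0-8bfd-a0768815b665")
DESC_TYPE_BOS = 0x0F
DESC_TYPE_DEVICE_CAPABILITY = 0x10
CAP_TYPE_PLATFORM = 0x05
DESC_TYPE_WEBUSB_URL = 0x03
URL_SCHEMES = {0: "http://", 1: "https://", 255: ""}


def find_webusb_capability(bos: bytes):
    """Walk a BOS descriptor and return (bVendorCode, iLandingPage), or None."""
    if len(bos) < 5 or bos[1] != DESC_TYPE_BOS:
        raise ValueError("not a BOS descriptor")
    total_len, num_caps = struct.unpack_from("<HB", bos, 2)
    if len(bos) < total_len:
        raise ValueError("truncated BOS descriptor")
    offset = 5
    for _ in range(num_caps):
        if offset + 2 > total_len:
            raise ValueError("capability runs past wTotalLength")
        blen, dtype = bos[offset], bos[offset + 1]
        if blen < 2 or offset + blen > total_len:
            raise ValueError("bad capability bLength")
        cap = bos[offset:offset + blen]
        # Platform capability: bReserved(1), UUID(16), bcdVersion(2), bVendorCode(1), iLandingPage(1)
        if (dtype == DESC_TYPE_DEVICE_CAPABILITY and cap[2] == CAP_TYPE_PLATFORM
                and blen >= 24 and uuid.UUID(bytes_le=cap[4:20]) == WEBUSB_UUID):
            _bcd_version, vendor_code, landing_page = struct.unpack_from("<HBB", cap, 20)
            return vendor_code, landing_page
        offset += blen
    return None


def parse_url_descriptor(desc: bytes, require_https: bool = True) -> str:
    """Decode the URL descriptor returned by a GET_URL vendor request."""
    if len(desc) < 3 or desc[1] != DESC_TYPE_WEBUSB_URL or not 3 <= desc[0] <= len(desc):
        raise ValueError("not a well-formed WebUSB URL descriptor")
    if desc[2] not in URL_SCHEMES:
        raise ValueError("unknown bScheme %d" % desc[2])
    url = URL_SCHEMES[desc[2]] + desc[3:desc[0]].decode("utf-8")
    if require_https and not url.startswith("https://"):
        raise ValueError("landing page is not served over HTTPS: " + url)
    return url


# Constructed sample: BOS with one WebUSB platform capability (vendor code 0x42, landing page 1)
SAMPLE_BOS = bytes([0x05, DESC_TYPE_BOS, 0x1D, 0x00, 0x01]) + bytes([0x18, 0x10, 0x05, 0x00]) \
    + WEBUSB_UUID.bytes_le + bytes([0x00, 0x01, 0x42, 0x01])
SAMPLE_URL = bytes([14, DESC_TYPE_WEBUSB_URL, 1]) + b"example.com"
```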

reillyeon commented 6 years ago

The version of WebUSB described in the specification hosted here and implemented by currently shipping versions of Google Chrome does not require the device to provide an origin that will be the only source for a web application that can connect to the device. The reasons above are among those cited when making the decision to remove this requirement. If there are still references to this requirement in the documentation here please let me know so I can correct them.

This question was discussed in issue #49.