WICG / webusb

Connecting hardware to the web.
https://wicg.github.io/webusb/

What is the use case? #137

Closed quantumproducer closed 5 years ago

quantumproducer commented 6 years ago

With the ubiquity of USB-based attacks I wonder, what is the use case for allowing a typically insecure user program (web browser) to connect to USB?

What problem is this solving?

adriweb commented 6 years ago

One such example that comes to mind (as a user and contributor of the following project) is https://www.numworks.com/blog/webusb-firmware-update/

tazjin commented 6 years ago

One use-case for security-minded folks is getting whole new attack vectors. If you make a living writing exploits this could come in handy!

karelbilek commented 6 years ago

My opinion is that WebUSB is very useful if you are a vendor of hardware and want to allow it to be accessible from the web. The API is nice. And browsers are now de facto operating systems whether you like it or not.

However, I agree that the current model of WebUSB "any device can talk to any website" is dangerous - and originally, WebUSB was not open like that! - and hardware vendors had to specifically whitelist domain URLs. This would be a much better compromise between security and usability.

Whitelisting was removed here as a move to feature policy (similar to how webcams etc. are handled) - https://github.com/WICG/webusb/pull/86 - I think both feature policy AND the explicit URL whitelisting would be good. (At that time I also thought this would be a good idea though.)

See my issue https://github.com/WICG/webusb/issues/127 that I still stand behind :)

reillyeon commented 5 years ago

I think this thread has done a good job of documenting a number of use cases for this API. Thanks all!