solokeys / solo1

Solo 1 firmware in C
https://solokeys.com/

Update page should be incorporated on Solo Start page #325

Open Karl-WE opened 4 years ago

Karl-WE commented 4 years ago

The https://update.solokeys.com/ page can only be found via Google. It is not listed in the FAQ and on the start page.

It should be listed on the start page https://static.solokeys.com/en/start/

conorpp commented 4 years ago

Sadly the web update won't be working on future versions of Chrome or other browsers. So right now it's "deprecated", and I'll be working on a desktop app people can use instead.

Karl-WE commented 4 years ago

How the heck will people that are not technically skilled update this device?

Originally posted by @Karl-WE in https://github.com/solokeys/solo/issues/326#issuecomment-541441881

Can you imagine creating a Windows Store app? I am not 100% sure, but PWA apps might work quite OS unrelated?

ccinelli commented 4 years ago

@conorpp Why will it not work? It is obviously weird that the dialog flashes multiple times and the browser may see it as something to be blocked. But you should be able to use the browser's USB support to do it.

conorpp commented 4 years ago

The desktop application will be more intuitive than the web application. We'll distribute from our website, I'll look into the Windows store.

Only Chrome has USB support, and it's blocked for certain devices like security keys.

szszszsz commented 4 years ago

> Only Chrome has USB support, and it's blocked for certain devices like security keys.

@conorpp Can you tell me where I could find more details about that? I would like to know whether the restriction is USB interface- or device-wise. For Windows, I suppose that the browser will be cut out from the whole device anyway, once it presents its FIDO descriptor.

conorpp commented 4 years ago

I'm not sure if it's device or USB interface specific. I think initially just the VID/PID for known keys were blacklisted, but they're working on a better solution. I'll look more into it.

https://www.wired.com/story/chrome-yubikey-phishing-webusb/

> When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers' attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. "We are always appreciative of researchers’ work to help protect our users," Brand wrote in a statement. "We will have a short term mitigation in place in the upcoming version of Chrome, and we're working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited."

nickray commented 4 years ago

WebUSB is only supported by Chrome-ish; Firefox is actively against it becoming a standard. Inside WebUSB, all HID is blacklisted (https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/LZXocaeCwDw), the idea being to use WebHID (WIP). I think they want WebUSB only to be for custom drivers for custom hardware with custom USB classes.
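Added example, not part of the original thread and not Chrome's code: a model of the two designs asked about above, a device-wise VID/PID blocklist versus an interface-wise class block, evaluated over one composite device. The descriptor bytes, the VID/PID `1234:abcd` and the function names are constructed for illustration.

```javascript
// Added example: models the two blocking designs discussed in this thread.
// All names and values are hypothetical; this is not Chrome's code.
const HID_CLASS = 0x03; // USB-IF class code for HID

// Constructed configuration descriptor: interface 0 is HID, interface 1 is
// vendor-specific (class 0xFF).
const SAMPLE_CONFIG = Uint8Array.from([
  0x09, 0x02, 0x32, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32, // configuration, 50 bytes
  0x09, 0x04, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, // interface 0, class 0x03
  0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x22, 0x00, // HID class descriptor
  0x07, 0x05, 0x81, 0x03, 0x40, 0x00, 0x05,             // interrupt IN endpoint
  0x07, 0x05, 0x01, 0x03, 0x40, 0x00, 0x05,             // interrupt OUT endpoint
  0x09, 0x04, 0x01, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, // interface 1, class 0xFF
]);
const SAMPLE_DEVICE = { vendorId: 0x1234, productId: 0xabcd, config: SAMPLE_CONFIG };

// Walk the length-prefixed descriptor chain and collect interface descriptors
// (alternate setting 0 only), rejecting truncated or zero-length entries.
function parseInterfaces(bytes) {
  const found = [];
  let i = 0;
  while (i < bytes.length) {
    const len = bytes[i];
    const type = bytes[i + 1];
    if (len < 2 || i + len > bytes.length) {
      throw new Error(`malformed descriptor at offset ${i}`);
    }
    if (type === 0x04) {
      if (len < 9) throw new Error(`short interface descriptor at offset ${i}`);
      if (bytes[i + 3] === 0) found.push({ number: bytes[i + 2], classCode: bytes[i + 5] });
    }
    i += len;
  }
  return found;
}

// Device-wise rule: a listed VID:PID hides every interface.
// Interface-wise rule: only interfaces of a blocked class are withheld.
function claimableInterfaces(device, { blockedIds = new Set(), blockedClasses = new Set() } = {}) {
  const id = [device.vendorId, device.productId]
    .map((n) => n.toString(16).padStart(4, "0")).join(":");
  if (blockedIds.has(id)) return [];
  return parseInterfaces(device.config)
    .filter((itf) => !blockedClasses.has(itf.classCode))
    .map((itf) => itf.number);
}
```

Under the class rule the vendor-specific interface of the sample device stays reachable while the HID interface does not; under the VID/PID rule nothing on the device is reachable.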

My1 commented 4 years ago

> Can you imagine creating a Windows Store app? I am not 100% sure, but PWA apps might work quite OS unrelated?

Can they run as admin? In W10 1903 only admin processes can access FIDO2 devices directly.

patoberli commented 4 years ago

The "old" webupdate worked fine for me in the past with several versions of Edge on Windows 10.

Karl-WE commented 4 years ago

> The "old" webupdate worked fine for me in the past with several versions of Edge on Windows 10.

I can agree with that. Furthermore, the current release of Edge Dev has fixed an issue where you would be stuck in an authentication loop between the FIDO2 PIN and the local Windows 10 Hello PIN.

My1 commented 4 years ago

Depends on what Edge with which W10. If it was Chrome-Edge on <1903, it is to be expected.

Potentially even real Edge on W10 <1903 may have worked, as apparently 1809 had FIDO functionality, and 1903 killed a bit of it (resident keys, for example, don't seem to work in 1903+).