- From: Roger Hågensen <rescator@emsai.net>
- Date: Tue, 28 Dec 2010 19:07:32 +0100
On 2010-12-28 09:53, Silvia Pfeiffer wrote: > How about making a concrete proposal as to what it should look like? > If Google was to implement it and turn it into a concrete proposal, I > wouldn't have a problem with it either. As it is right now the spec > for usb/RS232 is useless IMHO. > > Silvia. Yeah! And not to mention the security bomb. I don't like the idea of a web app accessing my USB stick without my permission. So that means that all browsers would need to ask the user for permission. That is at the Browser level. Then there is the OS and/or driver level which all those wanting this in this list so far is forgetting. OS priviledge levels. An administrator (school, work, library, fire/police/hospital, or home network) might have set the OS to not allow a regular user to access say a USB stick or other USB or serial device with their regular user account. Windows Vista+, Mac OS X, and Linux does this. Unless something was blocked by an admin, then anything available in usermode is available to anything else in usermode. So if all browsers supported an arbitrary USB/serial device API like maybe get device config, set device config, read data, write data, those are the basics right? (any more than that and it's no longer generic) And they would also need to allow the user to explicitly enable which device should be exposed. Maybe the browser could when asked by a web app to access a device, simply show a prompt informing the user that this/that app wants device access, then show all devices the OS presents (Readable/Writable state etc. admin disabled ones are not listed etc.) in a list unless the web app asked for a specific device, in which case only list the matches or exact match. If the user allows the webapp access, then and only then does the webapp get access to the device/or devices the user specified. The webapp should also be marked as being secure (HTTPS) or not, and the user should be able to set the browser to ignore "non-secure" webapps (HTTP) etc (can webapps be signed with a certificate at all?). Don't get me wrong, I understand those of you advocating so hard for this in the list, but the issue is that weather data and test stats although similar are different enough that a generic API is needed, and a generic API needs a lot of security precautions as I'm sure many here may have a USB harddrive hooked up to the system, the last thing you want is for some webapp that seems like it's just some microphone voice FX toy suddenly barge through your harddrive right? Or worse, that weather app starts poking around your microphone, or webcam. A lot of people has certain devices hooked up, since USB is so versatile there is anything from: recording devices (mic, cam, etc) to output devices (speakers, headphones, mini displays/embed keyboard screens, picture frames etc), to networking (network cards/routers, controllers for household electrics), and who knows what else. So the remark someone made that the security trade is worth it? Nah-ah. Nothing on the net should ever have direct access to any input/output/storage device or similar at all. Any "webapp" (I use "webapp" as I consider HTML, Java, Flash in the same boat in this particular issue) should go through 3 layers of security. The Browser layer (the listing/prompt I described above), The User layer (if the OS supports it, let the user dictate which software can use which devices), and then the OS layer (admin settings, intranet, driver config etc). I know some people here are drooling at the idea of driverless USB devices that a webapp talks to directly, but it's never going to happen. The OS (or admin configuration) still control which devices are available, even if they are HID. And no browser would allow blind access to the OS's devices, a few major scandals and people would flee from that browser like crazy. (I think almost every major browser dev here has been though such a crappy event and it ain't fun.) Now, I'm no USB expert, but isn't it possible for a USB device to provide a user level driver when being plugged in? If so then do that for the device (userlevel USB HID device driver?) Then provide a url to the webapp. The browser will/should ask the user if it's ok for webapp zzzzz to access the "blah" device, user clicks yes and off ya go. Doesn't sound that overly complicated to me (from a user standpoint). As a dev I know that an admin can (and should be able to) disable userlevel drivers (or ability to use them) etc. for some regular users in the OS. Likewise a school, library or public system or public service system might want to config the browser to not allow webapps to access hardware directly, in which case the browser would either turn up with a box saying "No Devices Found" or "This Device is not allowed on this system" or something.. If we allow webapps to tunnel straight through the Browser, the User, the OS, the Drivers, and access the Device directly you are gonna have a Peek-a-Boo hell on your hands as people are usually assholes with stuff like this. And then the fact that your house lights keeps flashing on/off (USB house lighting control hooked to a PC maybe?) all night will be the least of your worries. Some of the people here are only thinking of the device "they" want to plug in and work with. But look around you right now, what else is a serial device hooked to your computer? USB stick? Mouse? Keyboard? Webcam? Headset/Mic? USB Hub? House controllers? Printer? Scanner? Your portable camera currently hooked in since you copied off the photos and it's still charging? Search the net for weird USB devices, if it's available for sale, there is at least one owner of such a device out there. Oh and don't forget, aren't there various USB "body" interaction devices out there? (and as a sidenote, there are even USB sextoys, the last you want to hear as a dev is that you are responsible for making it easy for some hacker to hack someones "toys" right? Though I'm sure the lawyers would love it.) And isn't there USB medical gear available? To assist some doctors and patients to do sessions remotely, or regulate dosage? Now the manufacturer of that may have secured their interface and API well... But then here comes the webapp-access-any-USB-device API? Outch... 1. A Weather device API for Webapps, fine no problem. 2. Let any Webapp access any Device? Bad idea and not even close to the same thing as #2. Don't forget the big picture, even something minor may have a major impact, if implemented incorrectly. -- Roger "Rescator" H?gensen. Freelancer - http://www.EmSai.net/
Received on Tuesday, 28 December 2010 10:07:32 UTC