| ▲ | zb3 9 hours ago |
| They can click everything away, so maybe educate them or buy an iOS device for your relatives instead of breaking computing for everyone else. |
|
| ▲ | lpcvoid 8 hours ago | parent | next [-] |
| Fair, but remember that we are the <~1% of people who even know what WebUSB is. I'm not sure I share your view on this. Maybe an about:config switch to enable it would be enough to stop casuals from pwning their peripherals. |
| |
| ▲ | barnabee 8 hours ago | parent [-] |
| I’d be ok with an about:config switch, but given that many people will install anything, paste arbitrary text into terminals, and share their password/pin code with complete strangers for almost no reason, I think we need to stop making our tools less powerful in pursuit of an impossible goal. |
|
|
| ▲ | Orygin 8 hours ago | parent | prev | next [-] |
| > breaking computing for everyone else |
| How is not implementing a Draft spec, which may compromise security badly, breaking computing? Overreacting much? |
| |
| ▲ | zb3 7 hours ago | parent [-] |
| This is not just an isolated incident, it's the whole trend of limiting capabilities in the name of security and that's what I was referring to. However in this particular case, even the security argument doesn't hold, either I: |
| a) know that I want to use USB - in that case I'll switch browsers or download a native binary (even more unsafe), it's not that I'd decide that I no longer want to flash my smartphone |
| b) I don't understand what's happening but I follow arbitrary instructions anyway - WebUSB changes nothing. |
| ▲ | Orygin 5 hours ago | parent | next [-] |
| A native binary can be verified by anti-malware systems, and once installed and working, poses no security risk. A 0day in a browser for the WebUSB system would allow any website to mess with arbitrary USB devices connected to your computer. While the browser sandbox is generally safe, it is also a huge target, and with a security risk like that, it wouldn't surprise me if it's a prime target for black hats. |
| ▲ | skydhash 7 hours ago | parent | prev [-] |
| So instead of using trusted vendors or requiring tools with auditable code, we just allow everyone to be able to access the user’s devices? |
|
|
|
| ▲ | troupo 7 hours ago | parent | prev [-] |
| > They can click everything away, so maybe |
| So maybe don't populate the browser with dozens of features requiring permission popups? |