Web USB


  • Notification Spam Recipient

    @lucas1 said in Web USB:

    Can anyone tell me why it would be different than a mount point in a unix system?

    Because that would be opposite of what we're talking about here? I think? Not sure.


  • :belt_onion:

    @Tsaukpaetra said in Web USB:

    @sloosecannon said in Web USB:

    @Tsaukpaetra Well it looks like it's broken for me too. So.....

    Ooops

    Fixed it by tacking on an extra www to the beginning of the domain. :wtf:


    Also, apparently they mess with the size of scrollbars on that page...

    huh.

    Yea, gubernment sites are crappy like that.

    But they don't need a Java applet to log in (you click log in, it'll ask you for a cert. Actually, it might just fail. But if you had a CAC, it would ask you for a cert)


  • :belt_onion:

    @lucas1 said in Web USB:

    Can anyone tell me why it would be different than a file mount point in a unix system?

    because file mount points aren't generally accessible from websites?



  • @Tsaukpaetra I am not sure. Initial impression: if the OS is taking control of the security, that is probably the right route.



  • @sloosecannon What I mean is: if you use a file system API from JS, that uses the OS filesystem API underneath. Most USB devices on *nix are done the same way.


  • Discourse touched me in a no-no place

    @lucas1 If it was just a simple block device, that's what it would be. Instead, they're wanting to do much more complicated stuff, and that's where the stupid really bites, since predicting what sort of problems will crop up when arbitrary web pages can interact with the reprogrammable input devices on your system is both trivial (for cynics like us) and really hard (for anyone trying to secure things for real).

    FWIW, I can remember trolling my fellow undergraduates by putting links to file:/dev/mouse on web pages. ;) This is way worse…



  • Unlike CORS there is intentionally no option for a device to have an "allow all" policy. In Chrome's implementation (as recommended in the specification) the requesting origin must be one listed by the device and the user must ok the access. Both are required because we recognize both that sites should not be immediately trusted and that users should not be the only gatekeepers for the security of the system.

    This API is not for any of the standard device classes listed above because they already have higher-level web APIs. There is no reason for a UVC, USB Audio or USB Storage device to present the necessary descriptors to be accessible via this API. Think instead about the class of devices that do not implement one of these standard classes and the threat model that currently exists. Since starting to work on the web platform I've become rather alarmed by the amount of native software I am forced to install in order to use devices I own. This code could be doing literally anything. In contrast this specification proposes allowing sandboxed web applications access to a single device, only with my permission and with the browser notifying me of that access. I think that's the less risky proposition.

    This sounds much less scary to me.
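    The quoted post describes two independent gates on device access: the device itself lists the origins it will talk to (no "allow all" wildcard), and the user must still approve in the chooser. The following is an added example, not code from this thread, from the WebUSB specification or from Chrome: it models that two-gate decision and shows the page-side `navigator.usb.requestDevice` call that triggers the chooser. The names `allowedOrigins`, `requestingOrigin`, `userApproved` and the `vendorId` filter value are illustrative assumptions; `usb` is passed in so the same function runs against `navigator.usb` in a browser or a fake object offline.

```javascript
// Added example, not code from the thread, the WebUSB spec or Chrome. Models the
// two-gate policy (device lists the origin AND the user approves) and the page-side
// request call. allowedOrigins, requestingOrigin, userApproved and the vendorId value
// are illustrative assumptions.

// Gate one: the origin must be one the device itself lists. Origins compare as exact
// scheme://host[:port] strings; any wildcard entry is rejected, because unlike CORS
// there is no "allow all".
function originListedByDevice(allowedOrigins, requestingOrigin) {
  let requested;
  try {
    requested = new URL(requestingOrigin).origin;
  } catch (err) {
    return false; // not a parseable origin
  }
  if (requested === 'null') return false; // opaque origins (file:, data:) never match
  return allowedOrigins.some((entry) => {
    if (typeof entry !== 'string' || entry.includes('*')) return false;
    try {
      return new URL(entry).origin === requested; // scheme, host and port must all match
    } catch (err) {
      return false;
    }
  });
}

// Gate two: the user's explicit choice in the device chooser. Both gates are required:
// a listed origin without consent, or consent for an unlisted origin, is still a denial.
function webUsbAccessDecision(device, requestingOrigin, userApproved) {
  if (!originListedByDevice(device.allowedOrigins || [], requestingOrigin)) {
    return { granted: false, reason: 'origin not listed by device' };
  }
  if (userApproved !== true) {
    return { granted: false, reason: 'user did not approve' };
  }
  return { granted: true, reason: 'origin listed by device and user approved' };
}

// Page side: how a site asks for a single device. The browser shows the chooser and
// rejects with NotFoundError when the user cancels or nothing matches. Filtering by
// vendorId keeps the prompt to the one device the page actually needs.
async function requestDeviceFromPage(usb, vendorId) {
  try {
    const device = await usb.requestDevice({ filters: [{ vendorId }] });
    await device.open();
    if (device.configuration === null) await device.selectConfiguration(1);
    await device.claimInterface(0);
    return { opened: true, productName: device.productName };
  } catch (err) {
    if (err.name === 'NotFoundError') return { opened: false, reason: 'no device chosen' };
    throw err;
  }
}
```

    In a page this would be called from a click handler as `requestDeviceFromPage(navigator.usb, 0x1234)`, since the chooser only opens on a user gesture; the decision function is what a browser conceptually evaluates between that click and the resolved promise.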



  • @dkf oh I get it now. Thanks.


  • :belt_onion:

    @dkf said in Web USB:

    file:/dev/mouse

    HEH.

    That's hilarious


  • area_can

    @sloosecannon said in Web USB:

    THAT IS NOT THE REASON.

    We've detected that you've unplugged your AdView™ USB device. Please insert it and reload the page to view this article.



  • @dkf said in Web USB:

    FWIW, I can remember trolling my fellow undergraduates by putting links to file:/dev/mouse

    So could you do ajax to read from file:/dev/keyboard and then post it to http://whereever?

    Quick and easy keystroke logging.


  • FoxDev

    @Tsaukpaetra I checked the cert they're using, and it's using SHA-1. Which is known to be, in a word, broken.


  • :belt_onion:

    @RaceProUK lol.

    Also not surprising.


  • Discourse touched me in a no-no place

    @Bort said in Web USB:

    So could you do ajax to read from file:/dev/keyboard and then post it to http://whereever?

    This was before JavaScript… when we had an elegant web for a more civilised age. Also, the effect wasn't what you're expecting anyway: the X display objected to having its input devices opened out from under its feet and would promptly crash, triggering the complete immediate termination of the victim's desktop session. ;)

    Doing it when the sucker was in the same room wasn't as good an idea after all. 👊



  • Would this work on a Sun Ray-like thin terminal? Because I think this is what some guys would do to prank the other guys (I was rocking an iBook G4 12-inch 1.2 GHz at the time and only used the Sun machines for printing).


  • :belt_onion:

    @sloosecannon said in Web USB:

    But they don't need a Java applet to log in (you click log in, it'll ask you for a cert. Actually, it might just fail. But if you had a CAC, it would ask you for a cert)

    It'll fail if you don't have a client certificate derived from one of the DoD CAs, depending on server configuration. But yeah. Normal smart card/token authentication is just use of a client certificate in SSL/TLS and it's been working without special browser add-ins and plugins for 15 years.



  • @heterodox I will need to read this all tomorrow. This is my big worry when doing web apps: I will leave everything open.



  • I guess what we need now is a firewall for USB, video, and audio devices; a shim that will sit just above the kernel drivers and check if Chrome is trying to interact with these devices. If so, then the firewall can return "no devices found"¹

    ¹ Or a fake USB descriptor with the string "get off my lawn" for us graybeards


  • Considered Harmful

    @aapis said in Web USB:

    @bb36e I don't understand how this would help.

    That's so you can have the print server run a headless browser with a driver in JavaScript that's being downloaded anew from the manufacturer's site for every print job. Or better, a graphical browser with a script-controlled mouse pointer. Progress!



  • @remi said in Web USB:

    Oh, that's neat!

    It would be neater if it consisted of a standard USB A plug and A socket with 50mm of twin flex in between. Or possibly the same deal in µUSB so you just use it at the phone end.

    I am always deeply suspicious of rigid casings with a plug in one end and a socket in the other. It's just too easy for them to turn into little crowbars and wrench the crap out of whatever you plug them into.

    does cutting a few cables really require a couple of sq. cm of electronics?

    Yes it does, because Apple. You need resistors with specific values hooked between data+, data- and the power pins so that an Apple device will read the socket as being capable of delivering 2A; otherwise it will limit its own charging draw to 500mA and take forever.



  • @gordonjcp said in Web USB:

    made out of recycled cast iron, from those failed 1980s GM engine blocks that went all porous

    and they come pre-inoculated with I-don't-care-to-know-what.


  • Considered Harmful

    @flabdablet said in Web USB:

    does cutting a few cables really require a couple of sq. cm of electronics?

    Yes it does, because Apple. You need resistors [...]

    Don't forget the 32-bit MCU with 1 GB of flash to prevent counterfeiting.


  • :belt_onion:

    @heterodox said in Web USB:

    @sloosecannon said in Web USB:

    But they don't need a Java applet to log in (you click log in, it'll ask you for a cert. Actually, it might just fail. But if you had a CAC, it would ask you for a cert)

    It'll fail if you don't have a client certificate derived from one of the DoD CAs, depending on server configuration. But yeah. Normal smart card/token authentication is just use of a client certificate in SSL/TLS and it's been working without special browser add-ins and plugins for 15 years.

    Precisely. Pretty sure this kind of stuff was supported in IE 6.0.

    So, anyone using a Java applet is, in a word, doing it wrong.


  • :belt_onion:

    @heterodox said in Web USB:

    DoD CAs

    Now, to install those, you need to run a Java program, or at least you did the last time I did that.

    But that's an entirely different thing :)


  • :belt_onion:

    @flabdablet said in Web USB:

    Yes it does, because Apple.

    While Apple is deserving of plenty of shit, and then some, IIRC this is a protection so you don't fry your PC USB ports or similar, which are only capable of sending 500mA (and might do exciting things when attempting to send more). IIRC similar shenanigans are required with USB C to A, with improperly designed cables leading to BS like found here.



  • @sloosecannon said in Web USB:

    only capable of sending 500mA (and might do exciting things when attempting to send more).

    Yes, they are only capable of sending 500mA. No, they don't do exciting things when you try to send more. All they do is current limit or shut off the power; USB is designed to be tolerant of short circuits.

    In theory, a USB target device is not supposed to draw more than 100mA until it's negotiated with its hub or host for more. Most PC USB ports will happily supply up to 500mA without any prior negotiation before current limiting kicks in; most impose lower limits when the PC is on standby power. USB chargers don't care - they just current-limit to their design maximum.

    I guess if you were going to design a gold-plated Rolls-Royce charge-only adapter intended to extract maximum available power regardless of what you plugged it into, you could put a little microcontroller in it that basically acts as a USB firewall, relaying power negotiation packets between device and host but not letting anything else through.

    The rationale for Apple's resistor-sensing arrangements is, I believe, that their USB chargers are designed to shut down entirely if too much is drawn from them, but they don't have any smarts on board to do the proper power-draw negotiation. So instead of tossing in a 20 cent microcontroller to do that properly, they use a couple of 0.1 cent resistors that the devices can sense to know which Apple charger they're connected to. Samsung went the same way, but they used a different convention for resistances than Apple. Which is why you can't fast-charge an iPad off a 2 amp Samsung USB charger - the iPad doesn't see the D+/D- pull-up and pull-down resistances it's expecting for an Apple 2 amp iPad charger or 1 amp iPhone charger, so it limits its draw to 500mA.


  • :belt_onion:

    @flabdablet well my understanding is that it's the same concern as with the Type-C cables that might send too much current. Maybe I'm missing something here?


  • Winner of the 2016 Presidential Election

    @flabdablet said in Web USB:

    You need resistors with specific values hooked between data+, data- and the power pins so that an Apple device will read the socket as being capable of delivering 2A; otherwise it will limit its own charging draw to 500mA and take forever.

    In my experience, Apple devices refuse to charge at all if those resistors don't exist. Standards-compliant active USB hubs are completely ignored.

    Edit: Probably because they don't even negotiate the 500mA correctly?



  • @sloosecannon said in Web USB:

    might send too much current

    Can't be done. You can't just wedge more amps down a wire than the device at the end will soak up. Well, not unless you use a higher voltage than it's designed for. As long as USB power is 5V nominal, it can't force two amps into a device that only wants 500mA.

    I believe some of the upcoming USB stuff will be capable of raising the supply voltage as high as 20V but that really will have to be negotiated for.



  • Also in the news:

    Web Bluetooth
    Sites can now interact with Bluetooth Low Energy (BLE) devices using the Web Bluetooth API on Android, Chrome OS, and Mac. The Web Bluetooth API uses the GATT protocol, which enables web developers to connect to bluetooth devices such as printers and LED displays with just a few lines of JavaScript. Web Bluetooth can also be combined with Physical Web beacons to discover and control nearby devices. To get started, check out these samples and demos on GitHub.

    Chrome 56 Beta announcement


  • FoxDev

    singing lightbulbs

    ...



  • @RaceProUK Sounds like incandescent light-bulbs are making a return? :rimshot:


  • 🚽 Regular

    Maybe they meant singeing lightbulbs. 🔥


  • area_can

    @DCoder said in Web USB:

    Also in the news:

    Web Bluetooth
    Sites can now interact with Bluetooth Low Energy (BLE) devices using the Web Bluetooth API on Android, Chrome OS, and Mac. The Web Bluetooth API uses the GATT protocol, which enables web developers to connect to bluetooth devices such as printers and LED displays with just a few lines of JavaScript. Web Bluetooth can also be combined with Physical Web beacons to discover and control nearby devices. To get started, check out these samples and demos on GitHub.

    Chrome 56 Beta announcement

    Am I the only one here who remembers the DNS DDOS from a couple of months ago that happened because of exploited 'smart' devices? Are they smoking crack?



  • @bb36e there's been multiple DDOSes from IoT devices now, not just on DNS. Maybe some of the IoT abusers are lobbying for this shit to be a thing to make their life easier.



  • @flabdablet To be fair the used engine oil will probably kill off any bacteria or viruses. Might be a little carcinogenic, is all.



  • @bb36e I for one look forward to empty streets when everyone's smart car gets DDoS'd by everyone's smart spoons and smart underwear and smart wallpaper, and I'm still trucking along in a decades-old vehicle with no Internet connection.



  • @mott555 You know, all those things can be implemented properly and securely, it's just that nobody cares enough to do it.


  • :belt_onion:

    @sloosecannon said in Web USB:

    Now, to install those, you need to run a Java program, or at least you did the last time I did that.

    Preferred method is now to use DISA's InstallRoot tool which can be run on Windows with non-administrative permissions. Use of any installation mechanism is only really necessary due to the volume of intermediate CAs though. (Installing intermediate CAs wouldn't even be necessary if we could be sure that the end entity machine would have Internet access for use of AIA extensions.)


  • :belt_onion:

    @heterodox Right, IIRC the InstallRoot tool was an executable jar file. Or it was the last time I did that :)

    It's been a while though, since you only need to do that once.


  • :belt_onion:

    @flabdablet said:

    @sloosecannon said in Web USB:

    might send too much current

    Can't be done. You can't just wedge more amps down a wire than the device at the end will soak up. Well, not unless you use a higher voltage than it's designed for. As long as USB power is 5V nominal, it can't force two amps into a device that only wants 500mA.

    I believe some of the upcoming USB stuff will be capable of raising the supply voltage as high as 20V but that really will have to be negotiated for.

    Right, I get that. I think the concern is with sending more power than the sending device can safely send.



  • I think the concern is with sending more power than the sending device can safely send.

    High Energy


  • :belt_onion:

    @sloosecannon It's a .NET application now, with optional command-line tool, GUI, Windows service to keep things up to date, utilizes Windows Installer and targets Microsoft certificate stores, Firefox NSS store, and any Java installations it can find on the system (cacerts). Pretty sweet.


  • ♿ (Parody)

    @sloosecannon said in Web USB:

    They do a cert request from the system, and it works with a CAC (smartcard) without having to have any plugins installed.

    Isn't that only true for IE?


  • :belt_onion:

    @boomzilla Nope, works in Chrome too. Maybe Firefox, haven't checked but see no reason it wouldn't.

    @heterodox said in Web USB:

    @sloosecannon It's a .NET application now, with optional command-line tool, GUI, Windows service to keep things up to date, utilizes Windows Installer and targets Microsoft certificate stores, Firefox NSS store, and any Java installations it can find on the system (cacerts). Pretty sweet.

    Oh, nice! The old one was a little bleh lol


  • :belt_onion:

    @lucas1 said in Web USB:

    I think the concern is with sending more power than the sending device can safely send.

    High Energy

    Pretty sure it's out of spec for any human to send lasers out of their eyes. He should get that checked on :P


  • ♿ (Parody)

    @sloosecannon said in Web USB:

    Nope, works in Chrome too. Maybe Firefox, haven't checked but see no reason it wouldn't

    Uh...then how do you explain stuff like this?

    1. Windows 7 (and below) users: download ActivClient 6.2.0.50 from links on the ActivClient page, and then update it.

  • :belt_onion:

    @boomzilla said in Web USB:

    @sloosecannon said in Web USB:

    Nope, works in Chrome too. Maybe Firefox, haven't checked but see no reason it wouldn't

    Uh...then how do you explain stuff like this?

    1. Windows 7 (and below) users: download ActivClient 6.2.0.50 from links on the ActivClient page, and then update it.

    Probably talking about OWA... 2003 or whatever the old crappy IE-only version is. @heterodox probably has better info than I do on that, since I don't use FF or Windows 7 (and below) :)

    MilitaryCAC is kinda out of date sometimes too. Kinda really out of date. Most of the info still applies, usually, but not always...


  • ♿ (Parody)

    @sloosecannon I just thought that talking to smart cards required some additional software for both Chrome and Firefox (like ActivClient or opensc). They always have in my experience.


  • :belt_onion:

    @boomzilla Maybe back with XP or something. The Windows Crypto APIs have been used by Chrome for as long as I've been using Chrome with smartcards so... ¯\_(ツ)_/¯

