Sure, we need security UX experts to make sure it's being adequately communicated. The answer isn't "Just make them install an EXE, then it's not our problem"!
Conversation
The first step to understanding whether the UX is correct is to survey the current non-malicious uses of WebUSB and understand whether to support each use case, whether a different API should be exposed for it instead, and whether users can navigate the UI to stop harmful uses.
2
1
So, what about this use case?
twitter.com/GrapheneOS/sta
In theory, the browser could have a fastboot API and could explicitly hard-wire a list of devices with a proper OEM unlocking toggle, user confirmation for `fastboot unlock` and verified boot. Can't really see it happening.
Quote Tweet
An experimental version of our web-based installer for GrapheneOS is now available:
grapheneos.org/install/web
This can be used from browsers with WebUSB support. Most Chromium-based browsers are supported including Chrome, Edge and Brave. No need to run any additional software.
Show this thread
1
Updating firmware on other kinds of USB devices seems like a legitimate use case. It would be pretty cool if I could go the Logitech website and update the firmware for my mouse on an arbitrary OS rather than installing their software on Windows. What if I don't have Windows?
1
1
What if I don't want to install / run Logitech's sketchy software on my Windows installation? By the way, I really don't want to do that. That means I don't update the firmware on my wireless mouse. That seems like a bad thing. I would assume there are security updates for it.
2
1
I guess I could install Windows in a VM, forward the USB device to it, install the Logitech bloatware and update my mouse that way. I'd prefer going to their site and installing the firmware from there, and trusting the combination of their site + firmware signature verification.
1
I'm not even sure if wireless keyboards have learned to encrypt traffic yet (with something other than fixed XOR) or not
1
1
I use a wired keyboard, but I can't stand a non-wireless mouse. I use one of these with the horrible LED disabled: logitechg.com/en-us/products. I had to have Logitech's software installed at one point to configure it, and I never want to have it again. It's pretty horrifying.
1
1
Logitech has some form of authenticated encryption with a pairing system. The receiver the device comes with is already paired and you can buy a generic receiver able to pair with multiple of their devices. No clue if it's actually any good but they do have some form of security.
2
well, they were the vendor that used fixed XOR... in fairness, I've programmed that silicon, and you can't fit anything remotely secure into it and still have it function like a mouse.
1
2
logitech.com/images/pdf/roe says they use 128-bit AES but that isn't very reassuring to me since it could mean they use AES in ECB mode without a MAC or proper authentication / key exchange. I don't really expect that it's very secure, but I'd like security updates if available.