Google's plan for Chrome capability has a big security risk
Apple, Mozilla and Brave don't want web apps to talk directly to USB, Bluetooth and NFC hardware.
Stephen Shankland, principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Google is working to dramatically increase the power of web browsers. There's one big problem: The plan could create new security problems that undermine the web.
The web has had a remarkable track record of thwarting attacks. You can generally click a link and trust that your browser will protect you. By contrast, app stores require constant monitoring to keep phone malware away while confirmation dialog boxes stand in the way of problem software on your PC.
Web USB on a PC's browser could make it easier to program small Arduino computers that are popular among hobbyists. But if a malicious web app successfully takes control of the Arduino, a hacker could use USB's privileged status to mount a new attack right back on the PC, something Mozilla Chief Technology Officer Eric Rescorla calls a "boomerang attack." Web USB would expose to the internet devices, like voting machines and insulin pumps, that were designed for a more protected environment, he added.
The new web technology could make your life easier, especially if you're using a Chromebook powered by Google's Chrome OS. But Google and allies, such as Intel, haven't convinced skeptics the technology won't also make life easier for the bad guys. And let's face it, we already have plenty of security worries.
"Enabling a lot of features by default that are not being used by the majority of people seems like a risk not worth taking," said James Loureiro, director of UK research for cybersecurity firm F-Secure.
That's a notable stance for Loureiro, a programmer who's generally impressed with browser security. As we spoke, he was fuzz testing a browser, trying to find vulnerabilities by pounding its interfaces with random data. He sees native apps as the weak security link. After writing browser attacks for the high-profile Pwn2Own hacking contest, he concluded the best browser-based attacks actually hand off control to native apps with feebler security.
Google's work is part of Project Fugu, an effort to make the web more capable so it's not eclipsed by apps like Instagram or Apple News that run natively on your phone or PC. Google leads allies like Microsoft and Intel. Many web developers are also on board. The idea is to let a click on the web replace the comparatively cumbersome process of finding, downloading and installing ordinary apps that run natively on operating systems like Windows, MacOS, iOS and Android. Developers could benefit because they'd only need to write a single web app rather than a handful of native apps.
Fugu is much broader than Web NFC, Web Bluetooth and Web USB. But to meet its full potential, Fugu fans will have to persuade skeptics like Apple to join in, and Apple is downright frosty about some of Google's plans. Security and privacy are its top concerns.
Apple also has a vested interest in native apps. It has an enormous business selling iPhones and is a big fan of apps that run natively on it. Those apps often help keep people in the iPhone fold, and developers pay Apple up to 30% of what they make on app store sales.
Google's security work
Google, the foremost champion of this more powerful web, believes security is well in hand. It also has a big market to protect; its Chrome browser accounts for a 65% share of usage, dominating its rivals.
To try to secure Web USB and related features, Google blocks particular websites from accessing devices and blocks websites from using hardware devices known to be vulnerable. With Web USB, websites can only use the feature after an active user gesture, which helps protect against automated attacks. To use the interfaces, users must grant permission through a dialog box. And Chrome limits those permissions, so, for example, a website can access only the specific Bluetooth headset you approved.
"Our focus is on trying to convey to people something they understand about what's going on and let them make an informed decision," said Ben Goodger, a founding member of Google's Chrome team who now directs its Web Platform team.
Google has a strong browser security track record. "Security is one of the four original principles of Chrome," Goodger said. Indeed, Google pioneered the now universal browser "sandbox" that limits web software to protective confinement. And it was first to build extra browser isolation features to thwart a newer class of "Spectre"-style attacks.
Interfaces like Web NFC and Web USB "pose new threats" that could undermine faith in web security, fellow Apple Safari programmer Ryosuke Niwa said in another post. "If we continue this path, at some point (or maybe we're already there), the web will turn into any other non-web platform where ordinary users can only use well known, trusted applications or visit well known, trusted websites just like how native apps work today."
Browser risks must be judged against the risks of native apps that also get lots of privileges. Evaluating and managing native app risks requires ordinary people to become sophisticated system administrators, Goodger said. And while new browser interfaces to hardware pose risks, website code runs in a browser's protective sandbox, unlike native software whose higher privileges are useful to attackers.
In Intel's view, Web USB could help hospital staff plug a CPR training mannequin into a computer to upload its data to a website -- even if they can't install software on the computer, said Kenneth Rohde Christiansen, the chipmaker's senior web platform architect. Or consumers could configure gamepads and webcams without having to find installation software.
Privacy is another concern. Browser startup Brave uses Google's open-source Chromium foundation, but it's removed Web Bluetooth, doesn't support Web NFC and plans to remove Web USB.
"The vast majority of these interfaces are not useful for the vast majority of websites, and many of them have well-documented privacy or tracking attacks," said Peter Snyder, a senior privacy researcher at Brave. He worries there's no way to add Web USB, Web NFC and Web Bluetooth without privacy harm or "unmanageable user permission fatigue" triggered by ceaseless website dialog boxes.