Google is working to dramatically increase the power of web browsers. There's one big problem: The plan could create new security problems that undermine the web.
The web has had a remarkable track record of thwarting attacks. You can generally click a link and trust that your browser will protect you. By contrast, app stores require constant monitoring to keep phone malware away while confirmation dialog boxes stand in the way of problem software on your PC.
One part of Google's plan lets browsers communicate directly with hardware devices through USB ports, and over Bluetooth and NFC wireless links. This new class of web app technology, which includes abilities called Web USB, Web Bluetooth and Web NFC, could allow you to install an operating system on your phone, update your calculator's firmware, fetch data from your science fair project's sensor, and receive contact details from a friend's phone over NFC.
The risks, however, are considerable. For example, Bluetooth, USB and NFC are used to connect hardware security keys to PCs and phones for strong two-factor authentication. So one danger is hackers using a website to steal your login credentials. Indeed, Web USB was a problem for hardware security key maker Yubico, which had to deal with a serious Web USB vulnerability in 2018.
Web USB on a PC's browser could make it easier to program small Arduino computers that are popular among hobbyists. But if a malicious web app successfully takes control of the Arduino, a hacker could use USB's privileged status to mount a new attack right back on the PC, something Mozilla Chief Technology Officer Eric Rescorla calls a "boomerang attack." Web USB would be exposed to the internet devices, like voting machines and insulin pumps that were designed for a more protected environment, he added.
The new web technology could make your life easier, especially if you're using a Chromebook powered by Google's Chrome OS. But Google and allies, such as Intel, haven't convinced skeptics the technology won't also make life easier for the bad guys. And let's face it, we already have plenty of security worries.
"Enabling a lot of features by default that are not being used by the majority of people seems like a risk not worth taking," said James Loureiro, director of UK research for cybersecurity firm F-Secure.
That's a notable stance for Loureiro, a programmer who's generally impressed with browser security. As we spoke, he was fuzz testing a browser, trying to find vulnerabilities by pounding its interfaces with random data. He sees native apps as the weak security link. After writing browser attacks for the high-profile Pwn2Own hacking contest, he concluded the best browser-based attacks actually hand off control to native apps with feebler security.
Google's work is part of Project Fugu, an effort to make the web more capable so it's not eclipsed by apps like Instagram or Apple News that run natively on your phone or PC. Google leads allies like Microsoft and Intel. Many web developers are also onboard. The idea is to let a click on the web replace the comparatively cumbersome process of finding, downloading and installing ordinary apps that run natively on operating systems like Windows, MacOS, iOS and Android. Developers could benefit because they'd only need to write a single web app rather than a handful of native apps.
Fugu is much broader than Web NFC, Web Bluetooth and Web USB. But to meet its full potential, Fugu fans will have to persuade skeptics like Apple to join in, and Apple is downright frosty about some of Google's plans. Security and privacy are its top concerns.
Apple also has a vested interest in native apps. It has an enormous business selling iPhones and is a big fan of apps that run natively on it. Those apps often help keep people in the iPhone fold, and developers pay Apple up to 30% of what they make on app store sales.
Google's security work
Google, the foremost champion of this more powerful web, believes security is well in hand. It also has a big market to protect; its Chrome browser accounts for 65% share of usage, dominating its rivals.
To try to secure Web USB and related features, Google blocks particular websites from accessing devices and blocks websites from using hardware devices known to be vulnerable. With Web USB, websites can only use the feature after an active user gesture that helps protect against automated attacks. To use the interfaces, users must grant permission through a dialog box. And Chrome limits those permissions, so for example, a website only can access the specific Bluetooth headset you approved.
"Our focus is on trying to convey to people something they understand about what's going on and let them make an informed decision," said Ben Goodger, a founding member of Google's Chrome team who now directs its Web Platform team.
Google has a strong browser security track record. "Security is one of the four original principles of Chrome," Goodger said. Indeed, Google pioneered the now universal browser "sandbox" that limits web software to protective confinement. And it was first to build extra browser isolation features to thwart a newer class of "Spectre"-style attacks.
Apple is one of the biggest obstacles to Google's web vision, not just because it makes the widely used Safari browser but because it requires all browsers on iPhones and iPads to employ its own WebKit browser foundation. Apple bars web technology it doesn't like from every iPhone on the planet.
And it doesn't like Web USB, Web Bluetooth and Web NFC.
"We oppose this feature and will not implement it," Maciej Stachowiak, a Safari leader, said in a mailing list post about Web NFC.
Interfaces like Web NFC and Web USB "pose new threats" that could undermine faith in web security, fellow Apple Safari programmer Ryosuke Niwa said in another post. "If we continue this path, at some point (or maybe we're already there), the web will turn into any other non-web platform where ordinary users can only use well known, trusted applications or visit well known, trusted websites just like how native apps work today."
Browser risks must be judged against the risks of native apps that also get lots of privileges. Evaluating and managing native app risks requires ordinary people to become sophisticated system administrators, Goodger said. And while new browser interfaces to hardware pose risks, website code runs in a browser's protective sandbox, unlike native software whose higher privileges are useful to attackers.
In Intel's view, Web USB could help hospital staff plug a CPR training mannequin into a computer to upload its data to a website -- even if they can't install software on the computer, said Kenneth Rohde Christiansen, the chipmaker's senior web platform architect. Or consumers could configure gamepads and webcams without having to find installation software.
"I see a lot of companies that have these devices and don't want to rely on native apps," he said. Apps go out of date, too. The forthcoming Windows 10X might not be able to run old-school Windows software.
Firefox and Brave also object
Privacy is another concern. Browser startup Brave uses Google's open-source Chromium foundation, but it's removed Web Bluetooth, doesn't support Web NFC and plans to remove Web USB.
"The vast majority of these interfaces are not useful for the vast majority of websites, and many of them have well-documented privacy or tracking attacks," said Peter Snyder, a senior privacy researcher at Brave. He worries there's no way to add Web USB, Web NFC and Web Bluetooth without privacy harm or "unmanageable user permission fatigue" triggered by ceaseless dialog website boxes.
Another objection came from Firefox programmer Adam Roach, who believes there's no simple way to let people assess the risks of the interfaces when websites seek permission through a browser dialog box.
Mozilla would love to offer technology like Web USB, but not if it undermines an enormous advantage the web has over native applications today.
Security is "the web's superpower," Rescorla said. "It's the application platform you can run anything on. We don't want to squander that."
Originally published July 29, 5 a.m. PT.
Update, 9:42 a.m. PT: Clarifies that Brave plans to remove Web USB support though it hasn't yet done so.