What are some interesting uses of WebUSB you have come across?

This is cool, but both safari and firefox will not implement it:

https://usefulangle.com/web-updates/post/80/firefox-decines-...

I assume this is because of security concerns.

Am I alone in thinking even its Chrome implementation is a massive security risk? The fact that users can grant any webpage COMPLETE control of a USB attached device is astonishing. Live webpages shouldn't be able to access this feature - can't wait for fake jailbreak and backup services to start cropping up.

ocdtrekkie · 3 years ago

It's an incredibly bad idea, at work for the one Chromium browser we permit (Edge), we have to use policies to block this and several dozen major security vulnerabilities that exist solely because they make cool Google I/O demos.

CamperBob2 · 3 years ago

So because a few bad actors might abuse it, and some users will fall into the traps laid for them, none of us get to use it.

I reject this way of thinking. Letting bad guys dictate how you live your life and how you use your computer just doesn't scale that well.

8K832d7tNmiQ · 3 years ago

It should be an opt-in feature behind browser flag or only available for enterprise users IMO.

moondev · 3 years ago

Security or privacy (thumbprinting)?

To be fair I'm still exploring it, once you choose a USB device when prompted, is that access for the session or longer?

ocdtrekkie · 3 years ago

I think it might be session, but the issue is that most users simply accept permission popups, often without consciously recognizing they did. I've cleaned out the notifications permissions on browsers for dozens of people; all of them denied allowing various websites to spam them with notifications.

spookthesunset · 3 years ago

That article is from 2020…

dmitriid · 3 years ago

Nothing has changed. Both Safari and Firefox are against most hardware APIs for reasons of security and privacy.

Sometimes they implement a seemingly innocuous API like WebMIDI, and boom, fingerprinting: https://twitter.com/denschub/status/1582730985778556931?s=20...

VIA, as you mentioned, is one of the niftiest I've seen.

I just wish that VIA was a bit more robust, particularly around macros... I want to do something that does separate key down and key up events with pauses between. Unfortunately, VIA doesn't do that. And worse, my keyboard (Keychron K3 Pro) doesn't yet have a public firmware build for QMK, so I can't do it directly in there either...

(I'm trying to write a macro for blanking the screen in macOS. Normally this is ctrl-shift-eject with eject held for a brief moment, but a macro of that rarely works from VIA. It needs a little delay at the end. If I add a no-op key to the end it then works, but also leaves ctrl and shift stuck down until I manually press each of them, which is no good.)

</digress>

jaygreco · 3 years ago

VIA is an awesome resource for the community and really lowers the bar on entry (our users no longer need to or are expected to compile their own firmware just to tweak keys) as well as just being convenient and nice to have.

My only gripe is that they moved to web-only from “native” apps instead of offering both, but if that’s what needed to happen to bump up the development velocity, so be it.

Re: the delays, I think I recently saw something about delays being possible in macros now, or perhaps soon — it might have been in QMK nightly, I can’t remember.

c0nsumer · 3 years ago

It's definitely not currently possible in VIA. It seems to be in normal QMK because the advanced documentation mentions it like it's a normal thing.

But I otherwise agree, it really does make things easy. I just wish it did a little bit more...

Deleted Comment

arkadiyt · 3 years ago

The reason hardware 2fa keys like yubikeys are unphishable is that the browser controls the usb communication with the hardware key and passes the origin of the page to it - the page itself can't spoof an origin.

But with WebUSB a page _can_ communicate directly to a yubikey and pretend it's being asked to authenticate on a different origin. It's been fixed now but it was an interesting bypass:

- https://www.yubico.com/support/issue-rating-system/security-...

- https://www.wired.com/story/chrome-yubikey-phishing-webusb/

dheera · 3 years ago

Hmm this might not quite be WebUSB territory but it would be interesting to put a Yubikey in the cloud so it could be accessed from anywhere.

djbeadle · 3 years ago

I've written this comment before bu what you need is a remotely controlled finger for pressing YubiKeys: https://bert.org/2020/10/01/pressing-yubikeys/

scrollaway · 3 years ago

This gets us back to TOTP seeds in password managers. IMO that's a good model; physical stuff gets lost, broken, stolen, etc (hence one reason why you should not rely on SMS: It relies on a physical SIM card, and a physical device).

What is the advantage of yubikey over TOTP in that scenario though?

mrtesthah · 3 years ago

Isn't that just like storing a PassKey in iCloud Keychain?

dsfgagdsaf · 3 years ago

what is interesting about that, and what purpose would it serve?

jaustin · 3 years ago

It's used for flashing the BBC micro:bit in both Microsoft MakeCode (https://makecode.microbit.org) and the micro:bit Python Editor (https://python.microbit.org). MakeCode uses it for lots of other devices like MakeCode Arcade too https://arcade.makecode.com )

It's amazing for students to be able to quickly get a program they've written in their browser onto a device in their hands that can respond to and interact with the real world.

Also great because with MicroPython and the Python Editor you get a standalone Python environment including REPL that's completely isolated from the PC - schools love it because no matter what the students do they're not going to break the host PCs.

(The firmware that implements web USB on the micro:bit's USB interface chip is open source, DAPLink https://github.com/ARMmbed/DAPLink)

TazeTSchnitzel · 3 years ago

I was looking into Android phone hacking and was surprised to discover https://webadb.com/. It's a web equivalent of adb (Android Debug Bridge), which can install applications on a device connected over USB, among other things.

f_devd · 3 years ago

Very cool project but knowing how much access adb gives to your phone I wouldn't trust it unless you're self-hosting.

devanl · 3 years ago

I've deployed an internal version of the upstream project (ya-webadb [1]) before. It can be built as a static site, and the upstream version publishes to GitHub pages, so it's really easy to self-host.

1: https://github.com/yume-chan/ya-webadb

favourable · 3 years ago

GrapheneOS uses WebUSB to flash Pixel phones:

https://grapheneos.org/install/web

c7DJTLrn · 3 years ago

https://flash.android.com/

as well. I don't use Android anymore, but it's seriously cool that you can reflash the OS from a webpage.

nextaccountic · 3 years ago

Cool and kind of dangerous for nontechnical users tbh

kdrag0n · 3 years ago

Yep, WebUSB code for the curious: https://github.com/kdrag0n/fastboot.js

BiteCode_dev · 3 years ago

beyondcompute · 3 years ago

Web MiniDisc:

https://github.com/asivery/webminidisc

joecool1029 · 3 years ago

This definitely wins for me, a full easy to use management software to convert and burn or copy music off minidiscs (something that wasn't possible before digitally on most decks), it's very cool. This is the direct link to it running: https://web.minidisc.wiki/

phcreery · 3 years ago

Web based esp32 flasher, specifically for squeezelite-esp32

https://sle118.github.io/squeezelite-esp32-installer/

upon_drumhead · 3 years ago

ESPHome in HomeAssistanat also makes use of WebUSB. It's a pretty seamless and nice interface.

https://www.esphome.io/guides/getting_started_hassio.html

gregmac · 3 years ago

Wled [1] install is similar: https://install.wled.me/

[1] https://github.com/Aircoookie/WLED