Google’s plan for Chrome capability has a big security risk

Posted on 03.09.2022 by Mobiletech

Google is working to dramatically increase the power of web browsers. There’s one big problem: The plan could create new security problems that undermine the web.

The web has had a remarkable track record of thwarting attacks. You can generally click a link and trust that your browser will protect you. By contrast, app stores require constant monitoring to keep phone malware away while confirmation dialog boxes stand in the way of problem software on your PC.

One part of Google’s plan lets browsers communicate directly with hardware devices through USB ports, and over Bluetooth and NFC wireless links. This new class of web app technology, which includes abilities called Web USB, Web Bluetooth and Web NFC, could allow you to install an operating system on your phone, update your calculator’s firmware, fetch data from your science fair project’s sensor, and receive contact details from a friend’s phone over NFC.

The risks, however, are considerable. For example, Bluetooth, USB and NFC are used to connect hardware security keys to PCs and phones for strong two-factor authentication. So one danger is hackers using a website to steal your login credentials. Indeed, Web USB was a problem for hardware security key maker Yubico, which had to deal with a serious Web USB vulnerability in 2018.

Web USB on a PC’s browser could make it easier to program small Arduino computers that are popular among hobbyists. But if a malicious web app successfully takes control of the Arduino, a hacker could use USB’s privileged status to mount a new attack right back on the PC, something Mozilla Chief Technology Officer Eric Rescorla calls a “boomerang attack.” Web USB would also expose to the internet devices, like voting machines and insulin pumps, that were designed for a more protected environment, he added.

The new web technology could make your life easier, especially if you’re using a Chromebook powered by Google’s Chrome OS. But Google and allies, such as Intel, haven’t convinced skeptics the technology won’t also make life easier for the bad guys. And let’s face it, we already have plenty of security worries.

“Enabling a lot of features by default that are not being used by the majority of people seems like a risk not worth taking,” said James Loureiro, director of UK research for cybersecurity firm F-Secure.

That’s a notable stance for Loureiro, a programmer who’s generally impressed with browser security. As we spoke, he was fuzz testing a browser, trying to find vulnerabilities by pounding its interfaces with random data. He sees native apps as the weak security link. After writing browser attacks for the high-profile Pwn2Own hacking contest, he concluded the best browser-based attacks actually hand off control to native apps with feebler security.

Project Fugu

Google’s work is part of Project Fugu, an effort to make the web more capable so it’s not eclipsed by apps like Instagram or Apple News that run natively on your phone or PC. Google leads allies like Microsoft and Intel. Many web developers are also on board. The idea is to let a click on the web replace the comparatively cumbersome process of finding, downloading and installing ordinary apps that run natively on operating systems like Windows, MacOS, iOS and Android. Developers could benefit because they’d only need to write a single web app rather than a handful of native apps.

Fugu is much broader than Web NFC, Web Bluetooth and Web USB. But to meet its full potential, Fugu fans will have to persuade skeptics like Apple to join in, and Apple is downright frosty about some of Google’s plans. Security and privacy are its top concerns.

Apple also has a vested interest in native apps. It has an enormous business selling iPhones and is a big fan of apps that run natively on it. Those apps often help keep people in the iPhone fold, and developers pay Apple up to 30% of what they make on app store sales.

Google’s security work

Google, the foremost champion of this more powerful web, believes security is well in hand. It also has a big market to protect; its Chrome browser accounts for a 65% share of usage, dominating its rivals.

To try to secure Web USB and related features, Google blocks particular websites from accessing devices and blocks websites from using hardware devices known to be vulnerable. With Web USB, websites can only use the feature after an active user gesture, which helps protect against automated attacks. To use the interfaces, users must grant permission through a dialog box. And Chrome limits those permissions, so for example, a website can only access the specific Bluetooth headset you approved.
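The limits above are applied by the browser. A site that never needs hardware access can also switch these features off for its own pages with the `Permissions-Policy` response header, which the article does not cover. The following is an added example, not code from the article or from Google: it audits a header value for the `usb` and `bluetooth` feature names defined by the WebUSB and Web Bluetooth specifications. The sample header values and the helper names are constructed for illustration, and the parser assumes allowlists carry no parameters.

```javascript
// Added example: audit a Permissions-Policy header for hardware-access features.
const HARDWARE_FEATURES = ["usb", "bluetooth"];

// Parse `feature=(allowlist)` directives into a Map of feature -> allowlist.
// Assumption: no commas inside quoted origins and no `;param` suffixes.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const directive of (headerValue || "").split(",")) {
    const match = directive.trim().match(/^([a-z0-9-]+)=(.*)$/);
    if (!match) continue; // skip empty or malformed directives
    const [, feature, rawValue] = match;
    const value = rawValue.trim();
    let allowlist;
    if (value.startsWith("(") && value.endsWith(")")) {
      // Inner list: an empty list `()` disables the feature everywhere.
      allowlist = value.slice(1, -1).trim().split(/\s+/).filter(Boolean);
    } else {
      allowlist = [value]; // bare item such as `*` or `self`
    }
    // A repeated feature overwrites the earlier entry (last one wins).
    policy.set(feature, allowlist.map((t) => t.replace(/^"|"$/g, "")));
  }
  return policy;
}

// Report, per hardware feature, whether the response disables it,
// allows it for listed origins, or leaves the browser default in place.
function auditHardwareFeatures(headerValue) {
  const policy = parsePermissionsPolicy(headerValue);
  const report = {};
  for (const feature of HARDWARE_FEATURES) {
    if (!policy.has(feature)) report[feature] = "not set";
    else if (policy.get(feature).length === 0) report[feature] = "disabled";
    else report[feature] = "allowed: " + policy.get(feature).join(" ");
  }
  return report;
}

// Constructed sample header values, not captured from any real site.
const samples = [
  "usb=(), bluetooth=()",
  'geolocation=(self), usb=(self "https://tools.example")',
  "",
];
for (const header of samples) {
  console.log(JSON.stringify(header), auditHardwareFeatures(header));
}
```

A result of "not set" means the browser's default allowlist applies, so only an explicit empty list `()` shows the site has opted out.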

“Our focus is on trying to convey to people something they understand about what’s going on and let them make an informed decision,” said Ben Goodger, a founding member of Google’s Chrome team who now directs its Web Platform team.

Google has a strong browser security track record. “Security is one of the four original principles of Chrome,” Goodger said. Indeed, Google pioneered the now universal browser “sandbox” that limits web software to protective confinement. And it was first to build extra browser isolation features to thwart a newer class of “Spectre”-style attacks.

Careful, now

Apple is one of the biggest obstacles to Google’s web vision, not just because it makes the widely used Safari browser but because it requires all browsers on iPhones and iPads to employ its own WebKit browser foundation. Apple bars web technology it doesn’t like from every iPhone on the planet.

And it doesn’t like Web USB, Web Bluetooth and Web NFC.

“We oppose this feature and will not implement it,” Maciej Stachowiak, a Safari leader, said in a mailing list post about Web NFC.

Interfaces like Web NFC and Web USB “pose new threats” that could undermine faith in web security, fellow Apple Safari programmer Ryosuke Niwa said in another post. “If we continue this path, at some point (or maybe we’re already there), the web will turn into any other non-web platform where ordinary users can only use well known, trusted applications or visit well known, trusted websites just like how native apps work today.”

Weighing alternatives

Browser risks must be judged against the risks of native apps that also get lots of privileges. Evaluating and managing native app risks requires ordinary people to become sophisticated system administrators, Goodger said. And while new browser interfaces to hardware pose risks, website code runs in a browser’s protective sandbox, unlike native software whose higher privileges are useful to attackers.

In Intel’s view, Web USB could help hospital staff plug a CPR training mannequin into a computer to upload its data to a website — even if they can’t install software on the computer, said Kenneth Rohde Christiansen, the chipmaker’s senior web platform architect. Or consumers could configure gamepads and webcams without having to find installation software.

“I see a lot of companies that have these devices and don’t want to rely on native apps,” he said. Apps go out of date, too. The forthcoming Windows 10X might not be able to run old-school Windows software.

Firefox and Brave also object

Privacy is another concern. Browser startup Brave uses Google’s open-source Chromium foundation, but it’s removed Web Bluetooth, doesn’t support Web NFC and plans to remove Web USB.

“The vast majority of these interfaces are not useful for the vast majority of websites, and many of them have well-documented privacy or tracking attacks,” said Peter Snyder, a senior privacy researcher at Brave. He worries there’s no way to add Web USB, Web NFC and Web Bluetooth without privacy harm or “unmanageable user permission fatigue” triggered by ceaseless website dialog boxes.

Another objection came from Firefox programmer Adam Roach, who believes there’s no simple way to let people assess the risks of the interfaces when websites seek permission through a browser dialog box.

Mozilla would love to offer technology like Web USB, but not if it undermines an enormous advantage the web has over native applications today.

Security is “the web’s superpower,” Rescorla said. “It’s the application platform you can run anything on. We don’t want to squander that.”

Originally published July 29, 5 a.m. PT.
Update, 9:42 a.m. PT: Clarifies that Brave plans to remove Web USB support though it hasn’t yet done so.
