The UI also very temptingly looks like all the website can do is use the device for its intended function, because that's how normal users think and how it should work. But most devices were built with an assumption of trust between the driver and hardware, and now suddenly there's a security boundary there. With this there's an untrusted agent interacting with a device that may have vulnerabilities, which can itself then also interact with vulnerabilities the host may have towards USB devices.

It's not that this can't be done, it's that this is changing the rules that existing security is built on.

I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites. Both add extra checkpoints where some security can be added back in, or rather perform this "weakening" of the previous security boundary in a more controlled manner.

What's the difference between a website accessing the USB device, and downloading an app that accesses it? (Apart from the website being more convenient and cross platform.)

To put it another way, why is it ok to trust Arduino.exe but not Arduino.com?

- People have been trained to understand downloading and executing an "Arduino.exe" is potentially dangerous and that they need to check if they trust the source

- most OSes expect a digital signature on "Arduino.exe" these days

- there's a whole ecosystem of protection and antivirus software that attempts to detect malicious use

- depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

- a code injection attack against "Arduino.exe" is much harder; unlike "Arduino.com" which can load entirely different on each visit, you need to exploit an (easier to protect) auto-update mechanism. (Depending on the use case, an application can also be just fine without an update mechanism.)

- "Arduino.exe" isn't built on an ecosystem that routinely loads 3rd party code from outside sources

And to repeat, I don't think WebUSB in general is a bad idea. I'm arguing the security model should be more restrictive; that's why I suggested:

> I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites.

The browser add-on ecosystem is IMHO a better framework to build something like WebUSB in, but to be fair I haven't spent thought on a more in-depth evaluation of this. Also note that there's good precedence for whitelist systems, e.g. in WinUSB the USB device itself can already do some signalling. (But that doesn't work for older USB devices and has its own can of worms…)

> depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

Which OS are you thinking of? WebUSB doesn't need any additional drivers, so if the browser can do it I assume any app can do it.

The extra friction is a feature. People just click through popups that stop them from doing things in existing apps and on the websites. I'm sure I've accidentally allowed something before just because an element was underneath before the popup.

On the other hand, you don't accidentally install an app.

> What's the difference between a website accessing the USB device, and downloading an app that accesses it?

Arguably the browser is far more secure. A hypothetical "Arduino.exe" can access anything, not actually select the USB device the user selected due to a bug.

> Arguably the browser is far more secure.

The browser is far more secure because everything it allows access to is tightly controlled, in most cases by scoping it to the website. Even if you grant persistent camera/microphone access, it remains scoped temporally: you need to have the website opened up.

An USB device fundamentally does not support this security model. Code that can interact with an USB device can put persistent state on it without any checks enforced upon it. That USB device may later interact with other (bug-laden) code on the same system, or even worse, be moved to a different host entirely, with a different OS stack there, and trigger interactions there.

Yes, the browser is far more secure — because it has very few (anti-)features like this. I'm incredibly happy that WebUSB is not particularly commonplace to use. Having secure browsers is more important to me than the convenience of USB access from websites.

The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.

> The problem isn't the UI, the problem is that like all software, browsers have bugs, and a CVE in this part of the code base could have catastrophic consequences. Chromium and its derivatives are highly reviewed code bases, both by good and bad actors, and there's still a considerable list of CVEs every year.

That is an argument against any feature whatsoever beyond maybe a JS-free links/lynx browser. The worse browser bug is a sandbox escape that can obtain root privileges. This has been done by exploiting many different JS features. USB communication is not more of a hazard than webgl or setTimeout().

> USB communication is not more of a hazard than webgl or setTimeout().

It is though. setTimeout is very limited. WebGL does lots custom allocations which are ripe for exploits (like the native arrays in JS). USB has all that + the scope of every device plugged in which may come with its own issues.