
- People have been trained to understand downloading and executing an "Arduino.exe" is potentially dangerous and that they need to check if they trust the source

- most OSes expect a digital signature on "Arduino.exe" these days

- there's a whole ecosystem of protection and antivirus software that attempts to detect malicious use

- depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

- a code injection attack against "Arduino.exe" is much harder; unlike "Arduino.com", which can load entirely differently on each visit, you need to exploit an (easier to protect) auto-update mechanism. (Depending on the use case, an application can also be just fine without an update mechanism.)

- "Arduino.exe" isn't built on an ecosystem that routinely loads 3rd party code from outside sources

And to repeat, I don't think WebUSB in general is a bad idea. I'm arguing the security model should be more restrictive; that's why I suggested:

> I would try to make it work with whitelists and/or restricting the functionality to browser add-ons rather than plain websites.

The browser add-on ecosystem is IMHO a better framework to build something like WebUSB in, but to be fair I haven't spent thought on a more in-depth evaluation of this. Also note that there's good precedent for whitelist systems, e.g. in WinUSB the USB device itself can already do some signalling. (But that doesn't work for older USB devices and has its own can of worms…)



> depending on your OS, an "Arduino.exe" can't even access USB devices without an additional signed driver and/or further administrative privileges

Which OS are you thinking of? WebUSB doesn't need any additional drivers, so if the browser can do it I assume any app can do it.



