
Comment by saagarjha

5 years ago

Because then the web process needs access to the USB stack in some way, which is a lot more complicated than simply providing credit card information…

That's an argument for security, less so for privacy, in the sense that the surface area may yield points for exploits.

But the payment stack is also very complicated. It touches everything from the secure enclave up to the Merchant over the network.

And if accessing the USB stack is bad, then doing it from a native app is bad too. The Web execution environment is more isolated and abstracted than the native app SDK; see https://blog.zimperium.com/dr-jekyll-and-mr-hide-how-covert-... for an example of live malware getting past the app review process and accessing geolocation and other things to fingerprint.

My computer has never, in at least the last 15 years, been infested by usage of Web APIs. Since the time of Firefox and Chrome taking over from IE4-IE6, I have been free of exploits. It's fair to say that the web is used by billions of people, and for the most part, large scale carnage using browser vectors has been limited.

I don't think your conclusions are based on actual security researcher threat modeling, but more about an implicit bias against Web apps and towards native.

  • > That's an argument for security, less so for privacy, in the sense that the surface area may yield points for exploits.

    Fair, but I hope you agree that both are something we should care about. The privacy argument is generally the fingerprinting one.

    > But the payment stack is also very complicated. It touches everything from the secure enclave up to the Merchant over the network.

    Yes, but not at the actual level that the web process would have to deal with. There’s a huge difference between “can I have a credit card number” and “can I DMA” from the web process. (I would assume WebUSB does something saner than that, but it would still be copying a lot of bytes around security boundaries with parsing going on.)

    > My computer has never, in at least the last 15 years, been infested by usage of Web APIs. Since the time of Firefox and Chrome taking over from IE4-IE6, I have been free of exploits. It's fair to say that the web is used by billions of people, and for the most part, large scale carnage using browser vectors has been limited.

    Well yes, but of course such attacks are typically used against a dozen journalists in a repressive country, and not you, a Google engineer in what I would assume is a moderately comfortable situation in comparison ;)

    > I don't think your conclusions are based on actual security researcher threat modeling, but more about an implicit bias against Web apps and towards native.

    Bias towards native noted, bias towards security research also a thing I think I may have ;)

  • Go to a senior living facility and check out the permissions on each user's Chrome install. Web API abuse is rampant, the notifications API will be full of spammers. Ten malicious Chrome extensions are installed that are for "maps and directions" but hijack your home page and search default.

    The Chrome team has done a terrible job at understanding how less technical users interact with their browser and how to keep them secure.

    My senior citizen support checklist is editing their Chrome shortcut to always launch without extensions, and block all new requests for notifications, location, camera, microphone, etc. (Switching browsers is better, but generally seniors prefer their computers don't change much, so I'll usually carry forward the browser they already have.)
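The lockdown checklist in the comment above can be done once, centrally, with Chrome's own managed-policy mechanism instead of per-site clicks. The script below is an added example, not the commenter's own procedure; it assumes Linux, where Chrome reads JSON policy files from /etc/opt/chrome/policies/managed/ (the same policy names apply on Windows under the registry key HKLM\Software\Policies\Google\Chrome and on macOS via a managed preferences plist). The file name senior-lockdown.json and the audit function are mine.

```shell
#!/bin/sh
# Added example: lock down a shared Chrome install with enterprise policies.
# Assumes Linux paths; policy names are Chrome's documented ones.
set -eu

# Write a managed policy file into DIR.
# Content-setting values: 1 = Allow, 2 = Block, 3 = Ask. "*" in
# ExtensionInstallBlocklist blocks installing any extension and disables
# ones already installed; the capture booleans cut camera and microphone.
write_chrome_lockdown_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/senior-lockdown.json" <<'EOF'
{
  "DefaultNotificationsSetting": 2,
  "DefaultGeolocationSetting": 2,
  "VideoCaptureAllowed": false,
  "AudioCaptureAllowed": false,
  "ExtensionInstallBlocklist": ["*"]
}
EOF
    printf '%s\n' "$dir/senior-lockdown.json"
}

# The shortcut edit from the comment: same binary, plus --disable-extensions.
# Prints the Exec line to paste into the .desktop file or Windows shortcut.
chrome_launch_command() {
    printf '%s\n' "google-chrome --disable-extensions"
}

# Audit a policy file on a machine you did not set up: prints one line per
# expected key and returns non-zero if any lockdown key is missing.
audit_policy_file() {
    file="$1"
    missing=0
    for key in DefaultNotificationsSetting DefaultGeolocationSetting \
               VideoCaptureAllowed AudioCaptureAllowed ExtensionInstallBlocklist; do
        if grep -q "\"$key\"" "$file"; then
            printf '%s=set\n' "$key"
        else
            printf '%s=MISSING\n' "$key"
            missing=1
        fi
    done
    return "$missing"
}

# Usage on the target machine (as root):
#   policy=$(write_chrome_lockdown_policy /etc/opt/chrome/policies/managed)
#   audit_policy_file "$policy"
#   chrome_launch_command
```

After the file is in place, chrome://policy on that machine lists the applied keys and flags any it rejected, which is the quickest check that the lockdown actually took effect. Policies override per-site grants the user already clicked through, which is what makes this preferable to cleaning up the permissions list by hand.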