#qi-hardware IRC log for Wednesday, 2015-09-23

01:48 <whitequark> wpwrak: (origin of browser plugin) browser plugins generally can request access to everything
01:48 <whitequark> many do, like adblocker
12:57 <wpwrak> whitequark: hmm yes, plugins could do anything. but would it be easy for them to use such a WebUSB mechanism ? i.e., do interfaces exist for a plugin to a) run JS while b) passing or bypassing the origin test ?
13:00 <whitequark> that has nothing to do with webusb
13:00 <whitequark> I mean... a plugin can request webusb, a webpage cannot
13:00 <whitequark> wait
13:01 <whitequark> "run JS while"
13:01 <whitequark> a plugin IS in javascript, in every major browser
13:02 <whitequark> and webusb is a javascript binding to libusb essentially
13:03 <whitequark> I don't mean plugins in the sense of arbitrary binary code, that's practically impossible to run in modern browsers and for a good reason
13:09 <wpwrak> (plugin is js) oh, i thought they were native code
13:09 <wpwrak> <-- web tech noob here :)
13:11 <whitequark> errr
13:11 * whitequark looks back
13:11 <whitequark> seems I first called it a "browser extension" which is more correct / what people usually say
13:11 <whitequark> and then DocScrutinizer05 called it a plugin
13:11 <wpwrak> so it wouldn't be possible to make a plugin that intercepts login dialogs and then uses HIDAPI (to avoid the need for a dedicated driver on platforms where that's a problem) to talk to anelok ?
13:12 <whitequark> you're right, the proper name for the thing in JS is an "extension" and a "plugin" is something like flash that's in native code
13:12 <whitequark> and you don't want to ship native code
13:12 <wpwrak> (terminology) perfect ;-)
13:12 <whitequark> anyway, from what I know about webusb, it's libusb
13:13 <whitequark> so you don't even need HID. but I don't know what chrome does on windows about it
13:13 <wpwrak> looks like libusb + bureaucracy
13:13 <whitequark> bureaucracy?
13:13 <wpwrak> the procedure to be allowed to access webusb
13:14 <wpwrak> some more usb descriptors, etc.
13:14 <DocScrutinizer05> sorry, no clue at all here. I use names based on what sounds right to me in this case
13:14 <whitequark> ah, yeah
13:15 <whitequark> speaking of login dialogs, you cannot readily determine what is a "login dialog"
13:15 <DocScrutinizer05> and I never heard of WebUSB before
13:15 <whitequark> I would instead add a context menu option "fill in username" "fill in password" since you know the URL
13:15 <wpwrak> plugin + hidapi (or whatever) would still be the way to do it until webusb is widely available, right ?
13:15 <whitequark> no
13:15 <whitequark> shipping plugins is a security risk
13:16 <DocScrutinizer05> wait! I have a weird idea since 3.5s
13:16 <wpwrak> (determine) how does the browser do it ? there must be some hints / heuristics
13:16 <DocScrutinizer05> print page to USB printer...
13:16 <whitequark> everyone who is not completely incompetent about infosec is going to dissuade anyone they know from ever installing any plugins
13:16 <DocScrutinizer05> ctrl-P, select printer 'anelok'
13:16 <wpwrak> so you're saying there is no way without webusb ?
13:16 <whitequark> native app
13:17 <whitequark> (that cannot be poked by a malicious webpage and used to get access to the user's machine)
13:17 <wpwrak> how would a native application intercept login dialogs ?
13:17 <DocScrutinizer05> should work on every browser and OS, no?
13:17 <whitequark> why are you talking about "login dialogs"? there are no dialogs
13:17 <whitequark> and it wouldn't
13:18 <DocScrutinizer05> no plugins or anything needed
13:18 <whitequark> it would just make filling forms easier
13:18 <wpwrak> whitequark: i mean pages that contain a login with a password field. however it's implemented.
13:18 <whitequark> wpwrak: it's not implemented in any standardized way
13:18 <wpwrak> DocScrutinizer05: universality would be nice. but may not be within easy reach at the moment.
13:19 <whitequark> DocScrutinizer05: you got some postscript. what now?
13:19 <whitequark> are you going to run OCR on anelok? doubt it
13:19 <DocScrutinizer05> grep for key strings
13:19 <whitequark> there are no strings
13:19 <DocScrutinizer05> (postscript) depends on printer
13:19 <whitequark> depends on the browser
13:19 <DocScrutinizer05> eeew
13:19 <whitequark> and no browsers send raw text
13:20 <DocScrutinizer05> ok never mind
13:20 <wpwrak> whitequark: i guess one could use a) the heuristics browsers use for this, and b) maybe add an explicit hint that web sites can use. worst-case, call it anelok-* ;-)
13:20 <whitequark> they just take the internal vector model of the page content and send it there
13:20 <DocScrutinizer05> actually it's irrelevant what it sends as long as it has a unique fingerprint
13:20 <whitequark> wpwrak: yes, heuristics is what everything uses
13:20 <whitequark> DocScrutinizer05: it sends vector graphics that has literally none of the information you want
13:21 <wpwrak> if it's good enough for google, it shall be good enough for me ;-) so, how to intercept at the level of those heuristics ?
13:21 <whitequark> no text, no info on what the text field is, no explanation of how to navigate into the field
13:21 <DocScrutinizer05> afk
13:21 <whitequark> and there's still the keyboard layout issue
13:21 <whitequark> wpwrak: you can't
13:21 <whitequark> reimplement them yourself
13:22 <whitequark> you get to inject arbitrary JS into the page + a few privileged APIs
13:22 <whitequark> that's it
13:22 <wpwrak> DocScrutinizer05: (fancy and impractical ways to get at page content) pretend to be USB storage and save the html page on that device (-:C
13:23 <wpwrak> whitequark: reimplementing heuristics sounds okay. so the apis / mechanisms for doing all this exist. good. that's what i wasn't sure about.
13:25 <wpwrak> now ... how to go from there to talking to anelok ? i would equate "plugin" to "native app" for most purposes, including access to libusb / hidapi / etc. the big exception would be that one has an intrinsic link into the browser while i don't know how the other would talk to our login-interceptor.js
13:25 <whitequark> you aren't shipping a browser plugin
13:26 <whitequark> you're shipping an extension. scrape a page, look for username/password fields in forms, show a button in the browser UI. when pressed, send URL to anelok, get back password, fill in ?
13:26 <wpwrak> are they really that reviled ? or is that just your personal opinion ? :)
13:26 <whitequark> they are the single worst offender in web security by a very large margin
13:27 <wpwrak> using what mechanism do i send the URL to anelok ? i.e., how do i get data from the extension (login-interceptor.js) to the usb-attached anelok device ?
13:27 <whitequark> webusb.
13:27 <wpwrak> and if webusb isn't available ?
13:27 <whitequark> then there is no convenient option
13:28 <wpwrak> so, plugin after all, it seems. and webusb as plan A for those who have it.
13:29 <whitequark> that's a moronic strategy. exposing users to a security risk in a security-related device
13:29 <whitequark> though not uncommon in the industry
13:30 <whitequark> on second thought, it doesn't matter, because you can't do that
13:30 <wpwrak> most of the issues of plugins seem to come from them just doing bad things. but a native application would have similar issues. you seem to have said that it was easy for a bad web page to also manipulate the code of a plugin ?
13:30 <whitequark> on windows, plugins are run as "low integrity processes", and on linux they run in a seccomp-bpf sandbox
13:30 <whitequark> essentially
13:31 <whitequark> drive-by malvertising is a very common problem
13:31 <whitequark> you use an ad network to distribute a link to a malware exploit kit. exploit loads plugin, feeds it bad input, escapes from sandbox
13:32 <wpwrak> according to this, plugins are still tolerated in chromium: https://www.chromium.org/developers/design-documents/plugin-architecture
13:33 <wpwrak> let's see what mozilla has to say about them ...
13:34 <whitequark> https://wiki.mozilla.org/Sandbox#Permissions_burndown
13:34 <DocScrutinizer05> wpwrak: (save page) even better
13:34 <wpwrak> plenty of cheerful development advice for plugins: https://developer.mozilla.org/en-US/Add-ons/Plugins
13:42 <whitequark> note that NPAPI (the un-sandboxed API for plugins) was completely removed from Chrome and it's click-to-play in Firefox
13:44 <whitequark> "September 2015
13:44 <whitequark> In September 2015 (Chrome 45) we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins."
13:45 <wpwrak> ah, very recent. https://support.google.com/chrome/answer/6213033?hl=en
13:45 <wpwrak> but there's a new api, PPAPI :)
13:45 <whitequark> PPAPI is sandboxed.
13:45 <whitequark> you cannot even call open() from PPAPI, much less access USB
13:46 <whitequark> the only thing you can do is communicate with the browser via pipes and put pixels in shared memory
13:46 <whitequark> which was the very point of creating PPAPI
13:47 <wpwrak> hmm, there seems to be this: https://developer.chrome.com/apps/usb
13:48 <wpwrak> this is what led me to it: http://stackoverflow.com/questions/19174943/usb-device-access-using-google-native-client-nacl
13:48 <whitequark> that's webusb.
13:48 <wpwrak> not sure what the "NaCl" is they're talking about. i know NaCl as the name of a crypto library, but that seems to be something different
13:49 <whitequark> NaCl is a Chrome-specific way of distributing native code and safely running it in a sandbox
13:49 <whitequark> unless you have large amounts of C you don't want to rewrite, it is of no use to you
13:50 <whitequark> in this case, it doesn't give you any capabilities, you still have to perform the communication using some JS with WebUSB
13:50 <whitequark> since NaCl sits in the same sandbox as PPAPI plugins
13:50 <wpwrak> (chrome.usb == webusb) sure about that ? it looks much simpler
13:51 <wpwrak> it would seem that NaCl has a way to get out of the sandbox, using that chrome.usb API
13:52 <whitequark> um, no, NaCl doesn't have access to that API. it can only talk to JS
13:52 <whitequark> JS however has access to WebUSB
13:52 <wpwrak> yes, but webusb seems to be something brand-new while chrome.usb seems to have been around for a while
13:53 <wpwrak> also, it seems that chrome.usb just requires you to allow USB access while webusb has a lot more paperwork
13:54 <wpwrak> more: https://developer.chrome.com/apps/app_usb
13:55 <roh> i am not sure why anybody sane should allow a browser hw access that way
13:55 <wpwrak> that looks more similar to webusb though. but still without the origins and stuff
13:55 <whitequark> wpwrak: well, yes, you don't care about origins when you're in an extension
13:56 <wpwrak> roh: the high-level objective is to let your browser look up accounts on anelok when you're about to perform a login. how would you implement it then, without the things we discussed ?
13:56 <roh> wpwrak: then you need an api and some driver layer in between.
13:56 <wpwrak> whitequark: ah, that sounds encouraging :)
13:56 <whitequark> wpwrak: on second look I think you're right, chrome.usb is not webusb and I was incorrectly referring to it as such
13:56 <whitequark> I assumed chrome.usb was just webusb exposed to plugins
13:56 <roh> a browser should never have any hw access.. just run it as root if you allow it to access usb.
13:57 <roh> i mean.. it could write to your harddisk then anyhow. so why bother sandboxing anything
13:57 <whitequark> wpwrak: that's actually good news for you, I guess
13:57 <roh> i understand what the idea is. and no. one cannot do that properly and secured in a browser plugin only.
13:58 <wpwrak> this looks encouraging, too: https://github.com/ubinity/webhidapi-firebreath
13:58 <roh> wpwrak: check out how the crypto/account stuff works on browsers and connect that to anelok. so anelok is a crypto-provider for the browser
13:59 <whitequark> roh: no such API to do that
14:00 <whitequark> (which is rather unfortunate, yes)
14:00 <roh> whitequark: huh? how does smartcard stuff work then?
14:00 <whitequark> roh: via a plugin :(
14:00 <roh> whitequark: and it does. i've seen people use it.
14:00 <wpwrak> plugins for the win ! :)
14:00 <roh> no. no 'plugins' in the classic way. it was something native
14:00 <whitequark> and you're lucky if the plugin is not activex
14:01 <roh> whitequark: it worked for every password field and also provided ssl keys
14:01 <whitequark> hm
14:01 <wpwrak> but look at the bright side: if anelok needs to use a particularly dirty mechanism to get its stuff done, that may provide motivation for getting a proper interface from the browser
14:01 <roh> i know who to ask. will do that
14:02 <roh> anyhow.. such a thing is not easy to configure and needs nonstandard software. would not be plug-and-play at all
14:03 <whitequark> I've specifically checked just now and both chrome and firefox use a plugin
14:03 <roh> whitequark: i think it was called 'certificate provider'
14:03 <whitequark> or rather, various plugins from various smartcard vendors
14:03 <roh> and it's really ugly
14:06 <whitequark> ok I see, yes, they do support this via NSS (on linux) and some windows mechanism
14:07 <whitequark> so that would provide you PKCS#11 capability
14:07 <whitequark> but filling a password field means there was /also/ a browser plugin
14:07 <whitequark> e.g. see this issue https://code.google.com/p/chromium/issues/detail?id=42073
14:07 <roh> meh
14:08 <roh> so one needs both?
14:08 <whitequark> I doubt many people using anelok will want PKCS#11 anyhow
14:18 <wpwrak> task cards updated :) https://gitlab.com/anelok/doc/wikis/Task_hidapi https://gitlab.com/anelok/doc/wikis/Task_webusb
14:18 <wpwrak> i love that git-based wiki. takes the pain out of managing wiki content
14:21 <whitequark> you also need to figure out what to do on mobile
14:25 <wpwrak> yes, there it's BTLE. apparently, for HIDAPI, there's no / not much of a difference between USB HID and BT HID
14:26 <whitequark> yes, but I don't know what the status is on accessing BTLE from mobile browsers
14:26 <whitequark> note that *nothing* on mobile has browser plugins
14:29 <wpwrak> apparently, it may not be impossible: http://stackoverflow.com/questions/3960050/how-to-develop-plugins-for-the-native-android-browser
14:30 <whitequark> there's no Android browser anymore on the stock firmware, it's just Chrome
14:30 <whitequark> since... 4.2, I think?
14:30 <wpwrak> yeah, it's from 2010
14:31 <wpwrak> this sounds fairly damning: https://support.google.com/chrome/answer/2710225?hl=en
14:32 <whitequark> the main reason is that some people will deploy shitty plugins that eat tons of CPU and then the people who have to use that complain that Android gets no battery life
14:33 <wpwrak> here (page loads a painful amount of junk), they do it by installing a different browser :) http://www.pcadvisor.co.uk/how-to/google-android/install-flash-on-android-kitkat-smartphone-tablet-lollipop-3417930/
14:33 <whitequark> on my galaxy s ii i've installed the flash plugin while that was still possible. actually opening a flash thing caused my phone to become so hot I could not hold it in my hands
14:34 <wpwrak> ;-)))
14:34 <pcercuei> why would any sane person do that? :o
14:35 <whitequark> some video player required it, I think
14:35 <whitequark> but I uninstalled it pretty much immediately after, it was completely unusable
14:36 <wpwrak> hmm, apparently they even shun extensions: http://www.omgchrome.com/chrome-android-extensions-not-planned-ama/
14:37 <wpwrak> whitequark: that adobe experience was probably a warning: "you're about to make a pact with the devil. here is a quick demo of what to expect. sure to proceed anyway ?"
14:38 <whitequark> the likely reason for that is when chrome adds extensions... the first extension someone implements is an adblocker
14:39 <whitequark> you may want to look into how lastpass on android works
14:40 <wpwrak> hmm. there is a hint: https://helpdesk.lastpass.com/lastpass-mobile/lastpass-for-android/
14:41 <wpwrak> apparently 4.3 did something to make it easier
14:42 <whitequark> ah, 4.3 added exactly an API for autofilling credentials
14:44 <whitequark> hm, looking closer, it appears to be abusing accessibility APIs
14:44 <whitequark> for screen readers and such
14:44 <whitequark> well, close enough
14:45 <whitequark> and LastPass for iOS works by embedding a browser in itself, which it can control, and which shares the cookie storage with the system browser
14:46 <whitequark> that's actually better than I expected
14:46 <whitequark> you'll still have to shell out $100 yearly and go through apple's ridiculous appstore review process
14:51 <wpwrak> (accessibility) do you have a link ?
14:52 <whitequark> your link exactly
14:52 <wpwrak> oh :)
--- Thu Sep 24 2015 00:00