I Can't Believe It's Not WebUSB: Hacking Around the Lack of WebUSB Support in Firefox
In an era where computing platforms seem to be designed with mismatched user expectations, a recent proof-of-concept hack has shed light on the limitations of our current infrastructure. As a maker of widgets, I understand the importance of creating seamless experiences for users. However, the lack of support for WebUSB in Firefox raises questions about the usability and reliability of web-based applications.
WebUSB is often touted as a solution to enable cross-platform development, but its implementation has sparked controversy. The issue lies not only with the technology itself but also with the security measures that come with it. A "security key" is supposed to be a secure device that performs one task and one task only, yet it can run arbitrary code, look like anything, and do so without any security implications.
The lack of standardization in computing platforms has led to the development of workarounds like the USB Rubber Ducky and the O.MG Cable. These devices have highlighted the limitations of our current ecosystem, where there is no clear way for humans or computers to determine whether a device is working against the user's interests or simply as a result of larger forces.
The growth and dominance of the Web has made it easier for developers to deliver software to run on someone else's computer. However, this ease comes at a cost. We have lost something important along the way – the ability to understand what is happening with our computing devices.
As we move forward, it is essential that we focus on creating healthy platforms and ecosystems that cater to both developers and users. Platforms need to be designed with security, usability, and reliability in mind. This requires intentional curation and a willingness to address the gaps in our current infrastructure.
The Hack: Smuggling Data Through ECDSA Signatures
A recent proof-of-concept hack has shown that it is possible to smuggle arbitrary data through ECDSA signatures, which are used to verify the authenticity of digital messages. The hack involves generating dummy ASN.1 structures and packing the actual data inside them.
Chrome appears to check whether the numbers in the signature are within a specific range, but Firefox does not perform this check. By wasting the first byte of each number with the value 0x7f, the hack can generate "valid-enough" numbers that are always positive and less than n, allowing them to pass through the software stack without being detected.
This capability is widely supported in modern browsers without requiring any extraneous setup or configuration. However, it should be noted that this is not a way to access arbitrary USB devices. It only works with devices that are intentionally breaking the rules and can do so because of questionable security models around USB devices.
In conclusion, while WebUSB may seem like an attractive solution for cross-platform development, its implementation raises important questions about usability, reliability, and security. As we move forward, it is essential that we prioritize creating healthy platforms and ecosystems that cater to both developers and users.