Chromium devs want the browser to talk to devices, computers directly via TCP, UDP. Obviously, nothing can go wrong

Google's Chromium team has proposed a way to allow web apps to establish direct TCP and UDP network connections, a powerful capability that could complicate web security. The Raw Sockets API, which may end up being renamed the Direct Sockets API, represents an attempt to give browser apps networking capabilities that aren't …

  1. Shadow Systems

    "Obviously, nothing can't go wrong."

    If you need me, I'll be hiding aboard this Vogon ship leaving the ZedZedPluralZedAlpha quadrant...

    1. BenM 29

      Re: "Obviously, nothing can't go wrong."

      >>ZedZedPluralZedAlpha

      I would have upvoted apart from your deliberate mistake... ZedZedNinePluralZedAlpha is the sector I believe you were looking for. I can't believe the 42+4 upvoters didn't spot that and yes, my towel is currently hanging on the towel rail in the bathroom...

  2. Anonymous Coward

    I choose the clients...

    I choose the clients that can connect to specific protocols. I'm not going to run a client where it allows anyone else to decide on my behalf.

    1. John Brown (no body) Silver badge

      Re: I choose the clients...

      ...at least not until said client is the only option because all the browser makers have followed suit. Although hopefully some decent blocking add-ons might be available by then.

      1. DS999 Silver badge

        Re: I choose the clients...

        Apple has refused to implement some of Google's ridiculous crap like web interfaces for Bluetooth and GPS, so I hope they will refuse to implement this (or at least leave it off by default). But Safari is really only a solution for Mac and iOS users; the PC/Android crowd needs an alternative to Google's embrace/extend of the web.

        Firefox really needs to stand up to this and start positioning itself as the more secure and more privacy protecting alternative to Chrome. The ship has sailed as far as it competing head to head as "best browser" now that Microsoft has sold out and PC users are getting it from both directions. So stop following Google's stupid attempts to reimplement ActiveX in all its glory and start saying no to stupid web extensions - and alert the user somehow when a web page is trying to use these facilities so they know Firefox is preventing their use.

    2. CrazyOldCatMan

      Re: I choose the clients...

      I believe the phrase is:

      No. Hell, no.

  3. 759b954e-617b-408b-a2b1-f5a42c3688d4
    Stop

    Yeah. Nope.

    See title.

  4. Anonymous Coward

    It will certainly be shoved down our throats

    Because there's money to be made here.

    1. alain williams Silver badge

      Re: It will certainly be shoved down our throats

      Lots of money by those purveyors of malicious javascript. I don't have as much of value to be stolen as Experian but NoScript is staying activated in my browser.

    2. bombastic bob Silver badge
      Trollface

      Re: It will certainly be shoved down our throats

      I think a different orifice will be involved... (ouch, even the thought of it makes it hard to sit)

  5. brotherelf

    "Like WebUSB, WebMIDI and WebBluetooth, …"

    at that point in the sentence, you should have become vvvverryyyy suspicious. And I say that even though I would probably benefit from the new API.¹

    Also, what's this "[the API] will come with a higher barrier to use [than asking nicely]"? Are we seeing another step to Appstorification of the free and equal interwebs? "Yes, we have that API, but you can only use it from vetted code that you download through our AMP AppstoreMoneyProgram. This ensures your libraries and page will load quickly from our CDN, wherever in the world your users are. We even include 5000² free³ downloads every month⁴."

    ¹ because as soon as lethargy leaves me, I will write an homage to BarcodeBattler that uses TLS certificate data, and you can't introspect that from Javascript.

    ² subject to change ³ 49.99 setup fee; developer membership required ⁴ offer valid until September 9852, 1993

    1. Ben Tasker Silver badge

      Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

      > Like WebUSB, WebMIDI and WebBluetooth, …

      Yep, that bit screamed "OH FUCK" at me too. 3 things that I've gone out of my way to try and nobble in the browser to make sure that sites can't use them in the first place.

      There have been a handful of times I've had a need/desire to be able to do non-HTTP connections in javascript (usually, needing to do some kind of DNS resolution and capture the full response rather than the actual result).

      I'm not sure it's worth it though - the "mitigations" they've put in place make the workflow inconvenient, so wouldn't fit what I need (it'd need explaining to distant end-users), but without the mitigations the whole spec is a *massive* ball of fire.

      1. Anonymous Coward

        Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

        Yep. If I wanted a browser-OS, I'd use ChromeOS. You can't simply shoehorn a browser into doing everything!

        1. IGotOut Silver badge

          Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

          Tell Google that

        2. John Brown (no body) Silver badge

          Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

          "Yep. If I wanted a browser-OS, I'd use ChromeOS. You can't simply shoehorn a browser into doing everything!"

          It does look as if the endgame here for The Goog is an appliance with the absolute bare minimum of OS under the browser, just enough to run it, and everything else is a webapp.

          1. doublelayer Silver badge

            Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

            It hasn't worked so far--their Chromebooks keep gaining new features for some level of Android or Linux compatibility because people have realized that a computer that runs most things beats a computer that only runs a browser. Why do they want this so much anyway--they could just make Android laptops (just add more keyboard support) and get users to hand over all their data that way. It seems to me that if they want to capture all our data, they don't have to do so much work to try to force a limited OS on us when they've already got one that people use.

        3. Strahd Ivarius Bronze badge

          Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

          The ultimate goal is to be able to run Fortnite in Google Chrome.

          Oh, wait...

    2. hnwombat
      Pint

      Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

      I would love to have given you +10 upvotes for using the correct calendar system.... instead, here's a virtual beer on me.

      1. katrinab Silver badge
        Flame

        Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

        Correct calendar systems are:

        2020-August-24, if you use big endian - this is my preferred format,

        or 24 August 2020, if you use a sort of mixed/little endian,

        August 24, 2020 makes no sense at all.

    3. bombastic bob Silver badge
      Black Helicopters

      Re: "Like WebUSB, WebMIDI and WebBluetooth, …"

      waiting for "WEB pacemaker" and "WEB medicinal pump". And don't forget "WEB autopilot for your self-driving car"

      yeah no security issues THERE...

      (there was this one Dr. Who episode where the cars were trying to kill people...)

  6. -tim
    Facepalm

    Is "No" ok with you?

    I don't want to firewall every host on the network in their own little bubble but it looks like that time is here.

    I like the idea of the dialog box. Can they add that to "This web page wants to load external Javascript. Please enter all the remote sites that it is allowed to talk to"? I would be ok with that. Add the same thing for cookies.

    1. ThatOne Silver badge
      Devil

      Re: Is "No" ok with you?

      > I like the idea of the dialog box

      Which will be something along the lines of "Click here to access our supercool content!!!", and will be subsequently implicitly valid for every other connection, site and app. The "refuse connection" link will be hidden in 1-pixel height letters of background color, and will prompt you "Click here if you're really that big a loser (and want to die alone)" before grudgingly accepting your choice for a day or two.

      Sorry, in plain honest English that dialog box can only say "Click here if you blindly trust the internet".

    2. Corporate Scum

      Re: Is "No" ok with you?

      Though in this case I think the dialog will both fail because too many users will just enable it anyway, while also failing because people who were supposed to turn it on were like "what's an IP address?"

      and as those above commented, the line about regular application software being the real attack surface is utter cow flop. A raw socket coming from an arbitrary web page that is indistinguishable from a standard web request to the OS and firewall software is obviously a huge risk. Crap software with network access still has to be installed on the system, for which we have pretty good tools and methods to work with.

      Chrome should stop trying to build a universal rootkit interface and work on keeping one ad on one tab from using 90% of your system resources and draining your battery. If they can lay that problem to rest, they may have a shred of credibility to add even more low level browser access.

  7. amanfromMars 1 Silver badge

    The Browser is the Operating System. Be You a Vital Cog for ITs AI or just Chaff

    It essentially allows the browser to talk directly to devices and other computers via the network.

    So practically the same as happens here on El Reg with virtual machinery talking to humans and advising them of future surreal developments, which they may or may not be equipped to understand and assist with? That's nothing new and novel.

    1. Steve K Silver badge

      Re: The Browser is the Operating System. Be You a Vital Cog for ITs AI or just Chaff

      virtual machinery talking to humans

      Which one are you...?;-)

    2. Yes Me Silver badge
      Thumb Down

      Re: The Browser is the Operating System. Be You a Vital Cog for ITs AI or just Chaff

      As we know very well, all problems in computer science can be solved by an extra level of indirection. Which means in this case that all the security crap you know and love (firewall, access control lists, certificates, crypto algorithms, switching from TCP to TLS1.3, from UDP to DTLS, need I go on?) -- all of it -- will have to be duplicated in the browser.

      So isn't this just a way of helping along the plan for Chrome to take over the universe?

  8. revenant

    I have a bad feeling about this

    It essentially allows the browser to talk directly to devices and other computers via the network.

    As if we don't already have enough web-based dodginess to worry about.

    The Twitter discussion between King and Schuh is interesting; King has clear concerns borne out of experience and, while Schuh attempts to allay those concerns, it is apparent that his own concerns haven't been fully taken on board in the proposals. Hence the suggestion that King should get onto Github with hers.

    My overall impression is that this is a potentially useful development for those who know what they're doing but a very dangerous one for the average user.

    Perhaps the whole api should be delivered disabled by default, with a high barrier to enabling it (a hidden config setting would probably do it). Then those that can handle it safely can have it while the rest are blissfully unaware of its existence.

    1. Ben Tasker Silver badge

      Re: I have a bad feeling about this

      What's really scary, is if you look at the issue list, amongst the few open issues - there's already requests on there to "break" standing security practices:

      - https://github.com/WICG/raw-sockets/issues/19 - it'd be useful if this bypassed/ignored CORS

      - https://github.com/WICG/raw-sockets/issues/14 - suggesting the spec will allow connection to port 25 to send mail

      It gives some idea of what (some) people are already hoping to use this for - the first is a guy who wants to scrape content from sites (reddit etc) that are using CORS to try and prevent exactly that.

      <grumble>Nothing good can come of this insanity</grumble>

      1. ThatOne Silver badge
        Devil

        Re: I have a bad feeling about this

        .. and the second is clearly somebody who wants to easily send his bulk emails from clueless users' computers...

        I've been hearing for ages that "email is dead", not to mention there are heaps of email apps out there, why on earth would anybody need to send mail through a browser app? There might definitely be some isolated edge case where this might be vaguely desirable, but it definitely doesn't justify the obvious eagerness to create yet another spam vector.

        This is pure, unadulterated feature creep, and I'm not surprised that it comes from a company whose biggest concern is marketing its users. All I've seen is aimed specifically at breaking barriers users might put up to reduce spying telemetry. I've yet to hear about a feature I (simple standard user) would need (or even just like).

        1. Doctor Syntax Silver badge

          Re: I have a bad feeling about this

          "This is pure, unadulterated feature creep"

          Creep? Headlong gallop. To be followed, if it happens, by belated closing of stable doors.

      2. Doctor Syntax Silver badge

        Re: I have a bad feeling about this

        "- https://github.com/WICG/raw-sockets/issues/14 - suggesting the spec will allow connection to port 25 to send mail"

        There used to be a saying that no application was mature until it included an email server.

    2. DS999 Silver badge

      "Useful for those who know what they're doing"

      Just about anything is useful for those that know what they are doing.

      An interface to alter engine timing while you are driving, useful if you know what you are doing. An interface to override coolant flow in a nuclear reactor, useful if you know what you are doing. For the latter, there might not be anybody who REALLY knows what they are doing well enough to fuck with it, but that wouldn't stop people who WRONGLY believe they know what they are doing well enough to do so.

      This should not be the bar for adding a capability to a browser that is enabled by default. The bar for adding something to a browser that is enabled by default should be "will this enable new classes of malware and make the problem of malicious web pages larger than it is today?" and unless you can answer "no" it should NOT be added, or if it is, it MUST always be disabled by default and appropriate warnings shown if you try to enable it. Just like stuff like a web interface to bluetooth or GPS should NOT be added, or if they are MUST blah blah blah.

      Google just wants to destroy the world.

    3. Doctor Syntax Silver badge

      Re: I have a bad feeling about this

      "a potentially useful development for those who know what they're doing"

      Just because you can do something doesn't mean you should. Even if you think you know what you're doing.
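The argument running through this item (Corporate Scum's point that a page-controlled socket looks like any other request to the OS, Yes Me's point that the browser's existing checks would have to be rebuilt, and Ben Tasker's two linked issues about CORS and port 25) in working code. This is an added example, not code from the article, the commenters, or the Chromium proposal: it models the CORS response-read check and the bad-port refusal that fetch() normally applies on a page's behalf, and shows the request a page could assemble byte for byte if handed a TCP socket, which goes through neither. The host names, origins, and the trimmed bad-port list are assumptions for illustration.

```javascript
// Added example, not from the article or the Chromium Direct Sockets proposal.
// Models two browser-side checks that page script hits today with fetch(), and
// what a page could send if it were given a raw TCP socket instead.
// Header names are lower-cased, as Node's http module presents them.

// Subset of the Fetch standard's "bad port" list (the full list is longer);
// fetch() refuses to connect to these at all. 25 is the one issue #14 asks for.
const BAD_PORTS = new Set([21, 22, 23, 25, 110, 143, 465, 587, 993, 995]);

// Would fetch() refuse to open a connection to this port?
function fetchBlocksPort(port) {
  return BAD_PORTS.has(port);
}

// CORS read check, as the Fetch standard specifies it: page script may read a
// cross-origin response only if Access-Control-Allow-Origin is "*" or the
// exact page origin; "*" is rejected when credentials (cookies) were sent,
// and credentialed reads also need Access-Control-Allow-Credentials: true.
function corsAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders['access-control-allow-credentials'] !== 'true') {
    return false;
  }
  return true;
}

// What page script could push down a raw TCP socket: an HTTP/1.1 request it
// assembled itself. No Origin header, no preflight, no port check; the bytes
// are whatever the page chose.
function buildRawHttpRequest(host, path) {
  return `GET ${path} HTTP/1.1\r\nHost: ${host}\r\nConnection: close\r\n\r\n`;
}

// The server's view: which origin made this request? fetch() stamps an Origin
// header on cross-origin requests; the hand-built request above carries none,
// so the server (and a host firewall watching the browser process) cannot tell
// it from a request typed into the address bar.
function originSeenByServer(requestText) {
  const [head] = requestText.split('\r\n\r\n');
  for (const line of head.split('\r\n').slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() === 'origin') {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Hypothetical origins and responses, constructed for the example.
const scraperPage = 'https://scraper.example';
const forumResponse = { 'content-type': 'text/html' };            // no ACAO header
const publicApiResponse = { 'access-control-allow-origin': '*' };

// fetch() from the scraper page: the forum's HTML is fetched but never handed
// to script; a public API with ACAO: * is readable; port 25 is never reached.
console.log('forum readable via fetch:', corsAllowsRead(scraperPage, forumResponse));
console.log('public API readable via fetch:', corsAllowsRead(scraperPage, publicApiResponse));
console.log('fetch() blocks port 25:', fetchBlocksPort(25));

// A raw socket: the page builds the request itself and the server sees no origin.
const raw = buildRawHttpRequest('forum.example', '/r/all');
console.log('origin the server sees on the raw request:', originSeenByServer(raw));
```

The two functions are not the browser's code; they are the spec rules restated, which is enough to show the point: every line of protection here lives in fetch(), and a socket the page drives directly inherits none of it unless the sockets spec re-implements each rule, which is exactly what the two linked issues ask it not to do.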

  9. Steve Davies 3 Silver badge

    Brilliant

    Now that web safety has been completely solved,

    That sentence needs to go down in El Reg history.

    That aside, there is a reason why Chrome is banned from my network. Anyone in the IT world would see the Grand Canyon-sized holes in this idea.

    Google really have lost the plot unless it is all part of their next generation slurping system.

    1. jake Silver badge

      Re: Brilliant

      "Google really have lost the plot"

      They haven't even read the CliffsNotes[0] from what I can tell.

      They see that familiar black & yellow "under construction" sign, and all they comprehend from that point forward is the Almighty Buck .... and fuck everyone and everything that they trample in its pursuit.

      [0] That'd be Cliff's Notes if you are my age ...

  10. PeeKay
    Black Helicopters

    Trustworthy?

    Justin Schuh has a 'past life in USMC/NSA/CIA' - not sure this guy is entirely trustworthy - is it no wonder they want access to internal devices?

    This will end with Chrome and its derivatives being banned from my networks.

    1. oiseau Silver badge
      Stop

      Re: Trustworthy?

      "... not sure this guy is entirely trustworthy ..."

      Not sure?

      Are you sure about that?

      O.

      1. VicMortimer

        Re: Trustworthy?

        Not Sure would definitely be more trustworthy than Trump.

    2. IGotOut Silver badge

      Re: Trustworthy?

      "This will end with Chrome and its derivatives being banned from my networks."

      So Safari then?

      1. DS999 Silver badge

        Re: Trustworthy?

        Or Firefox.

    3. Anonymous Coward

      Re: Trustworthy?

      "This will end with Chrome and its derivatives being banned from my networks."

      I did that years ago.

      For the users where I wasn't allowed to ban it, I had a little script I liked to call fuckchrome. Stick it on their machines, and they'd have a random amount of time from 30 seconds to 15 minutes after launch before Chrome would crash. They knew better than to come to me to complain about it, because all that would get them was a "I told you not to use that garbage."

      1. Yes Me Silver badge
        Unhappy

        Re: Trustworthy?

        They (Google) don't care about your users. They care about the mass market, which is where they collect the private information that makes advertisers super happy.

        I was forced only the other day to fire up Chrome, by a video streaming site that simply told me that my other browser was no good. Also because using Chromecast except from Chrome is a bust. So they got a bit more of my private life into their machine learning system.

        1. hnwombat

          Re: Trustworthy?

          Of course they don't care about the users. The users are the *product*, not the customer.

        2. John Brown (no body) Silver badge

          Re: Trustworthy?

          Chrome is the modern IE6.

          "Best viewed using Chrome - because we use "features" of Chrome that no other browser has and are used right at the start of the page render so royally fucking up page display in any other browser."

        3. jake Silver badge

          Re: Trustworthy?

          "I was forced only the other day to fire up Chrome"

          Forced? Were they holding a gun to the head of your firstborn or something?

          Or do you mean "I had to because SHINEY!!!!1!"?

          1. doublelayer Silver badge

            Re: Trustworthy?

            "Forced? Were they holding a gun to the head of your firstborn or something?

            Or do you mean 'I had to because SHINEY!!!!1!'?"

            Well, I wasn't that person, and I haven't been forced to run browsers for a while, but maybe it was one of those services that it's not that easy to avoid. For example, services where you have to submit paperwork that your employer or government is asking for. Those sites have a distressing tendency to demand one browser, and while they sometimes work in other ones, sometimes they just don't. You could hope that the system concerned has a mail or fax option (if you don't mind printing things and waiting a week for the post and two or three for someone to pick it up and process it), but otherwise you're a little forced to use what they're asking you to use. Not deadly force, but force nonetheless.

            1. jake Silver badge

              Re: Trustworthy?

              The person I was responding to was forced "by a video streaming site". SHINEY!!!!

              As for your argument ... When I run across government sites that don't allow me to use my browser of choice, I simply tell them that their broken software doesn't run on my machine, please give me the alternatives that are available by law under 42 U.S.C. § 12101 ... either that, or they can ship me a machine that'll run the broken code. It might take a week or three, but I have plenty of time.

              To date, I have never been penalized. It's their fault that their system is broken, and they know it.

              If you just sit and take it, eventually they won't let you sit anymore. But that's OK, because you probably won't feel like sitting after taking it long enough ...

        4. AVee

          Re: Trustworthy?

          True. And this shows that this level of control was the real reason they wanted to get rid of plugins like Flash and Silverlight in the first place. If you try to replicate all functionality of those plugins right in the core of the browser you will run into all the same issues. And Google sure seems to be eager to do that...

    4. jake Silver badge

      Re: Trustworthy?

      You mean you haven't banned Chrome yet? Why ever not?

  11. chivo243 Silver badge
    Holmes

    No Chromium for my friends at the bar

    I got a bad feeling about this one, keys to the kingdom anyone?

Biting the hand that feeds IT © 1998–2021