Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is a little confused. The idea behind the permissions model is that the browser suite is responsible for mediating access to the hardware. Obviously, yes, you need to give it access to the hardware in the first place for it to do that. If you don't trust the browser as a manager of a hardware abstraction layer, that's fine. But that's the model that Via expects. I don't see how it's any more "creepy" than letting your browser read your camera or microphone or storage.

I can go to https://usevia.app on a locked down employer-managed chromebook and hit my QMK keyboard with no trouble whatsoever. And needless to say I can't touch the /dev nodes at all on this box.



Because the browser interacts with my camera/mic through specific media APIs that don't allow it to flash the firmware.


Uh... you can't "flash firmware" via USB HID. WebUSB in fact does not allow raw access to arbitrary devices, it works with specific defined protocols.


Sorry, you're right. I guess it allows you to just change settings. Still, its unclear what those settings constitute, and how easily a keylogger could be embedded there.


QMK is open source keyboard firmware. Obviously yes, you can install a keylogger. You can't download one via a web app.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: