hngopher.com

       [HN Gopher] New Attack Shows Risks of Browsers Giving Websites A...
       ___________________________________________________________________
        
       New Attack Shows Risks of Browsers Giving Websites Access to GPU
        
       Author : LinuxBender
       Score  : 18 points
       Date   : 2024-03-18 18:34 UTC (4 hours ago)
        
 (HTM) web link (www.securityweek.com)
 (TXT) w3m dump (www.securityweek.com)
        
       | superkuh wrote:
       | Websites are at least supposedly sandboxed so they are not as
       | much of a risk as running native binaries. But this is getting
       | worse and worse though as browsers expose more and more of their
       | host operating system's functionality. The benefits of using a
       | website instead of a native application are quickly disappearing,
       | while the drawbacks have only been somewhat mitigated. We're
       | getting to the point where browsers are worthy of the decades old
       | criticism Emacs has received. They have eventually become an OS
       | with many fine features - simply lacking a good web browser.
        
         | jeroenhd wrote:
         | I don't necessarily have a problem with technologies like
         | these, but it irks me that they're all being enabled without
         | proper security prompts. Accessing GPUs/USB devices/MIDI
         | devices should come with the same security boundaries
         | downloading executables comes with, at least until sandboxes
         | catch up.
         | 
         | WebUSB is pretty great when it's used for the right things
         | (updating the Google Stadia controller, flashing ESPHome, that
         | sort of thing) so I sort of see the value in that, but the
         | risks of these technologies are being ignored, especially on
         | the GPU side. GPUs are absolutely terrible at separating
         | application code because they're designed for performance above
         | all else.
         | 
         | Is a security warning for this stuff really that much to ask?
         | Surely, clicking OK on the two or three websites that actually
         | have a use case for WebGPU should be an acceptable trade-off?
        
       | hulitu wrote:
       | > New Attack Shows Risks of Browsers Giving Websites Access to
       | GPU
       | 
       | Just don't tell them about USB, ok ? /s
       | 
       | Some people never learn.
        
         | jeroenhd wrote:
         | WebUSB exists, but requires explicit permission to a specific
         | device. I'm still not entirely comfortable with exposing that
         | kind of API to people who have no idea what USB even is, but
         | it's a lot safer than WebGPU.
        
         | 1oooqooq wrote:
         | or midi, and god forbid exploit some bug in a local only 30yr
         | old sound driver
        
       ___________________________________________________________________
       (page generated 2024-03-18 23:01 UTC)