On Monday, July 14, 2014 2:00:47 PM UTC+3, Gervase Markham wrote:
> On 13/07/14 18:35, Vasilis wrote:
> > Jonas, I would be really interested in your thoughts. Try as we might
> > (in the WebSerial API docs, at least), no one could actually think of
> > a use case where providing access to a physical (RS232), or Virtual
> > (VirtualUSB or VirtualBluetooth) serial port could be a privacy
> > and/or security issue.
> >
> > It's a whole different beast when you provide access for cameras or
> > any USB device, of course, but what could someone do with access to a
> > serial port?
>
> The WebSerial interface doesn't cover the Universal Serial Bus, then?
>
> For USB, the OS has some underlying knowledge of what the device is,
> right? So we could do permissions for USB on a per-device rather than
> per-port basis, which is the right way to do it IMO. But AFAIK that's
> not possible for RS232.
>
> Gerv

Which is the kind of exaggerated security for no real purpose that I mentioned.

The three major OSes give you APIs to access any Serial-Port-like device 
(physical or virtual) in a straightforward manner, because, for all intents and 
purposes, those are Serial ports. Trying to go around this and map devices with 
ports ranges from hard (USB, Bluetooth) to impossible (RS232).

I do agree with Kip, some Serial devices are important and/or dangerous, but do 
we really want to set the security of this based on the idea that someone from 
a government agency and/or industrial plant will use the power plant's 
controlling computer to:
1. Plug in a serial device, like an Arduino
2. Access the Internet
3. Go to a nefarious website
4. Give access to the PLC, and kaboom.

Isn't that a little too much paranoia? Should we have restricted the Camera API 
because someone could have used it on a computer with a spycam, thus leaking 
government info and starting WW3?

Vasilis
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
