
> So the government website now uses JavaScript to connect to 127.0.0.1:12345 using a websocket.

It sounds like random other websites (eBay, etc.) would be able to interact with people's USB devices this way too. Maybe without people knowing?




Yes, if this is programmed badly (missing security or a security hole).

The browser connecting to the government website accesses two servers: the original one and the second local one you install yourself on your system. The local server runs natively and therefore can access the USB device. Like all servers it should be programmed such that misuse by hackers is prevented.


That's already a security hole.

The only thing missing is a rogue website abusing it.

There's no guarantee you will never connect to any rogue website that abuses this government-mandated backdoor.


When JavaScript establishes a websocket connection, it sends its origin URL (I don't remember exactly where, probably that's in the Referer header). So the local webserver can deny connections from unwanted websites.
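
The check discussed in the last comment, as an added example that is not part of the thread: browsers put the page's origin in the `Origin` header of the WebSocket handshake (RFC 6455), and a local helper can refuse any origin that is not on an allowlist. The allowlisted origin `https://portal.gov.example`, the function names and the sample requests are constructed for illustration.

```javascript
// Added example: Origin allowlist check for a local WebSocket helper.
// ALLOWED_ORIGINS is a constructed placeholder, not a real site.
const ALLOWED_ORIGINS = new Set(["https://portal.gov.example"]);

// Parse the header block of a raw HTTP upgrade request into a map of
// lower-cased header name -> list of values (header names are case-insensitive).
function parseHeaders(rawRequest) {
  const headers = new Map();
  const lines = rawRequest.split("\r\n\r\n")[0].split("\r\n").slice(1);
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Decide whether to complete the handshake. Returns {allow, status, reason}.
function checkHandshake(rawRequest, allowed = ALLOWED_ORIGINS) {
  const h = parseHeaders(rawRequest);
  const upgrade = (h.get("upgrade") || [""])[0].toLowerCase();
  if (upgrade !== "websocket") return { allow: false, status: 400, reason: "not a websocket upgrade" };
  const origins = h.get("origin") || [];
  // Non-browser clients may omit Origin; a helper meant for one site refuses those too.
  if (origins.length !== 1) return { allow: false, status: 403, reason: "missing or duplicate Origin" };
  // Exact match only: no prefix, suffix or substring tests, and "null" never matches.
  if (!allowed.has(origins[0])) return { allow: false, status: 403, reason: "origin not allowed" };
  return { allow: true, status: 101, reason: "ok" };
}

// Constructed sample handshake as a browser would send it to 127.0.0.1:12345.
function sampleRequest(origin) {
  return [
    "GET / HTTP/1.1",
    "Host: 127.0.0.1:12345",
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version: 13",
    ...(origin === null ? [] : ["Origin: " + origin]),
    "", "",
  ].join("\r\n");
}
```

The check only covers the handshake; the helper still has to treat every message on an accepted connection as untrusted input.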



