posted by martyb on Tuesday February 07 2017, @05:04AM
from the watching-those-who-watch-us dept.

When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites connect to Bluetooth devices and harvest information from them through the browser.

[...Pete] LePage, in the video, says: "Until now, the ability to communicate with Bluetooth devices has been possible only for native apps. With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API." "The Web Bluetooth API uses the GATT protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript."

Let's start with LePage's security-and-privacy claims: what Google means is that the server-to-browser connection is over TLS, and users have to allow connection with a touch or a mouse click. To reiterate: as a user, you have to explicitly grant the remote web app access to your Bluetooth gadgets before anything happens. Then you select a device to pair with the webpage, and away you go. The webpage can filter for devices, so for example, a health site can ask to be paired with gadgets that have a heart rate sensor. A site can't see any device until it is paired.

Source:

https://www.theregister.co.uk/2017/02/05/chrome_56_quietly_added_bluetooth_snitch_api/
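The permission flow the summary describes (user-gesture-gated chooser, service filter, GATT connection afterwards), written out as an added example; this is not code from the article or from Google. It assumes the `bluetooth` object is injected so the same functions run in a browser (pass `navigator.bluetooth` from a click handler) or against a fake, and it decodes the standard GATT Heart Rate Measurement characteristic the article's heart-rate example would receive.

```javascript
// Added example (not from the article or Google's code): the Web Bluetooth
// permission flow described above, plus a parser for the GATT Heart Rate
// Measurement characteristic that a paired monitor sends.
// ASSUMPTION: the `bluetooth` object is passed in so the same code can run in a
// browser (pass navigator.bluetooth from a click handler; requestDevice is
// rejected outside a user gesture) or under a fake object in tests.

// The filter is what the chooser shows the user: only devices advertising the
// Heart Rate service appear, and the page learns nothing about any device the
// user does not pick. Services wanted later must be declared here up front or
// GATT access to them is refused after pairing.
const HEART_RATE_REQUEST = {
  filters: [{ services: ['heart_rate'] }],
  optionalServices: ['battery_service'],
};

// Decode one Heart Rate Measurement value (Bluetooth SIG characteristic 0x2A37):
//   byte 0  flags: bit0 = 16-bit BPM, bits1-2 = sensor contact status,
//                  bit3 = energy expended present, bit4 = RR intervals present
//   then    BPM (1 or 2 bytes), energy (2 bytes), RR intervals (2 bytes each)
// All multi-byte fields are little-endian.
function parseHeartRate(view) {
  const flags = view.getUint8(0);
  let offset = 1;
  let bpm;
  if (flags & 0x01) { bpm = view.getUint16(offset, true); offset += 2; }
  else { bpm = view.getUint8(offset); offset += 1; }
  // Contact bits 0b11 = contact supported and detected.
  const reading = { bpm, contactDetected: (flags & 0x06) === 0x06 };
  if (flags & 0x08) { reading.energyExpended = view.getUint16(offset, true); offset += 2; }
  if (flags & 0x10) {
    reading.rrIntervals = [];
    for (; offset + 1 < view.byteLength; offset += 2) {
      reading.rrIntervals.push(view.getUint16(offset, true)); // units of 1/1024 s
    }
  }
  return reading;
}

// Full flow: the user picks a device in the chooser, then the page connects over
// GATT and subscribes to notifications. Returns the characteristic so the caller
// can call stopNotifications() later.
async function subscribeHeartRate(bluetooth, onReading) {
  const device = await bluetooth.requestDevice(HEART_RATE_REQUEST);
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService('heart_rate');
  const chr = await service.getCharacteristic('heart_rate_measurement');
  chr.addEventListener('characteristicvaluechanged', (ev) => {
    onReading(parseHeartRate(ev.target.value));
  });
  await chr.startNotifications();
  return chr;
}
```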


  • (Score: 0) by Anonymous Coward on Tuesday February 07 2017, @05:56AM (#463914)

    ...as a user, you have to explicitly grant the remote web app access to your Bluetooth gadgets before anything happens. Then you select a device to pair with the webpage, and away you go. The webpage can filter for devices, so for example, a health site can ask to be paired with gadgets that have a heart rate sensor. A site can't see any device until it is paired.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday February 07 2017, @06:10AM (#463918)

      Checkbox overload. OK sixty times. Sixty-one has something about bluetooth? Oops automatically hit 'ok' well I guess it was probably my bluetooth mouse and keyboard that chrome understands shortcuts from, yay.

      • (Score: -1, Troll) by Anonymous Coward on Tuesday February 07 2017, @06:56AM (#463929)

        Oh, but you are so naive, my precious AC!

        probably my bluetooth mouse and keyboard

        Mouse _and_ keyboard? Is that all, AC? (who is probably not AC anymore!) What about, oh, your car? Bluetooth connection. So why are you driving an Audi? Oh! Disposable income and a tendency to watch those movies with Audis in them, like IronMan? Advertising targeted. You are toast.

        More than mouse and keyboard? Do you, perhaps, have a dildo with bluetooth capabilities? Oh, you don't? Well that is information right there. We will sign you up for more ads. (Isn't capitalism wonderful, if you want to be screwed in the ass?)

        And now, you have a bluetooth headset, a bluetooth speaker, a bluetooth anal probe: all of these designed by the originator of the bluetooth protocol, you know, Harald the Bluetooth? Or, wait, it was Microsoft. Bluetooth= Microsoft. Let us sit down for a moment to let that sink in, bluetooth is a Microsoft "standard". And people are surprised it is being turned against them? Well, I am just going to have to send you the Bluetooth stream from my colonoscopy! Enjoy! Better than goatsex, or whatever that was back in the dark ages of the internets.

        • (Score: 2) by c0lo (156) on Tuesday February 07 2017, @07:29AM (#463939)

          Or, wait, it was Microsoft. Bluetooth= Microsoft. Let us sit down for a moment to let that sink in, bluetooth is a Microsoft "standard".

          While you are getting assit, make sure your bluetooth is positioned properly, otherwise it may not go as smooth as you want.

          Origin [wikipedia.org]:
          The development of the "short-link" radio technology, later named Bluetooth, was initiated in 1989 by Nils Rydbeck, CTO at Ericsson Mobile in Lund, Sweden, and by Johan Ullman... Nils Rydbeck tasked Tord Wingren with specifying and Jaap Haartsen and Sven Mattisson with developing. Both were working for Ericsson in Lund.[9]

          Stewardship [wikipedia.org]:
          The specifications were formalized by the Bluetooth Special Interest Group (SIG)... It was established by Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by butthurt (6141) on Tuesday February 07 2017, @11:13AM (#463976)

            The SIG is headquartered in Kirkland, Washington.

            -- https://en.wikipedia.org/wiki/Bluetooth_Special_Interest_Group [wikipedia.org]

            Kirkland is located at 47°41′9″N 122°11′30″W (47.685821, -122.191729). It is bordered to the west by Lake Washington, to the east by Redmond, to the south by Bellevue, and to the north by Kenmore, Woodinville, and Bothell.

            -- https://en.wikipedia.org/wiki/Kirkland,_Washington [wikipedia.org]

            Redmond is commonly recognized as the home of Microsoft and Nintendo of America.

            -- https://en.wikipedia.org/wiki/Redmond,_Washington [wikipedia.org]

            Coincidence detected.

            • (Score: 0) by Anonymous Coward on Wednesday February 08 2017, @11:50AM (#464504)

              Damn, big N is on a roll!
              Not only did they manufacture controllers on their new console for a specific type of hand size that's become quite popular in the USA, but they also managed to move their USA HQ to the place the Bluetooth Group would settle only a few decades later!

    • (Score: 0) by Anonymous Coward on Tuesday February 07 2017, @06:46AM (#463926)

      It's from google. How *won't* it be snitchy?

    • (Score: 1, Informative) by Anonymous Coward on Tuesday February 07 2017, @02:28PM (#464058)

      Anyone who has ever supported Windows users knows that they click OK without ever reading the content, because OK has become the "dismiss" button in Windows.

      Btw, someone posted a screenshot of the "explicitly granting access" dialog, and the "no thanks" button was as easy to find as in the Windows 10 upgrade dialog.

  • (Score: 3, Insightful) by NCommander (2) <michael@casadevall.pro> on Tuesday February 07 2017, @06:58AM (#463930)

    To an extent, I get why this exists, so that people with Bluetooth trackers and such can upload them directly to a website like Fitbit without having to bother to install software. What bothers me is this idea that the web-browser *has* to do everything. My desktop computer has a bluetooth dongle on it so I can use a BT mouse. If I grant access to a website to talk to my BT adapter, it could theoretically find my phone since that's paired and try and do OBEX FTP since my desktop and phone trust each other.

    Users typically click through dialogue boxes; this is a fairly well known fact. So even if the browser says "Website soylentnews.org wants to access your bluetooth adapter", a lot of people are going to say yes. If your phone is also paired to said adapter, you could be fucked over. This type of functionality is why crap like NPAPI (or Chrome PNaCL) existed; so a specific website can install an add-on to a browser to do this kind of crap and not have it so every copy of Chrome in the world is one potential exploit away from downloading crap from your phone. Now that we're in a post-plugin world, any add-on functionality we want has to be part of the browser.

    Why the fuck did anyone think this was a good idea?

    --
    Still always moving
    • (Score: 3, Interesting) by NCommander (2) <michael@casadevall.pro> on Tuesday February 07 2017, @07:00AM (#463931)

      Update: having now actually read the specification, it's limited to BLE GATT profiles. That's *slightly* better since GATT is essentially used to read iBeacons and other locator tags. However, it has a read/write component so a phone can be used to configure with them; I did some freelance work a while ago on implementing this on a microcontroller. Still absolutely braindead. I wish the Mozilla folks would get their heads out of their ass and stop making Firefox suck so I could switch back to it as my primary browser, but I'm not exactly holding my breath on that note anymore.

      (I've tried Pale Moon, but I find it to be rather laggy on Linux. It's OK on Windows).

      --
      Still always moving
      • (Score: 2) by c0lo (156) on Tuesday February 07 2017, @07:34AM (#463942)

        (I've tried Pale Moon, but I find it to be rather laggy on Linux. It's OK on Windows).

        Maybe it's best to look into lynx again? It's the oldest browser still maintained.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by boltronics (580) on Tuesday February 07 2017, @09:44AM (#463959)

        Funny you should mention that. I recently (as in, the last week) switched all my computers over to Pale Moon because Firefox was too laggy.

        Last week at work, I clicked the Firefox launcher icon (Firefox ESR under Debian Jessie on an i7-930 with 24Gb of RAM), waited about 5 seconds, got tired of waiting and clicked on the Pale Moon launcher icon, Pale Moon opened and I typed in the URL, the page started loading and then Firefox finally appeared. At that point, Firefox just had to go.

        Well, that and that they took out Group Tabs and said "use this extension if you want it back", and then shortly afterwards the developer of the extension said he wouldn't be maintaining it anymore due to Mozilla changing the API in a way that would basically require a complete rewrite.

        Also, Firefox Sync is no longer compatible with my ownCloud Sync server (without messing around a lot in about:config at least), whereas Pale Moon uses the better, older Sync method that continues to work just fine. Pale Moon for Android also works fine with ownCloud Sync, whereas Firefox Mobile does not, so I made the switch on my phone too.

        Oh, and Pale Moon doesn't have all of the privacy issues that I previously had to fix every time I installed it - disabling domain security checks, crash reporting, etc. And I don't need to worry about EME extensions and all that nasty DRM in my browser. I've been using Firefox since it was called Phoenix (which was before it was called Firebird). Wish I had tried switching sooner.

        --
        It's GNU/Linux dammit!
      • (Score: 0) by Anonymous Coward on Tuesday February 07 2017, @12:23PM (#463985)

        stop making Firefox suck so I could switch back to it as my primary browser

        What are you using?
        I've recently switched to QupZilla, which I like, but it isn't very stable. I don't really like chromium and Opera isn't open.

      • (Score: 0) by Anonymous Coward on Wednesday February 08 2017, @03:22PM (#464556)

        "Update: having now actually read the specification, it's limited to BLE GATT profiles". Not for long.

    • (Score: 2) by Pino P (4721) on Tuesday February 07 2017, @02:00PM (#464036)

      What bothers me is this idea that the web-browser *has* to do everything.

      The alternative is the status quo: native applications that have to be ported separately to each combination of instruction set and operating system. This usually means Windows only, macOS only, or Windows and macOS. Users of minority operating systems get left out. The same would be true of NPAPI.

    • (Score: 4, Insightful) by DannyB (5839) on Tuesday February 07 2017, @03:07PM (#464077)

      Why the fuck did anyone think this was a good idea?

      Because it will offer some deliciously sweetly addictive features. "Oh, look! I can control Farmville from my phone through my browser on my desktop computer!" (God only knows why) Or, "Look mommy, come down to the basement and see! I can control my LED bulbs from a browser app!".

      It's the old pattern. The first hit is free. Make the magical experience so easy, sweet, pleasantly amusing that they discover they can't live without it. We carry tracking devices in our pockets that can listen and record video without our knowledge. We set up Smart TVs. Webcams. Devices that listen in our homes all the time. "Ok Google, what race of girlfriend should I get to go with a blue decorating scheme?". Or this: "Alexa, did Trump change the white house WiFi password to Mike has a small Pence?". The thing about Amazon Echo is that it even has a convenient privacy / mute button to notify Amazon that you're about to discuss something really really interesting. People have OnStar always listening in their car and now are shocked, shocked I tell you that the government may want to listen in. Or the FBI wanting to listen in on Alexa. Have a wonderful day in the magic kingdom! Just wait until Smart TVs universally have webcams and mic pickups to facilitate video chatting from your living room. It will come, I promise. People are just too stupid. The coolness of the feature will be too appealing to the idiocracy. The appeal to big brother is just too great. Now imagine if the idiocracy were ever to vote a madman into power. I mean a total lunatic clown who can be manipulated and will think his conclusions are actually his own idea and brilliant insight to the problem artfully presented.

      I hope this helps illuminate why web browsers will soon all have bluetooth support. It will enable cool new applications. Some of which may even seem good and improve our lives in some way. That will propel it to success.

      It's fun to watch the dystopian future unfold. (I didn't want to say unravel just yet.) But there has been plenty of talk about foreign powers hacking our elections. Fake news undermines what you can trust, which I think is its true deeper purpose rather than to just spread the immediate fake story.

      Stay asleep as the wheels come off.

      --
      What doesn't kill me makes me weaker for next time.
    • (Score: 2) by DannyB (5839) on Tuesday February 07 2017, @03:18PM (#464081)

      I've been on the lookout for the next JRE since the late 1990's.

      For a long time, for me, it has been the JRE.

      What I want since the mid 1990's and was on a search for the Holy Grail:

      * Platform portability without having to rewrite

      * and the big one: portable GUI across platforms

      * Access to all major platform features

      * High level language, ideally with GC, Lambdas, maybe true closures, etc enabling very high level problem domains

      The JRE pretty much fills the bill.

      Nowadays one can look at Node.js and even Electron to build "native" GUI applications.

      Back in about 2003 I was seriously thinking about OpenOffice.org as my "platform" for building things upon. Browsers were hopelessly inadequate and incompatible (but I had the vision of the potential). But OpenOffice.org really was cross platform and had a portable API and you could, to some extent, build actual GUI applications in it with difficulty. And you could use several languages. But you had to deeply learn the API and push the capabilities to the absolute limit. Even then there were some limits to the custom dialog boxes and windows you could create. The amount of effort wasn't quite worth it. And it didn't have a very good deployment story.

      I also considered XUL. FireFox is open source. It has a good deployment story. You could build a portable application with a native looking UI.

      Now browsers seem to have finally become the portable substrate upon which real, powerful, and performant applications can be built.

      I'm sure I haven't been the only one in this quest for the Holy Grail for building applications. It may not exist. But it seems like it should. So I continue the search for it. It now seems closer than ever. A way to build an application, that is cross platform and doesn't have to be rewritten. Is not tied to a monopolist platform.

      I won't even bring up mobile device applications. Won't even mention it. No, nosiree.

      --
      What doesn't kill me makes me weaker for next time.
    • (Score: 2) by tibman (134) on Wednesday February 08 2017, @04:29PM (#464593)

      I'm just going to blame executable permissions here. Operating Systems are horrible about letting you safely run a native application that you download off the internet. Web browsers have proven to be much better at permitting random people to run executable code in a closed and limited container. Would you trust a random website that was offering *.exe (*.sh or whatever) programs that interfaced with hardware? Hell no! That's why we're going to end up with an OS in the browser. Current OSs can only safely run random programs if you virtualize them and run an entire throw away OS inside of another OS. That's just garbage.

      I agree with you that a plugin should have been the way to go. Even flash is built in though : /

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 2) by Rich (945) on Tuesday February 07 2017, @08:48PM (#464275)

    Heh. Finally a topic where I can reasonably post this comment, of an idea that occurred to me recently after similarly being reminded how fat browsers got:

    We need Browsing as a Service. BaaS. Some lard-assed browser, like recent Firefox or Chrome will sit in the cloud, and be accessed through a thin client that only does display and input. That way, all the light and nimble devices with a meager (tell that to a mainframe op of the '80s...) 1 GB of RAM or so, have access to all the comfort that a modern "full feature" browser provides. And on top of that, the client would never have to care about updating.

    To touch the proper topic, I, purely out of sanity, wouldn't tunnel Bluetooth through said client, though...

    • (Score: 0) by Anonymous Coward on Wednesday February 08 2017, @01:05AM (#464383)

      You should look into X or Wayland...