Slashdot Mirror


Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com)

Jon Fingas, writing for Engadget: Don't look now, but your web browser is about to become aware of the devices around you. After months of testing, Google has switched on broader experimental support in Chrome and Chrome OS for Web Bluetooth, which lets websites interact with your nearby Bluetooth gear. You could use a web interface to control your smart home devices, for instance, or send data directly from your heart rate monitor to a fitness coach. At the moment, trying Web Bluetooth requires the stars to align in just the right way. You'll need a pre-release version of Chrome 53, and you'll naturally want to find (or create) a website that uses the tech in the first place.

21 of 151 comments

  1. Do not want by Anonymous Coward · · Score: 5, Insightful

    Please stop this.

    1. Re: Do not want by tepples · · Score: 2

      Google's page about this new feature states that a site cannot use Bluetooth until the user clicks:

      User Gesture Required

      As a security feature, discovering nearby Bluetooth devices with navigator.bluetooth.requestDevice must be called via a user gesture like a touch or mouse click.

      Did you click to enable "porn ads blasting out of your sound bar"? Did you click to enable "your Skype chats being intercepted by blackmailers"? Did you click to enable "websites that can keylog your friend's BT keyboards"?

    2. Re:Do not want by internerdj · · Score: 2

      On the other hand, every website in the %#@*ing world wants me to use their terrible app and put their greedy little fingers in my phone rather than let me use their mobile capable website. If this means companies will start relying on browsers again, bring it on and give me more.

  2. No, it won't by somenickname · · Score: 2

    "Don't look now, but your web browser is about to become aware of the devices around you."

    No, it will not do that and it will never do that. Because that's a terrible fucking idea.

  3. Re:If not web, then what OS-independent platform? by TheGratefulNet · · Score: 4, Insightful

    yes.

    I won't accept a browser that should be SAFE, touching things it should not.

    another example of the google children not thinking deeply about what they are doing. simply just doing because they CAN rather than because they SHOULD.

    if google is behind it, chances are it's invasive and not in your best interest, more often than not.

    sigh......

    --
    "It is now safe to switch off your computer."
  4. Nope! by ilsaloving · · Score: 2, Insightful

    All aboard the nope-train to nopeville!

    Apparently no one at google ever saw Jurassic Park, or they would know that scene with the line "Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should."

    The internet is a cesspool of fetid, rotting miasma, and you want it to be able to control real world things with no managed server in between? Are they really that thoughtless? Apparently they are!

    1. Re:Nope! by TheGratefulNet · · Score: 2

      this proves it, time and time again, that CHILDREN are running google

      "hey, neat-o! let's do THIS. and THIS. annnnnnd THIS."

      yeah, children who don't understand that because you can does not mean you should.

      they are totally out of control and mgmt seems to not care. or, mgmt is also filled with twentysomethings who are too new to the world to really get what the implications are of their actions.

      I wish some adults would be in charge of this IoT madness, for a change.

      --
      "It is now safe to switch off your computer."
  5. Re:If not web, then what OS-independent platform? by TheGratefulNet · · Score: 4, Insightful

    I can choose NOT to run a closed-source app.

    how do I know that my browser is not doing bad things behind my back? I have a browser open all the time, as do most. that, alone, makes this idea super stupid.

    if I choose to run a BT app, I'll run one that I trust. and I'll end it when I'm done.

    I have zero need for linking in vmlinux to a FUCKING BROWSER and making the fucking thing bootable. given time, the children at google will want to do that, too.

    oh, and systemd needs to be mixed into this somehow. I feel it will be more complete if they do that (lol).

    --
    "It is now safe to switch off your computer."
  6. Problems with BT & Chrome OS on Multiple Devic by mykepredko · · Score: 4, Interesting

    I have been taking advantage of the BT (SPP/RFCOMM) operation in Chrome and ChromeOS for a while now on a variety of devices and for the most part it works quite well. My app is a Chrome App (Extension) in which the code is written in JavaScript.

    Unfortunately, when you have multiple ChromeOS systems (i.e. Chromebooks) connected to BT devices simultaneously, you experience some weirdness (previously paired devices not being found with an "undefined" error and requiring several connection attempts as well as connections failing after a few minutes). I'm working at figuring out what the problem is.

    The Chrome.Bluetoothsocket discover and connect APIs will find, pair and connect devices quite nicely on all Windows and Linux systems but not Macs. Macs require going into "System Preferences" and pairing your device beforehand. Linux requires something like Blueman to be installed and works reasonably well.

    This could provide some interesting functionality, but I suspect there will be problems with the first implementations along with the issues listed above. It will probably be solid in 2-3 releases (4 to 6 months) after multiple users have identified issues with it.

  7. HTTPS only. Again. by tepples · · Score: 3, Interesting

    Another day, another new web API that's impractical to test across a home or small office LAN, just like Service Workers before it.

    you'll naturally want to find (or create) a website that uses the tech in the first place.

    I have one machine on my home LAN that I want to use as a server, and another machine that I want to use as the client. But from Google's page about this new feature:

    HTTPS Only

    Because this experimental API is a powerful new feature added to the Web, Google Chrome aims to make it available only to secure contexts. This means you’ll need to build with TLS in mind.

    It recommends running python -m SimpleHTTPServer on localhost. But that fails if the web server and web browser are running on separate machines, which might be the case if the machine that you are using as a web server to test your app, such as a Raspberry Pi board, is incapable of running Google Chrome or incapable of connecting to Bluetooth devices.

    I personally enjoy GitHub Pages for demo purposes.

    That's fine for demos that have reached the stage where they are ready for public consumption. I'm referring to the stage before that.

    To add HTTPS to your server you’ll need to get a TLS certificate and set it up. Be sure to check out the Security with HTTPS article for best practices there. For info, you can now get free TLS certificates with the new Certificate Authority Let’s Encrypt.

    Let's Encrypt issues certificates only for domains that have either A. publicly reachable dynamic DNS or B. a publicly reachable HTTP server. Neither of these is likely to apply to a machine on a home or small office LAN.

    1. Re:HTTPS only. Again. by tepples · · Score: 2

      A related but different question:

      I plan to develop an application that runs on a PC and acts as an HTTPS server that other PCs on the same home LAN can access. It cannot be accessed from the Internet; connections from outside 10/8, 172.16/12, or 192.168/16 are refused to protect the privacy of the information that the application stores.

      I want to make a web application instead of a native application so that I don't have to spend five times as long remaking the application for five different operating systems (Windows, macOS, X11/Linux, Android, and iOS).

      I have to use HTTPS instead of cleartext HTTP in order to make the page a secure context for sensitive web APIs. If a script on a cleartext HTTP origin other than the local machine attempts to access a sensitive web API, the browser will instead raise a security exception. Here are some examples of internal web applications that would need to use a sensitive web API:

      • An internal web app with functionality similar to Snapchat that operates only within a home would need Media Stream in order to use the camera, but Media Stream is HTTPS-only.
      • An internal web app to scan barcodes of products purchased at a grocery store would also need the camera.
      • A video streaming app wouldn't need HTTPS just to run, but it would need HTTPS to go full-screen.
      • A LAN game using WebGL would likewise need to go full-screen and/or set a pointer lock so that the player can aim with the mouse.
      • ObTopic: Likewise for a Bluetooth pedometer to count the steps that each member of the household has taken while wearing it.

      HTTPS is HTTP on TLS, and TLS needs a certificate. So what certificate should this app use? Should the app act as its own CA and require the user to install the app's root certificate on each machine that accesses it? I don't see how that would be practical for home users who aren't particularly tech-savvy.

    2. Re:HTTPS only. Again. by AmiMoJo · · Score: 2

      For testing you can simply generate your own certificate and manually install it on your PC and server. You only need to buy one if you need it signed by someone in the chain of trust, but if it is just for testing on your own systems then you, as administrator, have the power to trust whatever certs you like.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Security is hard by sjbe · · Score: 2

    I can choose NOT to run a closed-source app.

    True though in practical terms that is of less value security wise than many imagine.

    how do I know that my browser is not doing bad things behind my back?

    Unless you've audited the code of the browser and compiled it yourself with a compiler whose code you also have audited you cannot know if a browser is doing bad things behind your back. That is true whether or not the source code is open source or closed. Open source does have its advantages but it just changes the attack surface rather than eliminating it.

    1. Re: Security is hard by ilsaloving · · Score: 2

      The browser isn't the issue. The issue is the drive-by ad-network delivered malware that people don't even know they're getting when they visit a random site. Even if you go to a site that you trust, there's *still* no guarantee that you're safe because they may serve something malicious by accident. This has happened more than enough times that this scenario should be front and center in everyone's minds.

  9. Chrome's sandbox by tepples · · Score: 2

    Native apps can be walled off by lightweight virtualization technologies

    Google Chrome already runs inside a sandbox that provides something akin to the "lightweight virtualization" you suggest.

    or even simply separate user accounts enforced at the kernel level.

    So if a home PC has five users, one for each member of the household, and 50 apps installed, would it need 250 user accounts, one for each member of the Cartesian product of users and apps?

  10. Re:If not web, then what OS-independent platform? by DarkOx · · Score: 4, Insightful

    Native apps don't usually mix in code from untrusted sources at run time the way basically every web app that includes ads of any kind does.

    Native apps don't usually have comments and data from other untrusted users that would be trying attacks like XSS against me. Native apps won't be vulnerable to CSRF and similar either.

    The web browser is a little too open a platform for giving access to hardware like that.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  11. Different attack surfaces by fyngyrz · · Score: 2

    There is still a notable difference between knowing you let the browser run on your computer, and knowing you let random websites reach out and meddle with your bluetooth devices.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:Different attack surfaces by AmiMoJo · · Score: 3, Insightful

      I have bad news for you. All major browsers have been offering web sites access to any attached webcams and microphones for many years now. Of course they ask you if you want to allow access first, and you can set an "always disabled" flag, but the code is in there.

      I find it quite amusing what Google has done. They build an OS on top of every other OS in the form of a browser, making the underlying system pretty much irrelevant. All apps run in the browser now - Google's office apps, their cloud file storage, video conferencing and soon health monitoring via Bluetooth sensors.

      I still don't want it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. Re:If not web, then what OS-independent platform? by exomondo · · Score: 2

    how do I know that my browser is not doing bad things behind my back? I have a browser open all the time, as do most. that, alone, makes this idea super stupid.

    Well you say you have a browser open all the time so you're obviously not very worried about your confidence that it's not doing bad things behind your back right now.

  13. Re:Why can't we leave it alone by tepples · · Score: 2

    Because developers want to deploy applications to users of Windows, macOS, X11/Linux, iOS, and Android. A native application works only on a single operating system unless separate native applications are made for each operating system. If accessing local storage, the camera, Bluetooth, or other features of your computing device requires a native operating system, then it'll likely end up being your preferred operating system that gets left out.

  14. Excellent by easyTree · · Score: 2

    My bluetooth-powered ad-blocker is almost complete.