A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

[Proposal] Neighbour Awareness Networking JS API

feliperias
2019-04-07

Neighbour Awareness Networking, also known as Wi-Fi Aware, is a Wi-Fi specification that enables devices to discover and connect directly to each other without requiring any other type of connectivity between them.

Making this functionality available to websites would enable them to create fast and convenient connections between users who are physically close, opening up new ways of approaching the creation of Web solutions.

However, this can not be done lightly: a careless use of this technology would pose severe threats to privacy and security.

This is an early draft proposal for a JavaScript API for NAN that tries to balance usefulness and user safety. The goal is to make it easy to discover and connect to people who have allowed you to do so, and only to them.

See here for more details, use cases, draft API and implementation notes:

reillyg
2019-04-12

This is an interesting proposal and I’ve also been looking for a solution in this space however I have a couple concerns,

  1. This seems specific to a new subset of the Wi-Fi standards, Wi-Fi Aware. Is it possible for this to be extended to work over any existing Ethernet network?
  2. Has there been any consideration of how to prevent malicious local devices from impersonating a peer? From an HTTP perspective this seems to allow arbitrary unauthenticated connections to any other local network host.
feliperias
2019-04-15

Thank you for the feedback, those are good questions.

  1. The main focus of this proposal is to connect users that are physically close. This proximity lets you use technologies (Aware, NFC, Bluetooth) and user actions (e.g. tap phones together) that can make the connection process more convenient and secure. A solution that worked over any existing Ethernet network might end up using some of the same ideas and technologies, but I would consider it a separate line of work.

  2. Regarding user authentication, it is true that the mechanism sketched in the proposal is still pretty naïve. I am still exploring how this proposal would fit with existing Web technologies. In particular, I wonder whether some of the ideas in the Web Authentication API might be translated to this scenario.