Hi,

On Thu, 16 Mar 2017, Graeme Geldenhuys wrote:

> And this brings me to my next worry. As far as I understand, WebAssembly
> is C (for now - other languages to follow) compiled into WebAssembly
> bytecode. So now we have C code with all its pointer access, buffer
> overflow issues etc. running in the web browser space - at least Java
> Applets were a lot safer in that regard, and Java Applets require
> explicitly signed executables and permission granted by the end-user (per
> app, per domain etc.). WebAssembly just runs - no questions asked.

Yes. Much like your average Javascript snippet. But even if it's compiled from C (or Pascal, eventually... :P), it doesn't mean it can just poke pointers wherever it feels like; there are several protection layers between the bytecode and the native code: the JIT engine itself, the browser, and the OS. Also, most browsers run most pages in isolation anyway. I agree though that some kind of code signing would be beneficial.

Also, the major problem with the security faults of Java and other plugins was that the organizations behind them moved at glacial speed, and sometimes (Flash, Silverlight) they were even closed source, which made it impossible for browser vendors to act quickly and patch things up. None of this is true for WebAssembly.

> Then we have the issue of code being obfuscated when compiled into
> bytecode. So now it is even harder to detect malicious code.

There are already decompiler tools for WebAssembly, which translate the bytecode back into the AST or even some JS-alike syntax. It's not that much less human-readable than deobfuscated JS code which someone ran through an obfuscator before, IMO.

> It seems I am not alone in thinking this way. Just read the comments
> posted at the link listed in the first message of this thread.

I think there's still a master switch to disable this in the browsers. I'm sure there'll be tricky attacks, but these happen with normal JS anyway. But I don't think it'll be such a disaster as people predict.
(And I'm usually quite pessimistic about such things.)

Charlie

_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
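As an added example (not part of Charlie's reply or anything else in the thread), the following Node.js script probes two of the claims above from the host side: a WebAssembly module's loads and stores are bounds-checked against its own linear memory and trap with a WebAssembly.RuntimeError rather than touching the JS heap, the JIT or the process, and a module can only reach the host through the imports it declares (this one declares none). It also includes a tiny bytecode-to-text pass over the code section, the kind of step the decompilers mentioned perform, limited here to the five opcodes the module actually uses. Everything is constructed for this example: the module bytes are hand-assembled (one 64 KiB memory page, a `store(addr, value)` export doing `i32.store` and a `load(addr)` export doing `i32.load`), and the addresses probed were chosen to sit on either side of the 65536-byte boundary. It assumes a Node.js runtime with the `WebAssembly` global.

```javascript
// Added example, not code from the fpc-pascal thread. Runs under Node.js.
// The module bytes are hand-assembled for this example (constructed input).
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,               // "\0asm", version 1
  0x01, 0x0b, 0x02, 0x60, 0x02, 0x7f, 0x7f, 0x00,               // type section: (i32,i32)->()
              0x60, 0x01, 0x7f, 0x01, 0x7f,                     //               (i32)->i32
  0x03, 0x03, 0x02, 0x00, 0x01,                                 // function section: 2 funcs
  0x05, 0x03, 0x01, 0x00, 0x01,                                 // memory section: min 1 page, no max
  0x07, 0x16, 0x03,                                             // export section: 3 exports
    0x05, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x00, 0x00,             //   "store" -> func 0
    0x04, 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x01,                   //   "load"  -> func 1
    0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,                         //   "mem"   -> memory 0
  0x0a, 0x13, 0x02,                                             // code section: 2 bodies
    0x09, 0x00, 0x20, 0x00, 0x20, 0x01, 0x36, 0x02, 0x00, 0x0b, //   local.get 0; local.get 1; i32.store; end
    0x07, 0x00, 0x20, 0x00, 0x28, 0x02, 0x00, 0x0b,             //   local.get 0; i32.load; end
]);

function instantiate() {
  const mod = new WebAssembly.Module(WASM_BYTES);
  return { mod, inst: new WebAssembly.Instance(mod, {}) };
}

// Imports are the module's only path to the host. This module declares none,
// so the embedding JavaScript decides exactly which capabilities it gets.
function importCount() {
  return WebAssembly.Module.imports(instantiate().mod).length;
}

// Size of the sandbox: one page = 65536 bytes.
function memoryBytes() {
  return instantiate().inst.exports.mem.buffer.byteLength;
}

// Ordinary pointer use inside linear memory: write, then read back.
function roundTrip(addr, value) {
  const { inst } = instantiate();
  inst.exports.store(addr, value);
  return inst.exports.load(addr);
}

// A store whose 4 bytes do not fit inside linear memory traps; the engine
// raises WebAssembly.RuntimeError and nothing outside the sandbox is written.
function probeStore(addr, value) {
  const { inst } = instantiate();
  try {
    inst.exports.store(addr, value);
    return "ok";
  } catch (e) {
    if (e instanceof WebAssembly.RuntimeError) return "trap";
    throw e;
  }
}

// Unsigned LEB128, the varint Wasm uses for sizes, counts and indices.
function u32(r) {
  let result = 0, shift = 0;
  for (;;) {
    const b = r.bytes[r.pos++];
    result |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return result >>> 0;
    shift += 7;
  }
}

const OPCODES = { 0x0b: "end", 0x20: "local.get", 0x21: "local.set",
                  0x28: "i32.load", 0x36: "i32.store" };

// Minimal bytecode-to-text pass over the code section, covering only the
// opcodes above. Real tools (e.g. wabt's wasm2wat) cover the whole ISA.
function disassemble(bytes) {
  const r = { bytes, pos: 8 };                   // skip magic + version
  const funcs = [];
  while (r.pos < bytes.length) {
    const id = u32(r);
    const size = u32(r);
    const sectionEnd = r.pos + size;
    if (id === 10) {                             // code section
      const count = u32(r);
      for (let f = 0; f < count; f++) {
        const bodySize = u32(r);
        const bodyEnd = r.pos + bodySize;
        const localDecls = u32(r);
        for (let i = 0; i < localDecls; i++) { u32(r); r.pos++; } // (count, valtype) pairs
        const instrs = [];
        while (r.pos < bodyEnd) {
          const op = bytes[r.pos++];
          const name = OPCODES[op] || `unknown(0x${op.toString(16)})`;
          if (op === 0x20 || op === 0x21) {
            instrs.push(`${name} ${u32(r)}`);
          } else if (op === 0x28 || op === 0x36) {
            const align = u32(r), offset = u32(r);  // memarg: log2(align), offset
            instrs.push(`${name} offset=${offset} align=${1 << align}`);
          } else {
            instrs.push(name);
          }
        }
        funcs.push(`(func $f${f} ${instrs.join(" ")})`);
      }
    }
    r.pos = sectionEnd;
  }
  return funcs;
}

console.log(importCount(), memoryBytes(), probeStore(65532, 1), probeStore(65533, 1), probeStore(-4, 1));
console.log(disassemble(WASM_BYTES).join("\n"));
```

One caveat the probes make visible: the boundary being enforced is the module's linear memory, not the C program's individual buffers. `roundTrip` succeeds at any in-range address, so a buffer overflow in compiled C still silently corrupts the module's own heap and data; the layering only keeps that corruption from escaping into the browser process. The code-signing and master-switch points in the reply are not exercised here.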