WebAssembly gets nod from W3C and, most likely, an embrace from cryptojackers online

The World Wide Web Consortium (W3C) on Thursday published three WebAssembly specifications as W3C Recommendations, officially endorsing a technology touted for the past few years as a way to accelerate web code, to open the web to more programming languages, and to make code created for the web more portable and safe. “The …


  1. JohnFen

    I will not use this

    It's too dangerous to allow random websites to execute code on my machine as it is, which is why I don't allow most sites to execute any client-side scripting. It's nice that WebAssembly uses a sandbox, but that doesn't really reduce the risk enough for me to be comfortable with it.

    So, no WebAssembly for me.

    1. Anonymous Coward

      Re: I will not use this

      It's cute you think you will have a choice long term but I hear ya.

      1. vtcodger Silver badge

        Re: I will not use this

        It's cute you think you will have a choice long term ...

        I fear that you've nailed it. I think that Web Assembly -- which looks to be a **REALLY** BAD IDEA -- will likely turn out to be the final nail in the Internet's coffin. The inscription on the gravestone should read "The Internet 1991-2021. So much promise. Sadly unfulfilled."

        1. James Ashton

          Re: I will not use this

          Please don’t confuse the internet with the World Wide Web.

      2. JohnFen

        Re: I will not use this

        How will I not always have a choice? The worst that could happen is that the bulk of the web will be unacceptable for my use, but honestly, that's already true.

        1. Anonymous Coward

          Re: I will not use this

          >The worst that could happen is that the bulk of the web will be unacceptable for my use, but honestly, that's already true.

          Which is fine until government or your company decides it will make something that is mandatory for you only available through the web running WebAssembly (again long term). Web is quickly becoming a necessary utility like power in modern life. Hopefully it will be like Javascript and NoScript is now, but with the direction Chrome (and perhaps eventually Firefox) is headed, who knows. Death by a 1000 cuts.

          1. JohnFen

            Re: I will not use this

            "Which is fine until government or your company decides it will make something that is mandatory for you only available through the web running WebAssembly (again long term)."

            So far, it doesn't look like that day is on the horizon. No company I interact with requires the use of their website (they all provide other means of interacting with them, even if it's a phone call or a visit to an office), and I don't see any sign that will change. Same with government agencies.

            However, should that day actually come within my lifetime, I can always use the computers at the local library.

            1. Anonymous Coward

              Re: I will not use this

              Good plan I suppose, but for the other 90% of punters WebAssembly is probably eventually going to run on their phone browsers or smart appliances, etc. with them none the wiser. We really are the exception.

    2. Lee D Silver badge

      Re: I will not use this

      No worse than anything else.

      It's basically the same as the Javascript (ECMAScript) permissions - given that WebAssembly has its roots in the "virtual machine" made in Javascript.

      Seriously, the problem is not what technology you choose, but how stupid your browser manufacturers are.

      P.S. You've had a webassembly-enabled browser for several years now, I guarantee it.

      Go play with Emscripten, which has been compiling to Webassembly for a long time already. It's basically bound by the browser DOM security model. If that was broke, it really doesn't matter *what* language you've been using.

      But you'll notice that you can't access local files, you have to run code from remote websites (so you can't just be pointed at something compromised on a local network machine), that permissions to audio, video capture and everything else are: the same damn permissions you've got available to every website and are denying/allowing already. It doesn't allow arbitrary file, memory or resource access. Hell, you have to jump through hoops just to preload files from a website and access them in a virtualised storage in order to do anything on them, and the performance hit is enormous because of the way it's done (but still more than viable for 99% of things you want to do in a browser because, hey, it's a browser).

      The only interesting thing is WebSockets, but that's no different to the myriad of websites that talk back in the same way over HTTPS already.

      Honestly, if your browser is dumb, it doesn't matter what language it's dumb in.

      WebAssembly is just Javascript-compressed. That's it. If there's a vulnerability in it, you had that vulnerability for the last 10 years in your browser already.

      But with Javascript, it's a pain in the arse to write a full 3D FPS (or, say, something like Sketchup for the Web). In WebAssembly, it's just another target for a compiler.

      And, no, if you compile a memory-unsafe language (say, C99) to WebAssembly, all that happens is that your code falls over inside the WebAssembly virtual machine. Arbitrary memory pointer access is actually faked by allocation of a giant array, for instance. There are some things you just can't do because the browser DOM and the inherent absence of a capability in WebAssembly stops you.

      Focus on the problem (browsers which don't implement proper security for their page interpretation) not the brand name on the language that exposes that (e.g. Javascript, WebAssembly). And, no, it's not even close to Java. Java plugins in browsers worked by Java having arbitrary access to the machine and then imposing its own (broken) security model. That's why Java plugins are basically dead now.

      1. bombastic bob Silver badge
        Unhappy

        Re: I will not use this

        "Java plugins in browsers worked by Java having arbitrary access to the machine and then imposing its own (broken) security model. That's why Java plugins are basically dead now."

        That's part of it, yeah [probably the biggest part]. However, what makes you think WebAssembly is NOT heading down the EXACT SAME PATH? I suggest that it _IS_.

        "Unsafe at any speed" - kinda fits this, too.

        Do you REALLY want automatically downloaded PROGRAMS being run by TRACKERS and ADVERTISERS (and scammers) running on YOUR computer? Just like the way I block scripting with NoScript, this 'WebAssembly' crap needs the SAME kind of treatment. Ideally, it can have a finer level of control applied to it, such as blocking 3rd party scripts, block 3rd party WebAssembly, or ALL WebAssembly for that matter...

        1. Blank Reg Silver badge

          Re: I will not use this

          There also needs to be finer control of permissions when you do want such a program to run.

          So if I give an application access to a local file, then it can only access that local file. If I give it permission to a directory, then it can only access that directory. And under no circumstances should it have access to any system files or directories.

      2. TeeCee Gold badge
        WTF?

        Re: I will not use this

        It's basically the same as the Javascript (ECMAScript) permissions...

        That's actually not very reassuring...

        1. teknopaul Silver badge

          Re: I will not use this

          FYI, Google's WebAssembly runtime is V8, i.e. the JavaScript runtime; they are not separate projects.

      3. JohnFen

        Re: I will not use this

        "It's basically the same as the Javascript (ECMAScript) permissions - given that WebAssembly has its roots in the "virtual machine" made in Javascript."

        Yes, and I already don't allow almost any Javascript to execute in my browser.

        "Seriously, the problem is not what technology you choose, but how stupid your browser manufacturers are."

        No, the problem is that websites cannot be trusted to execute code on my machine.

        "You've had a webassembly-enabled browser for several years now, I guarantee it."

        My browser allows me to disable it, which I do.

        "Focus on the problem (browsers which don't implement proper security for their page interpretation) not the brand name on the language that exposes that (e.g. Javascript, WebAssembly)."

        My problem is not improper implementations by browsers -- that's something that can be addressed. My problem is that even if the browser's security is 100% bulletproof, client-side scripting is still far more powerful and capable than I'm comfortable allowing web developers to use on my machines.

    3. bombastic bob Silver badge
      FAIL

      Re: I will not use this

      hopefully NoScript shuts that *#!+ off, too.

      from the article: "wasm modules operate in a sandbox that isolates them from the host runtime"

      I've heard this rumor about JavaScript, too. And yet, HOW MANY TIMES has it BEEN ABUSED to SPY on us, STEAL CPU CYCLES for crypto-mining, and so on???

      FACT: This is 3rd parties RUNNING CODE on YOUR COMPUTING DEVICE, quite possibly inviting RANDOM 4TH PARTIES [advertisers] TO DO THE SAME.

      Yeah "no security risk" doing THAT, right?

      My hacker-mind ALREADY envisions the potential abuse of THAT kind of "open-ness" on the CLIENT. And it's as bad as the first MS-DOS viruses and MAC viruses that prompted an ENTIRE INDUSTRY of anti-virus tools.

      NO THANKS opening my LINUX or FreeBSD box up to the SAME KINDS OF CRAP that Windows users have to protect themselves from...

      WebAssembly: *FAIL* (might as well use embedded Java objects, and WHY was that dumped again?)

  2. Elledan Silver badge

    Readability of JavaScript

    So, just how many folks would prefer digging through a mini-fied 1MB JavaScript source file relative to the organised & annotated disassembled source code of a WASM binary?

    Because having done JavaScript development for a living for a few years (it was a job...) I am not sure what this touted 'readability of JavaScript' is meant to be. After all JS source has been merged into a single file and minified to 'compress' it, it was sufficiently unreadable that even us JS devs would just try to replicate any issues on integration instead of trying to do any debugging on production.

    1. vtcodger Silver badge

      Re: Readability of JavaScript

      Indeed, a few months ago I took a shot at reverse engineering 700k of "compressed" Javascript to see if there was any chance of detecting when it was finished doing its work.

      My take. Reverse engineering of JS can be done. But not by me.

      I threw the whole thing out and replaced it with a hundred or so lines of Python that did the same job (faster) using standard tools like curl and image magick.

    2. MacroRodent Silver badge

      Re: Readability of JavaScript

      I haven't looked at this, but I expect there are tools to un-minify JavaScript. Just breaking the statements into separate lines and pretty-printing should go a long way. After that some facility to support replacing obfuscated identifiers with more meaningful ones (like good disassemblers allow doing to replace generated labels with readable ones), and the result should be easy to read.

      1. teknopaul Silver badge

        Re: Readability of JavaScript

        There are tools to do it dynamically in Firefox. So you can publish minified JS in production and also a map file that allows the Firefox debugger to unminify it so you can step through the code as if it had been delivered before minification. Map files are generated by the same tool that minifies. I don't think you can reverse them if they are not published.

        1. MacroRodent Silver badge

          Re: Readability of JavaScript

          I believe the map file solves a bit different problem: They don't unminify but allow deciphering errors and debugging in terms of the original source files and locations, instead of everything happening on line 1 of file bundle.js. But you cannot see the (hopefully) nicely laid out and commented original code, unless you have the original source files available.

  3. Randy Hudson

    “Wasm has the potential to run much faster than JavaScript, as much as 20x faster”

    So it’s java?

    1. Venerable and Fragrant Wind of Change
      Thumb Up

      I was getting deja-vu at the browser sandbox. Yeah, looks like Java has come around again.

      But then, back in the Java era, I was getting deja-vu from the promises of ADA, as reflected in Java's oft-touted aspirations. These things are cyclical.

      1. John Brown (no body) Silver badge

        "These things are cyclical."

        Yeah, it's new generations growing up and re-inventing the wheel because they weren't around for the previous debacle.

        1. amanfromMars 1 Silver badge

          This Time Things are Different ...... For a Change*

          Yeah, it's new generations growing up and re-inventing the wheel because they weren't around for the previous debacle. .... John Brown (no body)

          How about ... it's new generations growing up and re-purposing the wheel because they weren't around for the previous debacle, John Brown (no body).

          That would suggest they be able to access and exercise Alternative Remote Command with Virtual Control Leverage.

          Have you any idea what that is worth in/to any market?

          * The Grand Irony and Almighty Opportunity for Pedestrian Status Quo Sources and Forces is that Any Failing to Engage and Enjoy and Employ New Generational Programming, and there ADA is a sterling star language for AI on Missions, Automatically Instantly Deny Themselves Privileged Access to New Fonts of IMPerfect Source Drivering Assets.

          :-) The spooky thing is ... Nowadays, machines such as produce and display the likes of the above, and they surely be the bringers and breakers of all news presently, are advising humanity what next to expect ...... rather than the reverse ....... and that is Real Freaky Stuff In Deed, Indeed . :-)

          And if you worry for your sanity, ....... well, give it a try or a bye for now, and see how you progress on the path chosen. And don't worry about missing such chances, for they'll all be available again tomorrow although then is one simply trailing in support some way behind the bigger pictures being created further up ahead in the Fields Following New Generational Programs.

          Is that latter condition/situation akin to Serfdom?

          1. Anonymous Coward

            Re: This Time Things are Different ...... For a Change*

            "... That would suggest they be able to access and exercise Alternative Remote Command with Virtual Control Leverage.."

            You're totally creating a grandeur behind WASM that isn't there (at least we hope!!). WASM has its place, but it's just a slower version of Java. We are in an age of market code, not functional code. Just get your "code" out there, become a paper millionaire and watch someone with much less wealth take a huge hit to their retirement plan.

            I'd go on, but I have to go and re-re-re-re-re-invent an IRC client to sell to a SaS support team.... long days on StackOverflow ahead as my CTRL, C and V keys are about shot.

            1. amanfromMars 1 Silver badge

              Re: Who Dares Care Share Win Wins and All That .....

              You're totally creating a grandeur behind WASM that isn't there (at least we hope!!). ..... overunder

              Oh? One shouldn't be so sure, overunder, whenever so much is always so unsure and able to be designedly and decidedly so totally disruptive and/or creative.

              I'd go on, but I have to go and re-re-re-re-re-invent an IRC client to sell to a SAS Support Team deeply embedded in an AWEsome Program.

              You are aware of such shenanigans, overunder? El Reg must have highlighted them at some time, surely?

          2. Anonymous Coward

            Re: This Time Things are Different ...... For a Change*

            "And if you worry for your sanity,"

            I'm worrying for yours. That post made almost no sense.

        2. bombastic bob Silver badge
          Mushroom

          those young whippersnappers... [get off my lawn]

          "new generations growing up and re-inventing the wheel because they weren't around for the previous debacle."

          Or, in the case of the invasive/pervasive 2D FLATTY McFLATFACE FLATSO FLUGLY interface "design", re-inventing the wheel "for the lulz" "because they CAN" (and TOTALLY b0rking it, out of arrogance NOT going back to what was OBVIOUSLY BETTER BEFORE) and THEN cramming it into EVERYONE ELSE's body orifice and calling it "modern".

          Because, after all, it's "their turn now". and everyone over the age of 'whatever' is OLD and STICK IN THE MUD and WRONG and WON'T LEARN and and and... [you get the idea]

          yeah having all competing choices (effectively) taken away is the MOST irritating part. Expect WebAssembly to do THAT, too.

          1. teknopaul Silver badge

            Re: those young whippersnappers... [get off my lawn]

            Can we have a rule about use of capitals? With perhaps a subclause about irrelevant brackets and quotes.

            ;)

          2. Aussie Doc Bronze badge
            Boffin

            Re: those young whippersnappers... [get off my lawn]

            Dammit, Bob, I go cross-eyed trying to read your posts.

        3. Tom 38 Silver badge

          Yeah, it's new generations growing up and re-inventing the wheel because they weren't around for the previous debacle.

          Not to play devil's advocate, but the wheel has actually been re-invented many times, this is why they aren't still made of slices of a tree trunk. Not everything that is re-invented is done by ignorant Young Turks ignoring history, sometimes they learn from the problems and issues with previous solutions to develop better solutions.

          1. amanfromMars 1 Silver badge

            Now we’re cooking with gas

            Amen to that, Tom 38. And it is certainly bound to create all manner of new problems for both terrifying and petrified systems.

            Oh dear, what a shame ... not!

          2. JohnFen

            "sometimes they learn from the problems and issues with previous solutions to develop better solutions."

            Sometimes, yes. But it seems pretty rare.

    2. Anonymous Coward

      Like Java?

      Java on a modern CPU is technically faster than the original computers, but I don't think there are many people who consider "faster" to be synonymous with "java".

      1. bombastic bob Silver badge
        Meh

        Re: Like Java?

        amazingly Java still manages to be #1 or a very close #2 on the TIOBE index. But it _does_ run cross-platform. And on Android. But of course what Android apparently does is re-compile it into something native, rather than relying on running Java's pseudo-code. And, THAT causes significant startup delays every time something "upgrades". I HATE that. (let me start my slab up really quick so I can test this... OH @#$% the @#$% @#$% just @#$% had to UPDATE, and now I have to wait for @#$% @#$%^ @#$% to finish before it'll finish starting up, @#$%!!!)

        I can't imagine what would happen if you get a WebAssembly "thing" somewhere down the line, where it's forcibly 'optimized' (read: re-compiled for up to a minute or two) while your browser and/or the content on the page has to WAIT FOR IT because, "updates". Yeah, does not happen FOR NOW, because it runs that code with a virtualizer. But that's not FAST ENOUGH, and you know, it COULD become NATIVE CODE, and next step in the "evolution" puts us into the situation I JUST described, and and and (you get the idea). And we ALL know how devs LOVE to SHOVE THEIR UPGRADES into our body orifices, because ALWAYS BETTER even with FEATURE CREEP!

        1. Aussie Doc Bronze badge
          Joke

          Re: Like Java?

          "...OH @#$% the @#$% @#$% just @#$% had to UPDATE, and now I have to wait for @#$% @#$%^ @#$% to finish before it'll finish starting up, @#$%!!!)"

          Easy for you to say.

    3. bazza Silver badge

      I was trying to square that speed up claim with other people’s assertions that JavaScript is as fast, nay, faster than native C++. Based on experience of using web apps, I’d say that JavaScript is rubbish and slow.

      1. vtcodger Silver badge

        It depends?

        I’d say that JavaScript is rubbish and slow.

        A few JS entities -- Open Street Map, text editors used for comments on some web sites -- seem pretty decent. Others -- Amazon, anything from Google -- are utterly atrocious -- slow, buggy, -- a user experience reminiscent of running Windows 1.0 from floppies. I admit to being mildly curious about why. Not curious enough to start tearing code apart.

        But I submit that there is a possibility that Javascript per se might not be as bad as it seems.

      2. Brewster's Angle Grinder Silver badge

        "Based on experience of using web apps, I’d say that JavaScript is rubbish and slow."

        Javascript can be very fast or very slow. The transition between the two can seem inconsequential at the source level and can vary between engines. And that's before you get to the giant anchor that is the DOM and devs who insist they're going to do it their way because they don't care about speed, and then pile on React, jQuery and yet gods know what else, only to code using a functional paradigm. (I don't have a problem with functional programming - but Javascript ain't optimised for it.)

        Back in the day you could find C++ apps that ran like overweight dachshunds and apps that ran like greyhounds. The dachshund guys can write code that's even slower using Javascript. But I used to be able to get core maths heavy stuff to run within a factor of 2 of native code. It doesn't seem to have got any slower - although increasing mobile phone screen sizes have put the old code under more strain.

    4. ThomH Silver badge

      It's Java, but with non-malicious competing implementations.

    5. Lee D Silver badge

      Java ran with full permissions to the user, and then had its own "security" (in your Control Panel modules, etc. no less).

      WebAssembly is Javascript-compressed. It can't do anything that Javascript couldn't already do. And it runs inside the browser DOM, which literally doesn't have certain capabilities (if it did, Javascript would have had them too).

      1. JohnFen

        "It can't do anything that Javascript couldn't already do."

        True, but that's not reassuring.

    6. Luke McCarthy

      Like Java, but without garbage collection or object orientation. So, JVM for C code.

  4. James Ashton

    More secure than Java how?

    Please Mozilla, make this an opt-in feature per site. Last time I wanted to try a Java applet on an ancient site I had to fire up IE because Java is apparently so bad that Firefox absolutely refused to run it. What makes them think web assembly will be any safer? Remember how secure Java was touted as being in the beginning, but the applet vulnerabilities just kept rolling in until it was worse than Flash.

    1. _andrew
      Boffin

      Re: More secure than Java how?

      WASM is very like Java in many respects, but has a significant difference. That difference is very likely why it has taken it as long as it has to gain any kind of traction. The difference is that Java defined a fairly standard sort of standard library, with access to essentially all of the host operating system's resources. Java web applets nominally had a restricted set of APIs available, but they aren't all that restricted, and the big problem is that the libraries are huge, and implemented on top of (not-memory-safe) C and C++ code that turned out to be full of bugs that could be exploited. WASM has no standard libraries, and no object model. Indeed, it has no inherent access to _any_ APIs at all. It's just a blob of code that has access to a pre-allocated chunk of memory. All it can do is run its program when asked by the JavaScript attached to its host web page, which will have to extract the result from a chunk of raw shared memory set up for that purpose beforehand. So the only system access that WASM code has is through the host JavaScript.

      At first, host JavaScript just did the specific things that WASM wanted, and it was fairly gnarly. Now though, various groups have gone to the bother of writing fairly sophisticated libraries of interface routines, function-calling mechanisms with argument marshalling and so on, so that fairly normal sorts of developments can in fact be done. But the restrictions are still those of the browser JavaScript, which although not unblemished is not bad at security. Essentially, the sandboxing is significantly stronger this time around.
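
Added example, not part of any comment in this thread: the claim above that a Wasm module reaches the outside world only through what the host JavaScript hands it, and Lee D's earlier point that "pointer access" is confined to one array, can both be checked from the host side. The module bytes are hand-assembled for this illustration, and the names `host.report`, `peek` and `run` are hypothetical.

```javascript
// Constructed sample module (hand-assembled for this example):
//   import host.report : (i32) -> ()
//   memory             : exactly 1 page (64 KiB), exported as "memory"
//   export peek(addr)  : i32.load8_u from linear memory
//   export run(x)      : calls host.report(x)
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic, version 1
  0x01, 0x0a, 0x02, 0x60, 0x01, 0x7f, 0x00,                   // type 0: (i32) -> ()
  0x60, 0x01, 0x7f, 0x01, 0x7f,                               // type 1: (i32) -> i32
  0x02, 0x0f, 0x01, 0x04, 0x68, 0x6f, 0x73, 0x74,             // import module "host"
  0x06, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00,       //   field "report", func type 0
  0x03, 0x03, 0x02, 0x01, 0x00,                               // functions: peek (t1), run (t0)
  0x05, 0x04, 0x01, 0x01, 0x01, 0x01,                         // memory: min 1 page, max 1 page
  0x07, 0x17, 0x03, 0x04, 0x70, 0x65, 0x65, 0x6b, 0x00, 0x01, // export "peek" = func 1
  0x03, 0x72, 0x75, 0x6e, 0x00, 0x02,                         // export "run"  = func 2
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00,       // export "memory" = mem 0
  0x0a, 0x10, 0x02,                                           // code section, 2 bodies
  0x07, 0x00, 0x20, 0x00, 0x2d, 0x00, 0x00, 0x0b,             // peek: local.get 0; i32.load8_u
  0x06, 0x00, 0x20, 0x00, 0x10, 0x00, 0x0b,                   // run:  local.get 0; call 0
]);

// List everything the module asks the host for, before instantiating it.
// This is the module's entire capability request.
function auditImports() {
  const mod = new WebAssembly.Module(WASM_BYTES);
  return WebAssembly.Module.imports(mod).map(
    (i) => `${i.module}.${i.name}:${i.kind}`
  );
}

function demo() {
  const mod = new WebAssembly.Module(WASM_BYTES);

  // 1. Without the requested import the module cannot even be instantiated.
  let linkedWithoutImport = true;
  try {
    new WebAssembly.Instance(mod, {});
  } catch (e) {
    linkedWithoutImport = false;
  }

  // 2. The host decides what the import does; here it only records values.
  const hostCalls = [];
  const inst = new WebAssembly.Instance(mod, {
    host: { report: (v) => hostCalls.push(v) },
  });
  const { peek, run, memory } = inst.exports;

  // 3. Linear memory is an ordinary buffer that the host can read and write.
  new Uint8Array(memory.buffer)[16] = 0x41;
  run(21);

  // 4. Any address outside the 64 KiB buffer traps instead of touching
  //    host memory; the trap surfaces as WebAssembly.RuntimeError.
  const traps = (addr) => {
    try {
      peek(addr);
      return false;
    } catch (e) {
      return e instanceof WebAssembly.RuntimeError;
    }
  };

  return {
    linkedWithoutImport,
    exports: Object.keys(inst.exports),
    hostCalls,
    inBounds: peek(16),
    lastByte: peek(65535),
    trapPastEnd: traps(65536),
    trapNegative: traps(-1), // i32 -1 is address 0xFFFFFFFF
  };
}

console.log(auditImports(), demo());
```

The import object passed at instantiation is the whole attack surface the host exposes to the module, so the browser's JavaScript permissions bound what that object can contain.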

      1. MacroRodent Silver badge

        Re: More secure than Java how?

        If WASM is successful, its interface will inevitably be extended to allow it to do more useful things. And then it is just a matter of time before Java-like security problems start appearing.

        Newsflash from 2030: Google has finally banned WASM from Chrome due to security concerns, after having had it opt-in (with scary warnings) for a year. Mozilla is expected to follow suit.

  5. YetAnotherJoeBlow Bronze badge

    wasm

    My browser is locked down as much as possible and run in a sandbox locked down as much as possible - I still will not run scripts or binary blobs. If a site breaks, I go somewhere else. Usually, I do not give a flying f*** what the standards say. If it looks like shite and smells like shite... Want Another Shite Meal?

    1. Charles 9 Silver badge

      Re: wasm

      "If a site breaks, I go somewhere else."

      If the site that breaks is something with no alternative like a government website, meaning the only somewhere else you can go is away and not get anything like benefits and so on?

      "Want Another Shite Meal?"

      If there's nothing else, what's it gonna be? Shite or starve?

      1. Pascal Monett Silver badge

        Starve.

        It's only the Internet, you can live without it.

        1. JulieM

          They're working on that.
