
Half of the websites using WebAssembly use it for malicious purposes - victorbojica
https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/
======
jdashg
This is not fundamentally different than the previous generation of JS miners.
The root cause is "people whose websites serve miners", not WASM per se.

~~~
pjmlp
With the difference that you can turn off JavaScript.

~~~
yoklov
Can you not disable wasm? That seems like an oversight that should be fixed if
so.

------
_bxg1
It's depressing that the web has become such a race-to-the-bottom, but here we
are. Maybe we need a WASM permission opt-in like what we have for
notifications, geolocation, etc.? It'll be hard to communicate what it means
to regular users, but I don't see another solution.

~~~
jkoudys
Full opt-in for wasm will become as impractical as disabling JS. What we'll
need are better resource-level controls, so you could at least be prompted
earlier if a site's using high CPU for prolonged periods. Could even help get
devs to take site perf more seriously and stop draining the batteries of every
visitor on an unplugged laptop or phone.

~~~
_bxg1
> will become as impractical as disabling JS

No, because that's not the same thing:

1) JS opt-in is an advanced setting, not a prompt dialog that appears when a
page tries to run it and gets remembered on a site-by-site basis.

2) Until (unless) WASM gets full rein of web APIs, which is a long way off,
it will continue to have very sparse legitimate use-cases. Are you trying to
play a game, use Photoshop-the-web-app, or use an encrypted messaging service?
Click "Yes". Otherwise, it's probably safe to say you don't want whatever-it-
is running. It's rare that the average user would want to disable JS on a
given site. It's much more likely that they'd want to disable WASM (just like
it's much more likely that they'd want to disable geolocation, or push
notifications).

------
JackRabbitSlim
What wide and varied legitimate use cases did we honestly expect to see? What
wide and varied legitimate uses do we see for JS now?

~~~
krapp
>What wide and varied legitimate use cases did we honestly expect to see?

It's just a bytecode spec, it wasn't created by the mafia or anything. Many
people have already used it for porting software to the web, and for math-
intensive operations. You can see plenty of such projects by searching HN.

>What wide and varied legitimate uses do we see for JS now?

Are you implying that most JS is currently used for malicious purposes?

I would guess the vast majority of JS is currently used to render content in
the browser as part of a frontend framework, or jQuery, which is probably
still widely in use in legacy sites. Also for Google Analytics, which I
suppose some people might consider malicious. But then half of HN considers
javascript illegitimate and malicious by default anyway.

~~~
mooman219
>Are you implying that most JS is currently used for malicious purposes?

I classify most ads as malicious, so yes.

------
pmontra
I guess uMatrix and NoScript will add an option to block/unblock
WebAssembly.

~~~
rasz

        WebAssembly = undefined;

is all you need.
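
An added example, not part of the comment above: the posted one-liner is a plain assignment that a later script can undo, so this sketch compares it with a locked property definition. The `realm` parameter and all function names are assumptions for illustration; `realm` stands for the page's global object, and the code is assumed to run before any page script (for instance from an extension content script).

```javascript
// True when the WebAssembly namespace object is reachable on this global.
function wasmUsable(realm) {
  return typeof realm.WebAssembly === 'object' && realm.WebAssembly !== null;
}

// The one-liner as posted: the property stays writable and configurable.
function disableByAssignment(realm) {
  realm.WebAssembly = undefined;
}

// Locked variant: non-writable and non-configurable, so later assignment,
// delete and Object.defineProperty on this global all fail.
function disableLocked(realm) {
  Object.defineProperty(realm, 'WebAssembly', {
    value: undefined,
    writable: false,
    configurable: false,
    enumerable: false,
  });
}

// Stand-in for a later script that kept a reference and puts it back.
function tryRestore(realm, saved) {
  try { realm.WebAssembly = saved; } catch (_) { /* throws in strict mode */ }
  try {
    Object.defineProperty(realm, 'WebAssembly', { value: saved });
  } catch (_) { /* throws once the property is locked */ }
  return wasmUsable(realm);
}

// Runs both variants against the same global and reports what survived.
function demo(realm) {
  const saved = realm.WebAssembly;
  disableByAssignment(realm);
  const afterAssign = wasmUsable(realm);
  const restoredAfterAssign = tryRestore(realm, saved);
  disableLocked(realm);
  const restoredAfterLock = tryRestore(realm, saved);
  return { afterAssign, restoredAfterAssign, restoredAfterLock };
}
```

The lock covers only the global it is applied to, so it has to run in every frame and worker as well, each of which has its own global. It also does nothing about compute-heavy code shipped as plain JavaScript, the case raised further down the thread.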

------
downerending
That didn't take long. Anyone know how to disable it in the major browsers?

~~~
capableweb
Disabling JS should disable WebAssembly. Otherwise there is also
`javascript.options.wasm` in Firefox.

~~~
floatingatoll
Emscripten can target non-WASM JavaScript just fine, and the malicious use
cases are just as happy to burn your power at any efficiency. Disabling WASM
is a knee-jerk reaction and will not protect you. (Disabling all scripting
will, as long as no site you whitelist or addon you install gets hacked.)

------
baybal2
WASM is the new ActiveX. People were warned.

