WebAssembly gets nod from W3C and, most likely, an embrace from cryptojackers online
Standardization of wasm for the web offers a new take on the same old problems
The World Wide Web Consortium (W3C) on Thursday published three WebAssembly specifications as W3C Recommendations, officially endorsing a technology touted for the past few years as a way to accelerate web code, to open the web to more programming languages, and to make code created for the web more portable and safe.
“The arrival of WebAssembly expands the range of applications that can be achieved by simply using open web platform technologies," said Philippe Le Hégaret, W3C Project Lead, in a statement.
"In a world where machine learning and artificial intelligence become more and more common, it is important to enable high performance applications on the web, without compromising the safety of the users."
It's been a long time coming. The tech surfaced in 2015, showed up as a preview in web browsers in 2016, reached cross-browser design consensus in 2017, and recently got a push from Fastly, Intel, Mozilla, and Red Hat to move beyond the browser.
Just as one does not simply walk into Mordor, one does not generally write WebAssembly. Sure, one could write it by hand, and some masochists do for the educational challenge, but it's more common to write code in a language like C/C++ or Rust and compile that source code to a wasm file.
Security is another potential benefit since wasm modules operate in a sandbox that isolates them from the host runtime. But there's more to it than that.
Wasm may also turn out to be less susceptible to user interventions. At the moment – at least until Chrome's Manifest v3 transition limits the content blocking capabilities of browser extensions for the supposed sake of speed and security – browser users can run add-ons that filter and customize web content. Web applications that arrive as binary blobs will probably prove to be more resistant to meddling.
Four go wild for wasm: Corporate quartet come together to build safe WebAssembly sandboxREAD MORE
While some developers insist WebAssembly doesn't really change the viewability of web-oriented source code, most of those using WebAssembly at the moment appear to welcome greater inscrutability. A study published in June 2019 from researchers at Technische Universität Braunschweig (Braunschweig Institute of Technology) found "over 50 per cent of all sites using WebAssembly apply it for malicious deeds, such as [crypto] mining and obfuscation."
The researchers – Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck – say that while they only observed moderately sophisticated obfuscation in the wasm samples they viewed, they expect malicious code creators will get more creative, forcing security researchers to develop stronger WebAssembly evaluation mechanisms.
Our WebAssembly future brings with it a sense of déjà vu. ®
- AdBlock Plus
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Microsoft 365
- Microsoft Office
- Microsoft Teams
- Palo Alto Networks
- Software License
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Web Browser
- Zero trust