1. 57
    1. 32

      How many of the websites using JS use it for malicious purposes, I wonder?

      1. 17

        Essentially all of them, arguably. Most also use it for harmless/positive purposes.

    2. 17

      I’m waiting for the day someone ports a layout engine to wasm and renders to canvas. So much for content blocking.

      1. 4

        Like Qt or others? https://doc.qt.io/qt-5/wasm.html

        I remember a fork of SproutCore that would ditch all that HTML stuff and just render directly to canvas.

      2. 3

        Not to WASM, but…

        Atlantis: Robust, Extensible Execution Environments for Web Applications

        Today’s web applications run inside a complex browser environment that is buggy, ill-specified, and implemented in different ways by different browsers. Thus, web applications that desire robustness must use a variety of conditional code paths and ugly hacks to deal with the vagaries of their runtime. Our new exokernel browser, called Atlantis, solves this problem by providing pages with an extensible execution environment. Atlantis defines a narrow API for basic services like collecting user input, exchanging network data, and rendering images. By composing these primitives, web pages can define custom, high-level execution environments. Thus, an application which does not want a dependence on Atlantis’ predefined web stack can selectively redefine components of that stack, or define markup formats and scripting languages that look nothing like the current browser runtime. Unlike prior microkernel browsers like OP, and unlike compile-to-JavaScript frameworks like GWT, Atlantis is the first browsing system to truly minimize a web page’s dependence on black box browser code. This makes it much easier to develop robust, secure web applications.

        1. 2

          I collect stuff like OP architecture. Missed this. Thanks for the link!

      3. 1

        We have TeX in WASM already. ;)


    3. 17

      That’s why I think browsers shouldn’t have Turing complete languages.

      1. 9

        It’s really useful to have a way to trivially distribute rich applications over a network and have them run in a sandboxed environment. Unfortunately, the browser is what has evolved into that. Not gonna change unless someone invents something better.

      2. 5

        This. A million times this. But Pandora’s box has been opened and there’s no turning back, I’m afraid.

        1. 2

          There’s still uMatrix; you can use it to disable scripts by default and enable them only on selected websites.

          1. 4

            I use it, but many sites don’t work without enabling lots of external scripts, as I’m sure you’re aware.

    4. 6

      Original paper here. Unfortunately it appears that the naysayers may have had a point.

      1. 16

        Eh, all the paper really says is that wasm enables mining and it’s being used for that. Which isn’t surprising.

        The numbers are quite small and presumably the browsers will fight mining scripts.

        If you were to do an analysis of JS scripts used, you would also find a bunch of malicious stuff.

        I contend that the prevalence of malicious code is more to do with societal/structural issues than technical issues.

        1. 2

          > presumably the browsers will fight mining scripts

          Should they? I mean, in the form of a compromised site serving a script for mining for a malicious party, obviously it’s bad. But I’ve always liked the idea of exchanging computing resources for content rather than ads. I don’t know if the economics could work out long term (I kind of suspect not), but especially on a desktop machine I’d much rather lend some fraction of my CPU or GPU to a content provider to yield value for them directly rather than do basically the same thing to look at some obnoxious advertisement that’s eating up resources anyway and lining the pockets of an ad broker which isn’t really adding value.

          1. 7

            I think browsers will prevent pages from consuming excessive compute resources without users’ opting in. This is already done to some extent in Firefox.

            If the premise was exactly “ad server js compute” or equivalent “mining compute”, then I’m not sure what I’d prefer. All cryptocurrencies I know of are terrible for the environment and I don’t want to be doing any work for that. I’d much rather just pay for things I like. That offers a much better watts per dollar proposition (and browsers and payment providers could support this better).

    5. 6

      I’d like to see the same study done for websites that use JavaScript.

    6. 4

      Luckily the main CPU-mineable cryptocurrency, Monero, has switched to a new proof-of-work algorithm that requires a JIT and lots of memory to run fast, so web mining is mostly dead now.

      1. 4

        Web-mining for Monero might be dead, you mean. Mining will continue to happen for existing and new cryptocurrencies so long as mining on others’ computers might make money.

        1. 2

          I think that any hashcash PoW that runs well in WebAssembly (in its current state) is susceptible to being run on FPGAs and ASICs that will quickly make CPU mining obsolete.

          1. 3

            What you’re missing is the primary motivation to run it in JS or WA: it’s on other people’s machines and electric bill. Unlike FPGAs and ASICs, they make money without paying for hardware.

    7. 5

      Is a lightweight wasm miner on a website really any worse than surveillance capitalism advertisements and supercookies? If websites had an opt-in, turn off all trackers for the same amount of CPU resources used on a wasm miner, I’d use it every time.

      1. 9

        Yes, but I feel this is missing the woods for a particular tree, as you can’t really block arbitrary wasm components.

        1. 3

          Can you block arbitrary JavaScript components?

          1. 7

            You can block JS, and block loading certain scripts. You can block and remove elements that make tracking easier like pixels and canvases and iframes and more. Just look at browser extensions like uMatrix or NoScript.

      2. 2

        One of the reasons I turn JS off is to reduce wear and tear on my machines. I had my last laptop for 8 years. It ran quickly on about everything except some web applications. I’m not sure if lots of crypto mining will burn out my current CPU more quickly. I’d rather it not happen in the background just in case.

        Also, some principle about how, if they’re making money with my hardware, then I should get a cut of it or I block it. Something like that.

      3. 1

        > surveillance capitalism advertisements

        Surveillance what now?

        1. 5

          Cynical answer: Venture-capital funded Stasi.

          More descriptive: Selling and hoarding of people’s private lives for the purposes of making money off of it, for example, advertising.