this post was submitted on 21 Jul 2023
927 points (100.0% liked)

Technology

37717 readers
418 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

The much maligned "Trusted Computing" idea requires that the party you are supposed to trust deserves to be trusted, and Google is DEFINITELY NOT worthy of being trusted, this is a naked power grab to destroy the open web for Google's ad profits no matter the consequences, this would put heavy surveillance in Google's hands, this would eliminate ad-blocking, this would break any and all accessibility features, this would obliterate any competing platform, this is very much opposed to what the web is.

you are viewing a single comment's thread
view the rest of the comments
[–] jarfil@beehaw.org 23 points 1 year ago* (last edited 1 year ago) (2 children)

This is part of a broader plan:

  1. Get hardware attestation, aka secure boot (DONE)
  2. Get software attestation, via app stores (DONE)
  3. Get web app attestation (this proposal)
  4. Compile all web apps to webassembly (upcoming)
  5. Create a provider-controlled environment on user-supplied devices (partially there)

Only basic extensions and ad blockers will work with compiled apps (Manifest V3 is part of that plan). Accessibility features will be as good as those of Flash.

What most are not liking, is the change in power dynamic on the WWW:

  • Before: "you give me some data and I'll decide what to do with it"

  • Upcoming: "we'll give you some data and you will do exactly as we tell you with it"

The time might be coming to create a "libre WWW", parallel to the "corporate WWW".

[–] Zeth0s@reddthat.com 9 points 1 year ago

Even more "we'll decide if you are worthy to get my data"

[–] ilmagico@beehaw.org 3 points 1 year ago (1 children)

I'm mostly in agreement but ... what's wrong with webassembly? that's just another way to compile webapps into, or parts of webapps, other than javascript. What am I missing?

[–] jarfil@beehaw.org 7 points 1 year ago (1 children)

"Compiled" is the key: a non-reversible operation that implies loss of syntactical and grammatical content. Meaning, it's harder to analyze, reason about, or modify. As the "assembly" part indicates, it's intended to be as hard to analyze, reason about, or modify, as possible.

First there was Java, then there was Flash, now there is Webassembly... all compiled to bytecode, all running in their VM, all intent on converting all apps everywhere, and to lock "proprietary" elements away from the prying eyes and hands of content blockers, analyzers, or even worse: control by end users.

Webassembly and attestation just go hand in hand to create a remote-controlled enclave on a user-owned device that will make it as hard as possible for the user to control.

Some may see it as an inherent exploitation of the user's resources (already used for cryptominer exploits), others as an attack vector that will be difficult to mitigate by design, others as an unnecessary duplication of the JVM.

[–] ilmagico@beehaw.org 4 points 1 year ago (1 children)

Look, I hate this proposal from Google as much as anyone else here, but let's stick to the facts.

As the "assembly" part indicates, it's intended to be as hard to analyze

The "assembly" is just a reference to machine instructions, a.k.a "assembly language".

Minified javascript, on the other hand, is made with the express purpose of obfuscation and as well, minimize load times, but mainly obfuscation in practice.

That's to say, you don't need webassembly to make it hard to reverse engineer. At least webassembly is a standard.

First there was Java, then there was Flash, now there is Webassembly

First, there were machine instruction, then people invented handy mnemonics for those and called "assembly language". Then there was C, then C++ (let's skip the basic, pascal, etc) and those weren't meant to be hard to analyze, they were and still are meant to be close to the machine, to be fast. Webassembly has similar goals. They can be relatively easily decompiled, just as much as webassembly I'm sure, unless they are purposefully obfuscated.

Just like native machine code and javascript, it can be decompiled/reverse engineered, and also obfuscated, but that's not its goal, not as stated nor in practice.

[–] jarfil@beehaw.org 6 points 1 year ago* (last edited 1 year ago)

You went a bit too far back, I was talking about compiled languages intended for the web.

There is nothing easy sbout decompiling native code, even before we start with jumps into the middle of instructions and polymorphic code. Reverse engineering obfuscated JavaScript is orders of magnitude easier than that, and most minified JavaScript isn't even obfuscated.

The only saving grace for Webassembly is that it requires keeping stuff in blocks, with if, then, else, etc. reasonably delimited, and (I think) it doesn't allow too many shenanigans with indirect calls. But stuff like br_table, doesn't make me particularly eager to tackle decoding what someone meant.