Ask Slashdot: Does WebAssembly Increase Your Web Browser's Attack Surface?

Steve Springett is a conscientious senior security architect. And in 2018, he published an essay on GitHub arguing that from a security engineer's perspective, WebAssembly "increases the attack surface of any browser that supports it." Springett wrote that WebAssembly modules are sent in (unsigned) binary format - without a transport-layer security mechanism - and rely on browser sandboxing for safety. But the binary format makes it harder to analyze the code, while sandboxing "is prone to breakouts and effectiveness varies largely by implementation. Adobe Flash is an example of a technology that was sandboxed after a series of exploits, yet exploits and breakouts still occurred." Springett even went so far as to offer the commands for switching off WebAssembly in your browser. Now Tablizer (Slashdot reader #95,088) wants to know what other Slashdot readers think of Spingett's security concrens around WebAssembly. And also offers this suggestion to browser makers:Browsers should have a way to easily disable WebAssembly - including whitelisting. For example, if you need it for specific gaming site, you can whitelist just that site and not have WASM exposed for other sites.

Read more of this story at Slashdot.