How is this at all different than now?

msandford · on Jan 11, 2016

Right now most javascript is readable-ish and if you see something totally unreadable, that's a good indication it's probably malware.

Once you have machine code that's not terribly human readable it gets a lot easier to hide things.

untog · on Jan 11, 2016

if you see something totally unreadable, that's a good indication it's probably malware.

That's definitely not true. Minified JS is everywhere.

moron4hire · on Jan 11, 2016

I take it you don't know what a minifier is or how it can save upwards of 50% of your payload size.

msandford · on Jan 11, 2016

I absolutely do, but thanks for being condescending nonetheless.

Read C source. Then go read the machine code that C compiles into. I assure you that the C is far, far more readable even if you've HEAVILY obfuscated it.

In order to better understand this, I present you with a StackOverflow answer: http://stackoverflow.com/a/331474

This:

int get_int(int c);

int main(void) {

    int a = 1, b = 2;

    return getCode(a) + b;

}

Might yield this:

00000000 <main>:

int get_int(int c);

int main(void) { /* here, the prologue creates the frame for main /

   0:   8d 4c 24 04             lea    0x4(%esp),%ecx

   4:   83 e4 f0                and    $0xfffffff0,%esp

   7:   ff 71 fc                pushl  -0x4(%ecx)

   a:   55                      push   %ebp

   b:   89 e5                   mov    %esp,%ebp

   d:   51                      push   %ecx

   e:   83 ec 14                sub    $0x14,%esp

    int a = 1, b = 2; /* setting up space for locals */

  11:   c7 45 f4 01 00 00 00    movl   $0x1,-0xc(%ebp)

  18:   c7 45 f8 02 00 00 00    movl   $0x2,-0x8(%ebp)

    return getCode(a) + b;

  1f:   8b 45 f4                mov    -0xc(%ebp),%eax

  22:   89 04 24                mov    %eax,(%esp)

  25:   e8 fc ff ff ff          call   26 <main+0x26>

  2a:   03 45 f8                add    -0x8(%ebp),%eax

} / the epilogue runs, returning to the previous frame */ 2d: 83 c4 14 add $0x14,%esp

  30:   59                      pop    %ecx

  31:   5d                      pop    %ebp

  32:   8d 61 fc                lea    -0x4(%ecx),%esp

  35:   c3                      ret

I don't know why people find this notion that web assembly probably will make it easier to hide nefarious payloads so offensive. It's demonstrably true! People find out about open source projects "calling home" much, much faster than they do closed source projects.

Go look at the spec. It's at a much lower level of abstraction than JavaScript is. https://github.com/WebAssembly/design/blob/master/AstSemanti...

Semiapies · on Jan 11, 2016

There's no real size difference if you gzip it at the webserver.

moron4hire · on Jan 11, 2016

That is incorrect. Theoretically, it should be true, but in practice it is not. You get the most savings by minifying and gzipping.

Semiapies · on Jan 12, 2016

In practice, the difference has been negligible, and I've seen it be entirely absent. Chasing small fractions of a percent of total CSS file size is a waste of time and effort.

wtetzner · on Jan 11, 2016

This is already true for plenty of "compile-to-javascript" languages. The textual format of wasm should be as easy to read as the output of those languages, if not easier.