Should Basilisk Disable WebAssembly By Default

Board for discussions around the Basilisk web browser.

Moderator: Basilisk-Dev

Should we disable WebAssembly by default?

Yes: 3 votes (19%)
No: 13 votes (81%)

Total votes: 16

Basilisk-Dev
Lunatic
Posts: 323
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets

Should Basilisk Disable WebAssembly By Default

Post by Basilisk-Dev » 2023-08-03, 22:00

I've been doing a lot of research lately into WebAssembly, specifically in regards to its use as a potential attack vector.

I've found a significant number of sites, both general news sites and cybersecurity sites, which say that WebAssembly is commonly abused for malicious purposes. Several of these news sources reported that over 50% of all sites using WebAssembly use it for a malicious purpose.

Personally I am in support of disabling it, but I don't want to disable it without asking people here first. While I think that browsers should cater to the least common denominator (non-technical users), at the same time I'd say it's safe to assume that most users of Pale Moon and Basilisk probably do not fall into this category. One thing I would do to cater to those non-technical users is add a toggle in the browser settings to enable/disable WebAssembly so users don't have to go to about:config to toggle it.

What are your thoughts? Should I set Basilisk to disable it by default?

Below are some links discussing the security implications of leaving WebAssembly enabled:
* https://www.crowdstrike.com/blog/ecrimi ... e-malware/
* https://www.zdnet.com/article/half-of-t ... -purposes/
* https://thehackernews.com/2022/07/hacke ... embly.html
* https://iamroot.blog/2020/06/29/webasse ... ystem.html
* https://it.slashdot.org/story/20/01/08/ ... s-purposes
Basilisk Project Owner

viewtopic.php?f=61&p=230756

suzyne
Lunatic
Posts: 364
Joined: 2023-06-28, 22:43
Location: Australia

Re: Should Basilisk Disable WebAssembly By Default

Post by suzyne » 2023-08-03, 22:34

I found this comment on Slashdot interesting. If it is an accurate assessment of the security risk, it makes me wonder what all the fuss is about in the other articles?
Web Assembly is exactly as malicious as Javascript on the same website. It runs with the same privilege and it is capable of the same things. The only difference is WASM is slightly faster (since it is precompiled and closer to machine instructions), and slightly harder to disassemble. That's it.

If people find themselves victim of malicious content, then maybe they shouldn't be visiting the websites that were hosting it. Chances are they've always been victim of malicious content on those sites and just didn't know it.
Laptop 1: Windows 10 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Should Basilisk Disable WebAssembly By Default

Post by Moonchild » 2023-08-03, 22:38

It's only as much of a security risk as any black-box code is that you allow to run (including obfuscated JS). It's just abused more readily because it's fairly easy to use transpilers to transpile other languages to WASM - but effectively it's just pseudocode with a feature set akin to asm.js (a limited subset of JS).

The Slashdot comment is right on the money.

PS: quite a few captchas/botchecks will attempt to toss in WASM as one check to see if it's a full-fledged browser or some limited bot client/script that won't be able to handle it -- disabling WASM might cause a lot of impact for the user in that scenario, getting blocked by WASM checks failing.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
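
An added example, not part of any post in this thread: a feature probe of the kind the post above says bot checks run, useful for seeing what a site's check observes with WebAssembly off. The function name `probeWasm`, the 41-byte test module and the simulation of a disabled engine by passing a scope without a `WebAssembly` global are all assumptions of this example.

```javascript
// Constructed sample: minimal module exporting add(i32, i32) -> i32.
const ADD_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,       // type section
  0x03, 0x02, 0x01, 0x00,                                     // function section
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,       // export "add"
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b // code section
]);

// Probe a scope (the real global by default) for working WebAssembly.
// Returns { supported, reason } so a caller can degrade gracefully
// instead of hard-blocking a browser that has the feature toggled off.
function probeWasm(scope = globalThis) {
  const wasm = scope.WebAssembly;
  if (typeof wasm !== "object" || wasm === null) {
    return { supported: false, reason: "WebAssembly global missing" };
  }
  try {
    if (!wasm.validate(ADD_MODULE)) {
      return { supported: false, reason: "module rejected" };
    }
    // Synchronous compile is fine for a module this small.
    const instance = new wasm.Instance(new wasm.Module(ADD_MODULE));
    const ok = instance.exports.add(2, 3) === 5;
    return { supported: ok, reason: ok ? "ok" : "wrong result" };
  } catch (err) {
    return { supported: false, reason: "instantiation failed: " + err.name };
  }
}

console.log("native engine:", probeWasm());
console.log("simulated disabled engine:", probeWasm({}));
```
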

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Re: Should Basilisk Disable WebAssembly By Default

Post by moonbat » 2023-08-03, 23:16

I would say don't ever go down the path of mollycoddling users to protect them from themselves. If WASM is used as a gatekeeping function as Moonchild says, it will create more problems than it fixes. Users need to be responsible for the sites they visit. You are doing everyone a great favor by building this browser for them in your spare time as it is; it isn't a well-funded corporate product (neither is PM), not that those bother to listen to user feedback.

A well-configured adblocker is a prerequisite on the modern web and will suffice to block malicious sites (combined with sane surfing habits). As you said, users of UXP browsers tend to be somewhat more experienced than the masses and can make an informed decision on their own over toggling the feature.

By all means add an option in the UI to make it easier to use; but understanding what it does is the user's job before meddling with it.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

frostknight
Fanatic
Posts: 209
Joined: 2022-08-10, 02:25

Re: Should Basilisk Disable WebAssembly By Default

Post by frostknight » 2023-08-06, 21:26

Having an option to disable WebAssembly does sound like it's sufficient, if it's a risk.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
Also, say NO to Fascism and Corporatism as much as possible!

Blacklab
Board Warrior
Posts: 1081
Joined: 2012-06-08, 12:14

Re: Should Basilisk Disable WebAssembly By Default

Post by Blacklab » 2023-08-07, 14:51

Another link... MDN's 'WebAssembly' documentation dated 31May23: https://developer.mozilla.org/en-US/docs/WebAssembly

Moonchild
Pale Moon guru
Posts: 35651
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Should Basilisk Disable WebAssembly By Default

Post by Moonchild » 2023-08-09, 01:18

Blacklab wrote:
2023-08-07, 14:51
MDN's 'WebAssembly' documentation dated 31May23
Forewarning: this has an introduction/summary written that reads like a marketing push post. Read with a grain of salt.
The "near native" speed touted is the same as any JIT-compiled JavaScript and is not new to WASM. The same speed can be achieved with asm.js; only the loading will be slightly faster as it's bytecode.

Basilisk-Dev
Lunatic
Posts: 323
Joined: 2022-03-23, 16:41
Location: Chamber of Secrets

Re: Should Basilisk Disable WebAssembly By Default

Post by Basilisk-Dev » 2023-08-16, 15:05

It sounds like there is overwhelming consensus that Basilisk should not disable WebAssembly by default. We will not be disabling WebAssembly by default for the foreseeable future unless there is some drastic reason to do so. Thanks to everyone who voted and participated in the discussion.