I am very curious how effective obfuscation would be in a WASM binary. For example, could it be possible to create a client-side auth system (yeah, I know it's triggering)? Can you realistically decompile it? Have you done it? I guess I'm saying: is WASM a place to hide?
Top comments (8)
Both awesome Bens, I agree with you both. It's just that I had this idea yesterday: because of what I do, working with IAM and also UI, I wondered if the next identity access management software could run at the (trendy word alert) 'edge' client, but I think we all know that's a terrifying idea 💡. I do want to know, though: is it possible to securely do this? I was thinking about WASM as a sort of container, I guess.
Just use a Cloudflare Worker: you have 100K requests free per month and it enables you to process data within JavaScript code... I used it to bypass the need to hide a key for the DeepAI.org services within pixa.pics/ and it's... FINE!
What the heck is this? It sounds like it's worth a read 😁
Yeah, the author may want to hide API keys on the client side, but that is technically not recommended. Instead (and I misstated the numbers), you can bypass CORS and hide API keys in workers on Cloudflare & co. with 100K requests a day.
Sounds a lot like an AWS Lambda function?
Effectively
I'd say don't use obfuscation for anything.
Anything obfuscated can be de-obfuscated, so it's not providing any security, but it is making the web - which is supposed to be open and readable - into a worse place.
Given a WASM blob, you can produce a human-readable WAT file with wabt. It certainly adds a step for any malicious actor looking for secrets, but I agree with other-Ben - this doesn't really add meaningful security to sensitive information over other obfuscation techniques, and while it touches on a philosophical point rather than technical, I'm also a fan of "open web" as an ideal. If you need to hide something, don't send it to the client.
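The point made in the comment above, shown as an added example that is not part of the original thread: a value compiled into a WASM module sits in its data section and can be read back with a few lines of parsing, no decompiler needed. The module, the key string and all function names here are constructed for illustration.

```python
MAGIC = b"\x00asm\x01\x00\x00\x00"  # WASM magic number + version 1

def leb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def build_module(secret):
    """Constructed sample: one memory section and one active data segment.
    Assumes a short secret so every length fits in a single LEB128 byte."""
    seg = b"\x01\x00\x41\x00\x0b" + bytes([len(secret)]) + secret
    return MAGIC + b"\x05\x03\x01\x00\x01" + b"\x0b" + bytes([len(seg)]) + seg

def parse_data(body):
    """Parse a data section body into a list of segment payloads."""
    count, pos = leb128(body, 0)
    out = []
    for _ in range(count):
        flag, pos = leb128(body, pos)
        if flag == 2:                       # active segment, explicit memory index
            _, pos = leb128(body, pos)
        if flag in (0, 2):                  # offset expr: opcode, LEB immediate, end
            _, pos = leb128(body, pos + 1)  # assumes i32.const or global.get
            pos += 1
        length, pos = leb128(body, pos)
        out.append(body[pos:pos + length])
        pos += length
    return out

def data_segments(wasm):
    """Return the raw bytes of every data segment (section id 11)."""
    if wasm[:8] != MAGIC:
        raise ValueError("not a WASM v1 binary")
    pos, found = 8, []
    while pos < len(wasm):
        sec_id = wasm[pos]
        size, pos = leb128(wasm, pos + 1)
        if sec_id == 11:
            found += parse_data(wasm[pos:pos + size])
        pos += size
    return found
```

Running `data_segments` over a build artifact before release is a quick check that no key or credential was compiled into what ships to the client.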