Hacker News

Why obfuscate JS when there is WASM?



Business people demand it to protect intellectual property without realizing the ease of reversing it / wanting to say they're doing something to protect IP that their own superior will not realize doesn't help. It is making the best of an impossible situation, the paradox of sending your code to every single customer for them to run it while also wishing nobody could see it.

The more aggressive they make patent law the less useful it seems to become for protecting any actual investment, so here we are, clinging to wooden totems...


With how mediocre most developers today are, obfuscation is enough.


Can't tell if you mean they can't deobfuscate, or that their code isn't worth the effort of deobfuscating.


Probably both


Too mediocre to type "deobfuscate" into Google? The first result is a deobfuscator.

https://deobfuscate.io/


Too mediocre to read deobfuscated JavaScript, yes. Many such cases.


It's a supply and demand thing.

If you publish your code on github, it's more likely to be compromised than if it's just in the webapp, very well obfuscated.

A sufficiently motivated actor will break it, and frankly break almost anything else, so it's a game of probabilities, etc.

Obfuscation probably does make sense so long as it's not obviously getting in the way of dev, and with the key understanding that 'it can be broken'.

Physical security at most companies can be thwarted with enough effort, it doesn't mean we don't do it.


You can use a wasm disassembler (like https://github.com/JoseFMP/wasm-disassembler) as a starting point to understand what’s happening. It would be much harder if it was obfuscated on top of that.


Why WASM when you can create a full VM with its own custom bytecode implementation, complete with nonsense instructions, and compile to that?


An incredibly cool example of this is the newest iteration of the HIVE malware which does exactly that. They build a custom VM via RCE in a buggy image format parser which allowed them to execute custom code on an iOS device.


This is already what (a lot of) Lua obfuscators do for game cheats, since Lua has a reference implementation that generates bytecode, that can be easily modified to generate the most awful, encrypted, obfuscated mess ever.


This is how ReCaptcha is implemented, right?



