DEV Community

Adam Crockett πŸŒ€
Adam Crockett πŸŒ€

Posted on

Obfuscate client side with WASM

I am very curious how effective obfuscation would be in a WASM binary, for example could it be possible to create a client side Auth system (yeah I know it's triggering), but can you realistically decompile, have you done it, I guess I'm saying is WASM a place to hide?

Top comments (8)

Collapse
 
adam_cyclones profile image
Adam Crockett πŸŒ€

Both awesome Ben's I agree with you both. It's just I had this idea yesterday, because of what I do, working with IAM and also UI, I wondered if the next identity access management software could run at the (trendy word alert) 'edge' client but I think we all know that's a terrifying idea πŸ’‘, but I do want to know, is it possible to securely do this. I was thinking about WASM as a sort of container I guess.

Collapse
 
vipert profile image
ViperT

Just use cloudflare worker you have 100K requests free per month and it enables you to process data within JavaScript code... I used it to bypass the need to hide a key into the DeepAI.org services within pixa.pics/ and it's... FINE!

Collapse
 
adam_cyclones profile image
Adam Crockett πŸŒ€

What the heck is this it sounds like it's worth a read about 😁

Collapse
 
vipert profile image
ViperT • Edited

Yeah the author may want to hide API keys in the client side, but that is technically not recommended, instead and I mislead the numbers, you can bypass CORS+ HIDE API KEYS in workers on CLOUDFLARES&CO with 100K request a day

Thread Thread
 
adam_cyclones profile image
Adam Crockett πŸŒ€

Sounds a lot like a AWS lambda function?

Thread Thread
 
vipert profile image
ViperT

Effectively

Collapse
 
moopet profile image
Ben Sinclair

I'd say don't use obfuscation for anything.
Anything obfuscated can be de-obfuscated, so it's not providing any security, but it is making the web - which is supposed to be open and readable - into a worse place.

Collapse
 
deciduously profile image
Ben Lovy

Given a WASM blob, you can produce a human-readable WAT file with wabt. It certainly adds a step for any malicious actor looking for secrets, but I agree with other-Ben - this doesn't really add meaningful security to sensitive information over other obfuscation techniques, and while it touches on a philosophical point rather than technical, I'm also a fan of "open web" as an ideal. If you need to hide something, don't send it to the client.