Alex313031 / quark-player

An Electron based Web Video Services Player, supporting Netflix, Youtube, Twitch, Floatplane, Hulu and More!
https://thorium.rocks/quark-player/
MIT License

Disable WebAssembly and Webgl to avoid security or privacy threats #23

Closed: trimechee closed this issue 1 year ago

trimechee commented 1 year ago

Hello, I use Quark Player to watch videos, so I don't need WebAssembly and WebGL, which can pose a threat to security or privacy, or slow down browsing and consume battery power, and WebAssembly can be used for crypto mining jacking... I even disable WebAssembly and WebGL on classic web browsers because I don't install web apps and I don't use 3D, so my browsing is more fluid and faster. It would be great to add an option to disable WebAssembly and WebGL. Thank you very much!

https://github.com/stevespringett/disable-webassembly

"Based on the above facts, here are some potential threats in using browsers that support WebAssembly:

- Static code analysis becomes increasingly difficult as source code may not be available
- Sandboxing is prone to breakouts and effectiveness varies largely by implementation. Adobe Flash is an example of a technology that was sandboxed after a series of exploits, yet exploits and breakouts still occurred.
- Transmitting a binary executable format over an insecure channel is susceptible to man-in-the-middle attack.
- Code signing, the process of verifying software has not been tampered with, is not currently possible with WASM. WASM is selling itself as the ability to run desktop-like applications in the browser, yet the operating systems it supports all have code signing requirements for installed software. Allowing random drive-by software to execute unsigned seems to be a 'feature' of WebAssembly.
- WebAssembly assumes that 'safe applications' can be derived from language subsets and a few rules to prevent specific type of behavior. This is similar to blacklisting in the security world, a technique that rarely works. The specification omits the possibility of misuse cases from their security dialog. Exploits can occur in 'safe applications' simply by using the application in a way it wasn't designed to run. Since static code analysis is not currently possible, automatically identifying potential performance, insider-threats, security, and misuse cases is not possible.

The WebAssembly specification does not address any of the above threats. Therefore, I have disabled WASM on my personal browsers and have discounted use of browsers that do not allow WASM to be disabled. To be fair, many of the threats above also apply to JavaScript, which can be statically analyzed or outright disabled."

Alex313031 commented 1 year ago

@trimechee I can't disable these, because many of the streaming sites (and websites in general) use WebAssembly and WebGL to work correctly. WebGL does not have any privacy or security threats above the baseline.

While WebAssembly can be used maliciously, it is used on most streaming sites.

trimechee commented 1 year ago

Ahh, I understand, thank you!

Just to specify that I disabled WebAssembly and WebGL on the browser I use to watch streaming sites and even to check my Gmail and surf on Twitter and Facebook, and I didn't notice anything weird, everything works perfectly... WebGL seems to have a privacy issue:

https://browserleaks.com/webgl

WebGL is a JavaScript API used to render 3D graphics within a web browser by utilizing the device's GPU. This makes it possible for websites to gather detailed information about a user's graphics card, which can be used to create a unique browser fingerprint.
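For reference, an added sketch of how an Electron app could expose the opt-in setting requested in this issue; it is not code from Quark Player or from either commenter. The names `applyHardening`, `mergeJsFlags`, `featureReport` and the `disableWasm`/`disableWebgl` settings keys are hypothetical; `webPreferences.webgl`, `app.commandLine` and the V8 flag `--noexpose_wasm` are existing Electron/V8 features.

```javascript
// Added example: hypothetical helper names, not Quark Player's own code.
const WASM_OFF_FLAG = '--noexpose_wasm'; // V8 flag: do not expose the WebAssembly global

// Merge a V8 flag into an existing --js-flags value, so flags that are
// already set are kept and the new flag is not duplicated.
function mergeJsFlags(existing, flag) {
  const flags = (existing || '').split(/\s+/).filter(Boolean);
  if (!flags.includes(flag)) flags.push(flag);
  return flags.join(' ');
}

// settings: { disableWasm, disableWebgl } are hypothetical user options,
// both off by default because sites may depend on these features.
// app: Electron's `app` object, passed in so this runs without Electron in tests.
// Call this before the app 'ready' event so the switch reaches the renderers.
function applyHardening(app, settings, windowOptions = {}) {
  if (settings.disableWasm) {
    const current = app.commandLine.getSwitchValue('js-flags');
    app.commandLine.appendSwitch('js-flags', mergeJsFlags(current, WASM_OFF_FLAG));
  }
  const webPreferences = { ...(windowOptions.webPreferences || {}) };
  if (settings.disableWebgl) webPreferences.webgl = false; // per-window setting
  return { ...windowOptions, webPreferences };
}

// Renderer-side check (preload script or DevTools) that the settings took effect:
// WebGL contexts come back null and the WebAssembly global is absent.
function featureReport(globalObj, doc) {
  const canvas = doc.createElement('canvas');
  return {
    wasm: typeof globalObj.WebAssembly === 'object',
    webgl: Boolean(canvas.getContext('webgl') || canvas.getContext('webgl2')),
  };
}

// Usage in the Electron main process:
//   const { app, BrowserWindow } = require('electron');
//   const opts = applyHardening(app, { disableWasm: true, disableWebgl: true }, { width: 1024 });
//   app.whenReady().then(() => new BrowserWindow(opts));
```

The `js-flags` switch applies to the whole app, while `webgl: false` is set per window, so WebGL can stay enabled for individual windows that need it.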