CPU Security Flaws MELTDOWN and SPECTRE

[Malo]

Is that statement was what people talks as whataboutism or moving a goalpost or false equivalence?

Yes pretty much. It was an absurdity just meant to highlight that you generally want more security, not less.

 

[pcchen]

Can't you limit or quota CPU usage for Javascript, thus making the timing attacks impossible? No normal website is going to need consecutive Minutes of 100% CPU load Javascript execution. Or only use the mitigation protections for the Javascript VM engine or go slightly larger and use the protections for the entire browser process.

It's a reasonable solution for desktop computers, but for mobile devices, slowing down Javascript could mean shorter battery life, and that's a problem for current mobile usage pattern (many apps also depends on Javascript engines).
Ideally this should no longer be a problem once newer MELTDOWN/SPECTRE-proof hardware are out. Of course, it's entirely possible that some newer side channel attacks will be discovered on those future devices.
Maybe eventually we'll have physically separated compartmentalization. As transistors getting even denser and power envelope becoming the major performance limiter, it might be cheap enough to have completely separate CPU cores designated for running different processes, thus reducing the possibilities of data leak through side channels.

 

[Rootax]

Didn't Chrome implanted a software mitigation for this ? Granted it does nothing for the virtualisation environment, but for the end user just browsing...

 

[swaaye]

https://www.ghacks.net/2019/02/07/firefoxs-project-fission-better-security-and-more-processes/
https://developers.google.com/web/updates/2018/02/meltdown-spectre

 

[Silent_Buddha]

Hell, while it isn't for most people, I just disable JavaScript on my general browser (which is in a VM) and only enable it on a per site per usage scenario limited to 15-30 minutes at a time after which JavaScript is disabled for that site again.

For my work browser that only goes to trusted sites, I still have JavaScript enabled, however. So there is a small chance that something could potentially slip through there.

Hence, while I'm tempted at times to disable some of these security patches, I don't ever seriously consider it. After having gone through Code Red back at the turn of the century, I don't want to have to go through anything remotely similar again. IE - I take security a lot more seriously now.

I really miss the ability from Internet Explorer of being able to set separate levels based on what security zone a site is in.

Regards,
SB

 

[orangpelupa]

I just glad windows still allows the mitigations to be disabled. The performance hit was too much for my tablet

Hopefully MS won't make it mandatory, ever

 

[Malo]

I just glad windows still allows the mitigations to be disabled. The performance hit was too much for my tablet

Hopefully MS won't make it mandatory, ever

Your tablet will be the catalyst for Skynet

 

[Silent_Buddha]

Your tablet will be the catalyst for Catnet

Fixed it for you. Self aware robotic cats incoming.

Ter-mew-nators?

Regards,
SB

 

[Gubbi]

For my work browser that only goes to trusted sites, I still have JavaScript enabled, however. So there is a small chance that something could potentially slip through there.

Any ad is a risk, and considering how modern JS apps are developed with thousands of external npm dependencies, - very few of which are vetted, there is a non-zero risk when using JS on trusted sites as well.

IMO, running without full mitigations is insane.

Cheers

 

[BRiT]

It's only insane if the server actively runs any web browser(s) against internet content. None of my servers do, so no need for those mitigations.