From: Kernel User <linux-kernel@riseup.net>
To: linux-kernel@vger.kernel.org
Subject: CPU vulnerabilities and web JavaScript
Date: Sun, 8 Dec 2019 21:49:58 +0200
Message-ID: <20191208214958.492988dd@localhost>

Hello kernel developers!

I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.

As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.

So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.

So what I do:

To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":

1. Close all open programs
2. Clean clipboard contents
3. Lock any open keyrings
4. Enable JS for the particular website only (one window, one tab,
   incognito mode, all history/cache cleared beforehand)
5. Do what I need on the site as quickly as possible.
6. Close the browser

Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.

So my questions to the experts here are:

(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)

(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?

*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.

Sorry for the long message.
I really hope you could shed some light on the subject!