From: Kernel User <linux-kernel@riseup.net>
To: linux-kernel@vger.kernel.org
Subject: CPU vulnerabilities and web JavaScript
Date: Sun, 8 Dec 2019 21:49:58 +0200 [thread overview]
Message-ID: <20191208214958.492988dd@localhost> (raw)
Hello kernel developers!
I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.
As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.
So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.
So what I do:
To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":
1. Close all open programs
2. Clean clipboard contents
3. Lock any open keyrings
4. Enable JS for the particular website only (one window, one tab,
incognito mode, all history/cache cleared beforehand)
5. Do what I need on the site as quickly as possible.
6. Close the browser
Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.
So my questions to the experts here are:
(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)
(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?
*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.
Sorry for the long message.
I really hope you could shed some light on the subject!
next reply other threads:[~2019-12-08 19:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-08 19:49 Kernel User [this message]
2019-12-09 8:44 ` CPU vulnerabilities and web JavaScript Kernel User
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191208214958.492988dd@localhost \
--to=linux-kernel@riseup.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox