Google Engineers Argue For Linux "ASI" To Better Deal With Speculative Execution Attacks
Originally posted by carewolf
Before or after all the browsers added random noise to the JS accessible timers?
- Likes 2
Originally posted by lilunxm12
Or browser vendors could develop a deep refresh feature, restart the page in a new process and close the old one. Then we could use those existing tab refresher extensions.
If you are doing banking or performing some critical operations that use JavaScript, then refreshing would cause all these pages to be invalidated and potentially require you to start from scratch to refill information.
Providing an API so that some plugins can do it might be OK, but still the performance of this is going to be terrible.
Originally posted by lilunxm12
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
- Likes 1
Originally posted by NobodyXu
Even temporarily closing the tabs of untrusted websites might work.
But seriously though, I don't think a lot of people can do that.
Originally posted by lilunxm12
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
But seriously though, I don't think a lot of people can do that.
Doesn't a speculative attack require a very long time to actually extract information? Like a few bytes per second, and it needs quite a lot to decrypt anything meaningful?
If that's the case, maybe periodically restarting the browser is all we need as desktop users running random JS?
browsers had to impair js timers on purpose as a temporary measure to avoid js exploitation of spectre when it first came up... back then they intended to give js back the ability to use more precise timers, but since the vulnerabilities didn't stop popping up those degraded timers might still be in place...
...and then there is dev ingenuity, crafting ways to increase timer precision by joining several methods creatively, etc... so that was explicitly only a stopgap measure to buy OSs time to devise more proper mitigations
- Likes 1