W3C Prepares Guidance For Web Development In A Post-Spectre World

  • W3C Prepares Guidance For Web Development In A Post-Spectre World

    Phoronix: W3C Prepares Guidance For Web Development In A Post-Spectre World

    An editor's draft for post-Spectre web development guidance was made available by the W3C...

    https://www.phoronix.com/scan.php?pa...e-Web-Guidance

  • #2
    With or without Spectre, this is my only assumption. Anything that runs in a specific address space can potentially compromise the entire address space. If you have sensitive data in the same address space as untrusted code, you are doing it wrong. And you were doing it wrong in the pre-Spectre world as well.
    Also the web is full of filth. It could be the only area related to computers where every design decision they made was the worst possible.


    • #3
      In a post-Spectre world, I caution people against disabling mitigations on any machine they use for web browsing.

      A lot of people seem to miss the point about it being able to penetrate VMs, and mistakenly believe that if they're not running VMs they have nothing to fear. But it's quite the opposite. The point of it being able to penetrate VMs is like a murderous criminal enterprise getting armor-piercing weapons and you saying that because you don't drive an armored vehicle, you're not concerned about it as a threat to your safety.


      • #4
        I am so happy that I have the NoScript web extension for Firefox. Maybe with the constantly increasing API surface of the web we need something like Project Gemini as an alternative to the HTML + HTTP with JavaScript based web.


        • #5
          I'm curious if WebAssembly will make things better or worse?


          • #6
            Originally posted by Volta
            I'm curious if WebAssembly will make things better or worse?
            How would it make things better? As long as you're executing untrusted code on your machine, it's a potential liability. And being lower-level, I think, would only increase its exploitability.


            • #7
              Originally posted by Volta
              I'm curious if WebAssembly will make things better or worse?
              Since it can't do anything that JavaScript can't do, it can't make things any better or worse. All it can do is speed up some things that can already be done with JavaScript.


              • #8
                Originally posted by coder
                How would it make things better? As long as you're executing untrusted code on your machine, it's a potential liability. And being lower-level, I think, would only increase its exploitability.
                It is not quite lower level, as wasm is a sandboxed virtual machine of sorts with its own artificial bytecode. So Spectre-wise, there is the same vector of attack - JIT-ed instructions, although wasm can be JIT-ed to a bigger extent.


                • #9
                  Originally posted by Volta
                  I'm curious if WebAssembly will make things better or worse?
                  Originally posted by piotrj3
                  It is not quite lower level, as wasm is a sandboxed virtual machine of sorts with its own artificial bytecode. So Spectre-wise, there is the same vector of attack - JIT-ed instructions, although wasm can be JIT-ed to a bigger extent.
                  Indeed, the main precaution that browser developers took for mitigating Spectre and that affected WebAssembly was disabling SharedArrayBuffer.

                  People were afraid of attacks with high-resolution timers in JavaScript that could read data in a SharedArrayBuffer from another site, like a home banking site.


                  • #10
                    Originally posted by uid313
                    I am so happy that I have the NoScript web extension for Firefox. Maybe with the constantly increasing API surface of the web we need something like Project Gemini as an alternative to the HTML + HTTP with JavaScript based web.
                    Project Gemini looks more like a renewed Gopher than a multi-role platform like the Web with HTML/JavaScript and extensions.

                    The Web will probably evolve toward more diverse and powerful functionality, like Java applets or Flash some time ago (WASM's new browser capabilities indicate this), rather than toward simple, well-defined, and organized protocols like Gopher and Gemini.
                    Last edited by juarezr; 11 March 2021, 11:18 AM.
