Google Publishes "Leaky.Page" Showing Spectre In Action Within Web Browsers


  • #21
    Originally posted by numacross

    And the performance penalty for it is?


    From my point of view the system seems as responsive as ever.



    • #22
      Originally posted by kozman

      Well, it might be a stretch to say this but one of two things must be true based on this leaky.page thing: 1) the above showing these are mitigated is bullshit in reality or 2) Google showing PoC *only* in Chrome is bullshit/smoke and mirrors. Why doesn't this repro in other browsers? It should if the PoC is coded correctly, no? Either way, I call bullshit on this PoC. Repro on other browsers or GTFO.

      Thank you for dismissing one of the most advanced attacks ever made, being ported to one of the most secure browsers using seccomp() and heavy sandboxing simply because it hasn't been ported to other browsers.

      The papers are there. The code is there. The memory leak is there. What more do you want? For it to work on the moon rover?

      Point out the flaws in the logic of leaky.page instead of "calling it bullshit" without any proof backing you.
      Last edited by kvuj; 12 March 2021, 04:30 PM.



      • #23
        Something else will turn up to get worried about, I wouldn't be an Exchange admin for all the tea (or data) in China right now.



        • #24
          Well, guess I now have to go out and buy all brand new CPUs and motherboards due to all these exploits and software further slowing my one year old computer!



          • #25
            Are people still buying defective Intel CPUs?



            • #26
              Originally posted by xfcemint

              From my point of view, all current high-performance CPUs are defective except Cortex-A53 and Cortex-A55, but those two are not really high-performance. Intel CPUs are just the worst ones.
              Intel and Apple.



              • #27
                Originally posted by microcode
                Yup, that's terrifying. Don't run untrusted code in your browser even if you think you have a sandbox.

                Define trusted code. Today 99.999% of people are viewing sites running 3rd party code from publishers they aren't even aware exist. The so-called trust indicator in their location bar only tells them that sites have valid certificates, not that the sites are in any way shape or form trustworthy. The vast majority of site administrators have no formal security training, and even those who do are mostly clueless re Spectre. Even those who understand Spectre are mostly under the false impression that Google's process-per-tab "security" will protect them and/or their users. This is utterly false. Chrome doesn't actually isolate all domains in different processes. It doesn't even isolate tabs in different processes. This is because modern sites typically pull resources from 60+ domains and then 40 tabs would have Chrome managing over 1000 processes. And if they were to isolate them per Extension as well... that would be over 10,000 processes for a typical user. So Chrome simply doesn't do that level of isolation. They are giving everyone a false impression of security which does not exist.

                The only sane thing when browsing is to assume everything is untrusted, because in reality the only site you can trust is one you have authored yourself.

                Run your browser in a virtual machine like QEMU or VirtualBox. Run security-sensitive sites with Adblock and Scriptsafe, only allow the bare minimum script sources that you need to make the site work, report unwanted / untrusted scripts to the site owner. My bank for example invites 14 3rd party script hosts to my banking login page. Any one of them can snoop my credentials. Scriptsafe will make it very plain to you where 3rd party scripts are in use.
                Last edited by linuxgeex; 12 March 2021, 07:39 PM.
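
An added example, not part of linuxgeex's post or of any tool named in the thread: a static audit that lists which hosts other than the page's own serve scripts to a page, which is the count the post gives for a banking login page. The page URL, HTML and host names are constructed placeholders, and treating "third party" as "different hostname" is an assumption of this sketch.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collects the src of every <script> tag, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sources = []  # absolute URLs of external scripts

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # urljoin resolves relative and protocol-relative (//host/x.js) URLs.
            self.sources.append(urljoin(self.page_url, src.strip()))


def third_party_script_hosts(page_url, html):
    """Return {host: [script URLs]} for scripts served from a host other than the page's.

    Assumption: "third party" means a different hostname, so a sibling
    subdomain of the site is reported as well. Inline scripts are ignored.
    """
    page_host = urlsplit(page_url).hostname
    collector = ScriptSourceCollector(page_url)
    collector.feed(html)
    by_host = defaultdict(list)
    for url in collector.sources:
        host = urlsplit(url).hostname
        if host and host != page_host:
            by_host[host].append(url)
    return dict(by_host)


# Constructed sample page; every host name here is a placeholder.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://analytics.example.org/t.js" async></script>
<script src="https://cdn.example.net/widgets.js"></script>
<script>var inline = 1;</script>
</head><body><form action="/session" method="post"></form></body></html>
"""
```

This only sees script tags present in the saved HTML; scripts that other scripts inject at run time do not appear in the result.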



                • #28
                  BTW if your system is heavily loaded, this exploit will fail because the caches will be thrashing.

                  For example, fire up ghb and set it to encode a video. Then fire up another instance and get it encoding another video. Watch top's load and wait for it to exceed the number of SMT threads your system has (usually twice the number of your cores) then run the Leaky.Page test and you'll find it's impossible to get anything but failures out of it.

                  So if you want to be secure, may I suggest transcoding your personal media library to the highest quality presets for AV1 / HEIF, and/or mining some Ethereum. That should keep your cache access latencies unstable enough that Spectre V4 will not be a concern for you.



                  • #29
                    Manjaro + R5 4650G + Default Mitigation Settings = Safe

                    EDIT: I'm gonna have to try that again later; see below
                    Last edited by skeevy420; 12 March 2021, 08:19 PM.



                    • #30
                      Originally posted by linuxgeex
                      BTW if your system is heavily loaded, this exploit will fail because the caches will be thrashing.

                      For example, fire up ghb and set it to encode a video. Then fire up another instance and get it encoding another video. Watch top's load and wait for it to exceed the number of SMT threads your system has (usually twice the number of your cores) then run the Leaky.Page test and you'll find it's impossible to get anything but failures out of it.

                      So if you want to be secure, may I suggest transcoding your personal media library to the highest quality presets for AV1 / HEIF, and/or mining some Ethereum. That should keep your cache access latencies unstable enough that Spectre V4 will not be a concern for you.
                      You think rsyncing 1.33TB of data from NTFS to ZFS with compress=zstd-14 would trigger that?

                      Guess what I've been doing today
