linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* CPU vulnerabilities and web JavaScript
@ 2019-12-08 19:49 Kernel User
  2019-12-09  8:44 ` Kernel User
  0 siblings, 1 reply; 2+ messages in thread
From: Kernel User @ 2019-12-08 19:49 UTC (permalink / raw)
  To: linux-kernel

Hello kernel developers!

I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.

As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.

So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.

So what I do:

To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":

1. Close all open programs

2. Clean clipboard contents

3. Lock any open keyrings

4. Enable JS for the particular website only (one window, one tab,
incognito mode, all history/cache cleared beforehand)

5. Do what I need on the site as quickly as possible.

6. Close the browser

Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.

So my questions to the experts here are:

(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)

(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?

*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.

Sorry for the long message.
I really hope you could shed some light on the subject!

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: CPU vulnerabilities and web JavaScript
  2019-12-08 19:49 CPU vulnerabilities and web JavaScript Kernel User
@ 2019-12-09  8:44 ` Kernel User
  0 siblings, 0 replies; 2+ messages in thread
From: Kernel User @ 2019-12-09  8:44 UTC (permalink / raw)
  To: linux-kernel

Anybody?
Please.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-12-09  8:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-08 19:49 CPU vulnerabilities and web JavaScript Kernel User
2019-12-09  8:44 ` Kernel User

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).