
Would you rather have performance or security? - samfisher83
As far as I understand they hacker will need to know what they are looking for to exploit the Intel bug. Or am I missing the something. Is this bit security really worth the performance?
======
eesmith
As I understand it, if you visit a seemingly innocuous web page, a Javascript
program from that page can read any part of memory.

This means the hacker doesn't need to know exactly what to look for, but only
how to tell the JS program how to find what it's looking for.

We've seen just how clever people are at being able to use buffer overruns and
other programming errors in order to execute arbitrary code.

Looking for in-memory data structures is much easier.

As an example, look for the text between "\-----BEGIN RSA PRIVATE KEY-----"
and "\-----END RSA PRIVATE KEY-----" and send it back to the server. Poof!
You've now got someone's private key even without knowing at the start where
that data was.

------
navjack27
Performance every day of the week

