
Interesting. I can see it being a concern in shared environments (hence all the cloud providers are quite scared), but unless there's another part about being able to modify kernel memory, IMHO it's not such a big deal for the typical single-user personal computer.

I wonder if there are other (non-x86) CPUs that do similar speculative execution affected... the general ideas behind it don't seem to be specific to x86.




How so? Letting any old web page read your kernel’s memory seems like kind of a big deal to me. On the other hand I guess remote debugging will be a lot easier in 2018 :)


> IMHO it's not such a big deal for the typical single-user personal computer

IDK. If this means that some JavaScript from a website can read my kernel's memory, then it seems like a big deal.


All the more reason to keep JS off by default...

...but the blog post above shows that you need to execute instructions that (try to) access kernel addresses, and have a handler in place to catch the inevitable exception. That doesn't seem like code a JS JIT could generate.

You might be thinking of that JS RowHammer demonstration, but that was using regular memory accesses and not with the specific kernel addresses that you need for this.


Sorry that train has left the station. JS is now a part of the web. The advice to keep JS off by default is a lot like saying "turn off your Wi-Fi by default" and "don't use a computer." People that do it occasionally experience an exaggerated sense of smugness when a particularly nasty bug is discovered, but then they go back to leading a much more difficult online life than the rest of the world.


No, it's only because of "JS is now a part of the web" advocates that we've gotten into this horrible situation.

> but then they go back to leading a much more difficult online life than the rest of the world.

I completely disagree, because I don't have to routinely subject myself to the barrage of useless distracting noise (adverts and whatever else) caused by JS. https://news.ycombinator.com/item?id=10871967 (The rest of the comments on that item are worth reading too.)

Also, "JS off" is very much in agreement with "don't run untrusted code", something which everyone who cares about security in any way would have no problem with.


I care about security and I do have a problem with it. http://www.logicalfallacies.info/presumption/no-true-scotsma...

Yes I advocate for JS to be a part of the web. There are good reasons for it. But regardless, it has nothing to do with advocates. We are in this situation because browser vendors included JS and developers and users found it useful. Again, you are free to deny the idea that this is irreversible, but I am with the 99.99% of users of the web who have JS enabled.

Edit: QoL is subjective of course, but let me ask you this: when was the last time you really had JS enabled by default and how did you measure the trade off? My suspicion is that most people who put on their tin foil hat^W^W^W^W^W^Wturn off JS by default don't actually turn it back on frequently, and spend a whole lot of their lives fiddling with drop down menus to enable/disable JS on specific sites.


> and spend a whole lot of their lives fiddling with drop down menus to enable/disable JS

Even without special extensions and keyboard shortcuts you spend very little time on fiddling with menus. It seems like a lot only at the beginning and quickly gets to near no fiddling at all. But it also saves time on various things, like when your adblocker doesn't catch something and you have to close those clickunder born popups or see a page full of ads where it's hard to even find the content, things also load faster and so on.

My only problem without JavaScript is Cloudflare. They truly are sabotaging it, giving impossible to solve captchas for example.


I honestly don't know what sites you are visiting where ad blocking is such a problem. I guess I'd seen an odd clone of KAT and other torrenting sites that do this shit. It's annoying, I agree. But in my daily life I rarely encounter an ad that slips by my ad blocker that makes me drop everything I am doing to go digging into how to kill it. On the contrary, I find my ad blocker more annoying sometimes in the other direction where my bank's site doesn't work and I have to disable it to get the site to e.g. show me my balance or make a credit card payment. I don't see how the savings in time will add up over a lifetime.


there's a subset of the web that still remains a hypertext document database (the 'web 1.0' if you will) instead of becoming an application delivery platform (web 2.0, i hear it's almost out of beta). going JS-less on wikipedia is possible and not at all a bad experience.


Sure if you limit your life to Wikipedia that's fine. Hell, you don't even need an internet connection for it. Just download it all once in a while. But the rest of us like using places like Amazon, Slack, Google Maps, etc.

I fully support not making content delivery rely on JS. But disabling JS because it can be used for intrusive ads is a lot like taking the wheels off your car because it can take you to the mall where you might see big for sale signs and annoying sales people. Effective, but stupid.


> But disabling JS because it can be used for intrusive ads is a lot like taking the wheels off your car...

You should try it sometime. Selectively enabling JS will be annoying at first, but as long as you save your preferences, the web will soon become a much less terrible place, and you'll rarely have to tweak your config. This approach won't work for non-techies, of course, but it's not much of a hardship for someone vaguely familiar with how the web works. Amazon, for example, works fine with a bit of JS not including amazon-adsystem.com.


Bad comparison, unless you were to change it to 'reprogramming your car so it does not take you to - or warns you for - annoying sales people'. Javascript can be disabled for specific sites or purposes or only enabled for specific sites and purposes.


> Slack

Slack has an IRC gateway, though.


JS is part of the web - going JS-less under the guise of security seems fruitless to me. Even if I went JS-less, it would be very difficult for me to convince anyone with access to privileges on my life to go JS-less as well. A JS exploit could affect my parents which would in turn affect me. A JS exploit could affect my doctor/lawyer/bank teller which could affect me.

I'm not sure what the advantages of this argument are anymore. JS is now so ubiquitous I can only imagine how a drive-by JS exploit can truly mess you up in obscure ways despite the fact you browse the web with IE4.


That is the true counter-point here. Even if one person protects themselves better they are so connected to several (or many) others that the overall protection gains are minuscule.

And this is not gonna change before a huge paradigm shift in network protocols and network apps.


JS is only part of the browser.

Accusing people not running browsers that expose them to a nasty bug of feeling an exaggerated sense of "smugness"?

This seems disrespectful of users.

Doesn't that violate HN guidelines?


What I meant by this is that JS relies on a browser with an interpreter. If we use one without an interpreter then JS is nothing but text. I guess one could claim that this text is "part of the web". The point is that it is the user's choice whether to run it through an interpreter. Sometimes they might want to do that (maybe offline), other times they might not. Most times I do not need to run JS to get what I am after (e.g., text, documents, videos, etc.). There is just no need to run all these third party scripts to read some text or download a file for offline viewing. I may read the JS though. In that sense, yes, it is "part of the web". It just isn't the content part that users care about.


Classic HN



