electronvolt | 8 years ago

It's definitely true that Meltdown is a more immediate problem--but Spectre is basically the problem that will last. We can move kernel memory into another process space, take the perf hit, and correct most of the Meltdown problems.

Spectre style issues had JS pulling browser process memory using timing--the patches being "put every page in its own process" (Chrome) and "don't let people get accurate timings" (Firefox). They are way worse in the grand scheme of things, because even if they aren't as easy to exploit, they will continue to show up, probably for the foreseeable future (next 5-10 years), long after Meltdown is patched and old news.

akvadrako|8 years ago

What? The whole idea that you can run untrusted code on your machine in the same process as secure data is ridiculous.

Of course every website needs its own process. It should really be in its own VM too.

digi_owl|8 years ago

Or how about we stop perusing services that demand that we run 200+k of JS just to look at a few lines of text and images?