lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191208214958.492988dd@localhost>
Date:   Sun, 8 Dec 2019 21:49:58 +0200
From:   Kernel User <linux-kernel@...eup.net>
To:     linux-kernel@...r.kernel.org
Subject: CPU vulnerabilities and web JavaScript

Hello kernel developers!

I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.

As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.

So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.

So what I do:

To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":

1. Close all open programs

2. Clean clipboard contents

3. Lock any open keyrings

4. Enable JS for the particular website only (one window, one tab,
incognito mode, all history/cache cleared beforehand)

5. Do what I need on the site as quickly as possible.

6. Close the browser

Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.

So my questions to the experts here are:

(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)

(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?

*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.

Sorry for the long message.
I really hope you could shed some light on the subject!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ