Meltdown and Spectre
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Meltdown and Spectre
Does the browser have protection against attacks on the CPU memory and ddram3 memory?
https://www.techradar.com/news/computin ... ry-1288045
The newest Firefox protects against e.g. Spectre
https://zapodaj.net/images/979691e1e2706.png
attack description:
https://meltdownattack.com
Re: Meltdown and Spectre
Use the forum search
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: Meltdown and Spectre
Pale Moon had protection before the big guns even got to their holsters.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup.....
Pale moon 29.4.1
Re: Meltdown and Spectre
The situation has slightly changed since that post since operating systems have been patched (unless of course you are someone who uses Windows out of the box and never updates it, you know who you are) but mitigations are in place.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Meltdown and Spectre
OK, thanks all for the answers.
Re: Meltdown and Spectre
Mainstream browsers may revert coarsening of timers and disabling of SharedArrayBuffers in favour of process isolation (page 10), which might cause web compatibility issues for UXP. Any thoughts?
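Added example (not part of the thread and not Pale Moon/UXP code): the two mitigations named in the post above, timer coarsening and disabling SharedArrayBuffer, can be checked from script by measuring the smallest step the page-visible clock takes and testing whether the constructor is exposed. The function names are hypothetical and the coarse clock is constructed for the demonstration.

```javascript
// Added example; names are hypothetical, not Pale Moon/UXP APIs.

// Smallest step observed between distinct readings of `clock`, in the
// clock's own units. A coarsened timer shows up as a large, regular step.
function estimateGranularity(clock, transitions = 20, maxReads = 1e7) {
  let smallest = Infinity;
  let reads = 0;
  let last = clock();
  for (let seen = 0; seen < transitions && reads < maxReads; ) {
    const now = clock();
    reads++;
    if (now !== last) {
      smallest = Math.min(smallest, Math.abs(now - last));
      last = now;
      seen++;
    }
  }
  return smallest; // Infinity: the clock never advanced within maxReads
}

// Constructed test clock: a counter advanced by 1 microsecond per read,
// rounded down to `stepUs` microseconds and reported in milliseconds.
function makeCoarseClock(stepUs) {
  let ticks = 0;
  return () => Math.floor(++ticks / stepUs) * stepUs / 1000;
}

// Summarise what a script context is given. `scope` is normally globalThis.
function exposureReport(scope, clock) {
  return {
    sharedArrayBuffer: typeof scope.SharedArrayBuffer === "function",
    // Set by mainstream browsers; simply undefined where not implemented.
    crossOriginIsolated: scope.crossOriginIsolated === true,
    timerStepMs: estimateGranularity(clock),
  };
}

// Report for the context this script runs in (browser page or Node).
if (typeof performance !== "undefined") {
  console.log(exposureReport(globalThis, () => performance.now()));
}
```

A large, regular `timerStepMs` indicates a coarsened clock; `sharedArrayBuffer: false` means the feature is disabled for that context.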
- athenian200
- Contributing developer
- Posts: 1535
- Joined: 2018-10-28, 19:56
- Location: Georgia
Re: Meltdown and Spectre
Andrew Herbert wrote (2020-09-05, 14:40):
"Mainstream browsers may revert coarsening of timers and disabling of SharedArrayBuffers in favour of process isolation (page 10), which might cause web compatibility issues for UXP. Any thoughts?"
Well, it's not a creative approach at all. It sounds like they're basically considering requiring further nasty e10s-like kludges for security reasons, the "separate process for everything" nonsense. I'm not a fan of process isolation as a security solution.
Anyway, if it comes to that we'll likely have to choose between keeping those things disabled and having a few compatibility issues, or just allowing users to enable them as they were before despite the security risks. There's also a possibility we'll find a way to make SharedArrayBuffers and high-precision timers safer without process isolation and mitigate the security issues in a less ham-fisted way than process isolation. Or at least find alternative ways of providing the functionality websites expect when they look for those features so that things don't break.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
Re: Meltdown and Spectre
There is no need for any finer resolution in a web client than what we have now (which is Spectre-safe). Simple as that.
Shared Array buffers are available in Pale Moon and have been for a while, since the general environments that can be assumed the browser is running in have been patched on vulnerable hardware at multiple lower levels already. If people do not patch their O.S. then they could decide to disable them (it is disabled easily via a preference) as part of their strategy to use an old and insecure patch level of their O.S. -- that is their own responsibility.
Process isolation will not be a solution either, because unless you plan to run every conceivable thread in an isolated process this will never, ever, mitigate it. And you simply can't do that because that level of isolation would grind everything to a halt.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Meltdown and Spectre
This novel thing called "answers"
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite