CPU vulnerabilities and web JavaScript
From: Kernel User
Date: Sun Dec 08 2019 - 14:51:24 EST
Hello kernel developers!
I have been looking for information but I couldn't find the answers I
need, so thought it might be best to ask the experts first hand.
As soon as Spectre and Meltdown were announced in early 2018 I got
paranoid. I am not a programmer per se but my understanding is that the
main security mechanism in computers (isolation) is not reliable any
more and there is no fix for it - only mitigations which are not
available for all vulnerabilities and for all CPUs.
So I instantly blocked all web JavaScript in browsers. I don't want
anything creepy reading the contents of my RAM, my passwords, keys or
anything else in a way which it is not supposed to. However without JS
web (and life) is difficult and for some sites (e.g. online payments) I
must use JS.
So what I do:
To minimize the chance of any JS reading anything important from the
contents of my RAM I "simulate single tasking":
1. Close all open programs
2. Clean clipboard contents
3. Lock any open keyrings
4. Enable JS for the particular website only (one window, one tab,
incognito mode, all history/cache cleared beforehand)
5. Do what I need on the site as quickly as possible.
6. Close the browser
Of course there are the processes running in background. I am also
aware that closing a program doesn't necessarily mean it wipes the
memory it has used but simply makes it available for other apps (i.e.
memory contents may still be vulnerable). I also have no idea whether
the login credentials (of the current system user I am logged in as)
are somewhere in a vulnerable RAM zone. IOW I realize my approach is
incomplete.
So my questions to the experts here are:
(1) Is what I do reasonable, meaningful and does it actually provide
any additional security? (assume a CPU with, or without mitigations)
(2) As experts knowing the intricacies of all that, what is your
approach and recommendations regarding usage of web JavaScript?
*NOTE: I am aware that web-JS, even without vulnerabilities, has
additional privacy implications but I am asking only in relation to CPU
vulnerabilities.
Sorry for the long message.
I really hope you could shed some light on the subject!