i think "javascript in the browser" is implied here. and that is a HUGE
gate to close.

fortunately, we don't have such browsers in plan9 :)

On Wed, Jan 10, 2018 at 11:41 AM, Erik Quanstrom <quans...@quanstro.net>
wrote:

> to be fair, this vulnerability can be exploited with plain old JavaScript.
>
> On Jan 10, 2018 11:32, Skip Tavakkolian <skip.tavakkol...@gmail.com>
> wrote:
>
> good advice. i agree with the wait-and-see. i'm not convinced that this
> issue is solvable.
>
> using pip, npm and all the other ways of importing random code from
> who-knows-where is insanity and plan9 systems (mostly?) avoid this practice.
> having dedicated auth and fs servers (don't allow cpu'ing) and using
> terminals for each user is a good practice.
> a terminal on an affected processor can still compromise your factotum
> data in memory. rpi3 is a safe choice and, for plan9, probably the best
> choice.
>
>
>
> On Wed, Jan 10, 2018 at 8:59 AM, <cinap_len...@felloff.net> wrote:
>
> wait and see if all these scrambled together mitigations actually work.
>
> 9front is not in the business of selling shared computing environments
> (or selling executable javascript ads) to untrusted strangers.
>
> that was never really safe to begin with. there will be bugs in software
> and hardware. and there will be side channels.
>
> if you are concerned about security and leaks then run your authentication
> server on a dedicated box and applications on your own terminal.
>
> --
> cinap
>
>
>
>
