If I'm not mistaken, attack vector is via JavaScript. Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.
NoScript and Spectre-Meltdown
- Giorgio Maone
Re: NoScript and Spectre-Meltdown
kukla wrote: "If I'm not mistaken, attack vector is via JavaScript."
Correct, that's the easiest way to remotely exploit Spectre.
kukla wrote: "Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked."
The same rules suggested to prevent any JS-exploitable vulnerability, "known or not known yet" as advertised:
- limit your whitelist to HTTPS-only matched sites (green closed lock icon), because otherwise an attacker controlling your network could inject its malicious payload inside random unencrypted pages.
- keep the XSS filter enabled, otherwise an attacker could exploit an XSS vulnerability in a trusted site to inject its malicious payload in it, even if encrypted.
Re: NoScript and Spectre-Meltdown
@Giorgio- is web assembly a separate technology that will one day need protections?
- Giorgio Maone
Re: NoScript and Spectre-Meltdown
jawz101 wrote: "@Giorgio- is web assembly a separate technology that will one day need protections?"
Web Assembly is subject to the same rules/restrictions as JavaScript (they share the same runtime, but by writing web assembly you're able to better model your performance optimization at a lower abstraction level).
So NoScript covers it just like it covers JavaScript.