NoScript and Spectre-Meltdown
Posted: Fri Jan 05, 2018 8:54 pm
by kukla
If I'm not mistaken, attack vector is via JavaScript. Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.
Re: NoScript and Spectre-Meltdown
Posted: Sat Jan 06, 2018 1:29 am
by Giorgio Maone
kukla wrote: If I'm not mistaken, attack vector is via JavaScript.
Correct, that's the easiest way to remotely exploit Spectre.
kukla wrote:
Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.
The same rules suggested to prevent any JS-exploitable vulnerability, "known or not known yet" as advertised:
- limit your whitelist to HTTPS-only matched sites (green closed lock icon), because otherwise an attacker controlling your network could inject its malicious payload inside random unencrypted pages.
- keep the XSS filter enabled, otherwise an attacker could exploit an XSS vulnerability in a trusted site to inject its malicious payload in it, even if encrypted.
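An added example, not part of the original post and not NoScript's own code: one way to audit a trusted-site list against the HTTPS-only advice above. The entry formats (full address, bare domain, and a `§:` secure-domain prefix), the function names and the sample list are assumptions constructed for illustration.

```javascript
// Flag trusted-site entries that can also match unencrypted (http://) pages.
// Assumed entry formats (not taken from the thread):
//   "https://host[/path]"  full address, HTTPS only
//   "§:domain"             domain matched over HTTPS only (assumed notation)
//   "domain"               bare domain, matches http:// as well as https://
const SECURE_PREFIX = "§:";

function classifyEntry(entry) {
  const e = entry.trim().toLowerCase();
  if (e === "") {
    return { entry, httpsOnly: false, reason: "empty entry" };
  }
  if (e.startsWith(SECURE_PREFIX)) {
    return { entry, httpsOnly: true, reason: "secure domain match" };
  }
  // Require "://" so that "example.com:8080" is not mistaken for a scheme.
  const scheme = /^([a-z][a-z0-9+.-]*):\/\//.exec(e);
  if (scheme) {
    return scheme[1] === "https"
      ? { entry, httpsOnly: true, reason: "https address" }
      : { entry, httpsOnly: false, reason: `scheme ${scheme[1]} is not encrypted` };
  }
  return { entry, httpsOnly: false, reason: "bare domain also matches http://" };
}

// Return only the entries a network attacker could reach via plain HTTP.
function auditTrusted(entries) {
  return entries.map(classifyEntry).filter((r) => !r.httpsOnly);
}

// Constructed sample list, for illustration only.
const SAMPLE_TRUSTED = [
  "§:example.org",
  "https://mail.example.com",
  "example.net",
  "http://intranet.example",
  "HTTPS://Bank.example/login",
];

for (const r of auditTrusted(SAMPLE_TRUSTED)) {
  console.log(`${r.entry}: ${r.reason}`);
}
```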
Re: NoScript and Spectre-Meltdown
Posted: Mon Jan 08, 2018 5:55 pm
by jawz101
@Giorgio- is web assembly a separate technology that will one day need protections?
Re: NoScript and Spectre-Meltdown
Posted: Mon Jan 08, 2018 6:05 pm
by Giorgio Maone
jawz101 wrote: @Giorgio- is web assembly a separate technology that will one day need protections?
Web Assembly is subject to the same rules/restrictions as JavaScript (they share the same runtime, but by writing web assembly you're able to better model your performance optimization at a lower abstraction level).
So NoScript covers it just like it covers JavaScript.