
NoScript and Spectre-Meltdown

Posted: Fri Jan 05, 2018 8:54 pm
by kukla
If I'm not mistaken, attack vector is via JavaScript. Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?

*No guarantee there either, since even those can sometimes be hacked.

Re: NoScript and Spectre-Meltdown

Posted: Sat Jan 06, 2018 1:29 am
by Giorgio Maone
kukla wrote: If I'm not mistaken, attack vector is via JavaScript.
Correct, that's the easiest way to remotely exploit Spectre.
kukla wrote: Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.
The same rules suggested to prevent any JS-exploitable vulnerability, "known or not known yet" as advertised:
  1. limit your whitelist to HTTPS-only matched sites (green closed lock icon), because otherwise an attacker controlling your network could inject its malicious payload inside random unencrypted pages.
  2. keep the XSS filter enabled, otherwise an attacker could exploit an XSS vulnerability in a trusted site to inject its malicious payload in it, even if encrypted.

Re: NoScript and Spectre-Meltdown

Posted: Mon Jan 08, 2018 5:55 pm
by jawz101
@Giorgio- is web assembly a separate technology that will one day need protections?

Re: NoScript and Spectre-Meltdown

Posted: Mon Jan 08, 2018 6:05 pm
by Giorgio Maone
jawz101 wrote: @Giorgio- is web assembly a separate technology that will one day need protections?
Web Assembly is subject to the same rules/restrictions as JavaScript (they share the same runtime, but by writing web assembly you're able to better model your performance optimization at a lower abstraction level).
So NoScript covers it just like it covers JavaScript.