Google’s JavaScript team: Spectre mitigation doomed to failure
That isn’t exactly what they said, but it’s pretty close. Here’s what they do say:
A year with Spectre… When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem… offensive research [from the white and gray hats] advanced much faster than our defensive research, and we quickly discovered that software mitigation of all possible leaks due to Spectre was infeasible… the engineering effort diverted to combating Spectre was disproportionate to its threat level… the increasingly complicated mitigations that we designed and implemented carried significant complexity, which is technical debt and might actually increase the attack surface, and performance overheads… We still know of no attacks in the wild, outside of the curious tinkerers and professional researchers developing proof of concept gadgets
Make no mistake, Meltdown and Spectre could become nightmares. At some point in the far future. For now, don’t worry about it, OK?