Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Michael Catanzaro 


Hi devs,

Any info about how to mitigate this problem would be appreciated. 
Thanks!


Michael

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

[webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Michael Catanzaro 

Hi,

Here's a collection of blog posts from other major browser vendors 
regarding the Meltdown and Spectre attacks:


https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca

Notably, Edge and Firefox are reducing the resolution of 
performance.now(), and all three are disabling SharedArrayBuffer.


This is just a heads-up.

Michael

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Yusuke SUZUKI 
FYI, Apple also published the statement.

https://support.apple.com/en-us/HT208394

On Sat, Jan 6, 2018 at 1:08 Michael Catanzaro  wrote:

> Hi,
>
> Here's a collection of blog posts from other major browser vendors
> regarding the Meltdown and Spectre attacks:
>
>
> https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
>
>
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca
>
> Notably, Edge and Firefox are reducing the resolution of
> performance.now(), and all three are disabling SharedArrayBuffer.
>
> This is just a heads-up.
>
> Michael
>
> ___
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
>
-- 
Regards,
Yusuke Suzuki
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Konstantin Tokarev 


> Hi,
> 
> Here's a collection of blog posts from other major browser vendors
> regarding the Meltdown and Spectre attacks:
> 
> https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
> 
> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
> 
> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca
> 
> Notably, Edge and Firefox are reducing the resolution of
> performance.now(), and all three are disabling SharedArrayBuffer.
> 
> This is just a heads-up.

Seems like both mitigations are already present in trunk

> 
> Michael
> 
> ___
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
-- 
Regards,
Konstantin
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Konstantin Tokarev 


05.01.2018, 20:28, "Michael Catanzaro" :
> On Fri, Jan 5, 2018 at 10:31 AM, Konstantin Tokarev 
> wrote:
>>  Seems like both mitigations are already present in trunk
>
> Are there recent commits you can link to? I must have missed them fly
> by.

https://bugs.webkit.org/show_bug.cgi?id=181266
https://bugs.webkit.org/show_bug.cgi?id=165503 (prophecy?)

>
> Michael

-- 
Regards,
Konstantin
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

[webkit-dev] Javier Fernandez is now a WebKit reviewer

2018-01-05 Thread Mark Lam 
Hi everyone,

I would like to announce that Javier Fernandez (lajava on #webkit) is now a 
WebKit reviewer.  Javier has worked on CSS Grid Layout and Box Alignment, as 
well as the selection and editing code.

Please join me in congratulating Javier, and send him some patches to review.

Javier, congratulations.

Mark

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Michael Catanzaro 


On Fri, Jan 5, 2018 at 11:32 AM, Konstantin Tokarev  
wrote:

https://bugs.webkit.org/show_bug.cgi?id=181266
https://bugs.webkit.org/show_bug.cgi?id=165503 (prophecy?)


Thanks!

Michael

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Filip Pizlo 
Here is what else is in trunk:

- index masking
- pointer poisoning

I’m going to write up what our thoughts are shortly. :-)  For now feel free to 
browse the code with those two hints.

-Filip


> On Jan 5, 2018, at 8:31 AM, Konstantin Tokarev  wrote:
> 
> 
> 
>> Hi,
>> 
>> Here's a collection of blog posts from other major browser vendors
>> regarding the Meltdown and Spectre attacks:
>> 
>> https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
>> 
>> https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
>> 
>> https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca
>> 
>> Notably, Edge and Firefox are reducing the resolution of
>> performance.now(), and all three are disabling SharedArrayBuffer.
>> 
>> This is just a heads-up.
> 
> Seems like both mitigations are already present in trunk
> 
>> 
>> Michael
>> 
>> ___
>> webkit-dev mailing list
>> webkit-dev@lists.webkit.org 
>> https://lists.webkit.org/mailman/listinfo/webkit-dev 
>> 
> -- 
> Regards,
> Konstantin
> ___
> webkit-dev mailing list
> webkit-dev@lists.webkit.org 
> https://lists.webkit.org/mailman/listinfo/webkit-dev 
> 
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Maciej Stachowiak 

Brent Fulgham or John Wilander would know the details.

 - Maciej

> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro  wrote:
> 
> 
> Hi devs,
> 
> Any info about how to mitigate this problem would be appreciated. Thanks!
> 
> Michael
> 
> ___
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Brent Fulgham 
I’m sorry we haven’t been forthcoming with details. We have wanted to put 
together a blog post explaining our fix, but have been preoccupied with a 
number of other security issues.

I will make this my top priority, or at least give a rough overview to the 
webkit-security folks if we can’t put together a blog-worthy document fast 
enough.

Thanks,

-Brent

> On Jan 5, 2018, at 12:58 PM, Maciej Stachowiak  wrote:
> 
> 
> Brent Fulgham or John Wilander would know the details.
> 
> - Maciej
> 
>> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro  wrote:
>> 
>> 
>> Hi devs,
>> 
>> Any info about how to mitigate this problem would be appreciated. Thanks!
>> 
>> Michael
>> 
>> ___
>> webkit-dev mailing list
>> webkit-dev@lists.webkit.org
>> https://lists.webkit.org/mailman/listinfo/webkit-dev
> 

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev