it is also exploitable in node.js.

On Jan 10, 2018 12:52, Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
i think "javascript in the browser" is implied here. and that is a HUGE gate to close.

fortunately, we don't have such browsers in plan9 :)

On Wed, Jan 10, 2018 at 11:41 AM, Erik Quanstrom <quanstro@quanstro.net> wrote:
to be fair, this vulnerability can be exploited with plain old JavaScript.

On Jan 10, 2018 11:32, Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
good advice. i agree with the wait-and-see. i'm not convinced that this issue is solvable.

using pip, npm and all the other ways of importing random code from who-knows-where is insanity and plan9 systems (mostly?) avoid this practice.
having dedicated auth and fs servers (don't allow cpu'ing) and using terminals for each user is a good practice.
a terminal on an affected processor can still compromise your factotum data in memory. rpi3 is a safe choice and, for plan9, probably the best choice.



On Wed, Jan 10, 2018 at 8:59 AM, <cinap_lenrek@felloff.net> wrote:
wait and see if all these scrambled together mitigations actually work.

9front is not in the business of selling shared computing environments
(or selling executable javascript ads) to untrusted strangers.

that was never really safe to begin with. there will be bugs in software
and hardware. and there will be side channels.

if you are concerned about security and leaks then run your authentication
server on a dedicated box and applications on your own terminal.

--
cinap