[Engineering] FYI: Browser mitigations for Meltdown & Spectre

Joaquin Oltra Hernandez jhernandez at wikimedia.org
Tue Jan 9 09:48:20 UTC 2018


tl;dr: performance.now accuracy decreased, SharedArrayBuffer disabled in
all browsers

There were recently two very serious security vulnerabilities disclosed (
Spectre <https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)> &
Meltdown <https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)>)
that affect pretty much anything that can run code on your machine.

That includes browsers, so major vendors have started rolling out
mitigations for such attacks so that the vulnerabilities can't be exploited
from JavaScript. Here is some info in case you haven't followed:

*Summary*

   - performance.now is going to be rounded to avoid exposing the high
   precision timer
      - to 1ms in Safari, 20µs in Firefox, 20µs with 20µs jitter in Edge,
      unspecified in Chrome
   - SharedArrayBuffer is going to be disabled for now since it can be used
   to create high precision timers from JS

*Articles*

Here are some articles from the different vendors. The WebKit one is more
extensive and has approachable explanations, reasoning and links to commits,
and is very interesting to read:

   - https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
   - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
   - https://www.chromium.org/Home/chromium-security/ssca
   - https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/

*Conclusion*

These changes shouldn't impact us at all in our usual browser work, but it
is good to know about the changes of behavior to not be surprised if they
do.

Hope this is useful, have a nice day!
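
The two changes from the summary, as an added example that is not part of the original message: front-end code can measure the timer step it actually gets and feature-detect SharedArrayBuffer instead of assuming either. All function names are hypothetical, and the coarsened clock is a constructed model without jitter.

```javascript
// Added example; function names are hypothetical, not a browser API.

// Model of the mitigation: report time rounded down to `resolutionMs`.
// (Constructed model; real browsers may also add jitter.)
function coarsen(nowFn, resolutionMs) {
  return () => Math.floor(nowFn() / resolutionMs) * resolutionMs;
}

// Smallest non-zero step between consecutive readings of `nowFn`.
// Durations below this value cannot be measured with that clock.
function estimateResolution(nowFn, samples = 2000) {
  let smallest = Infinity;
  let prev = nowFn();
  for (let i = 0; i < samples; i++) {
    const t = nowFn();
    if (t > prev && t - prev < smallest) smallest = t - prev;
    prev = t;
  }
  return smallest; // Infinity means the clock never advanced
}

// SharedArrayBuffer may be absent: detect it instead of assuming it.
function hasSharedArrayBuffer(scope = globalThis) {
  return typeof scope.SharedArrayBuffer === "function";
}

// Choose how workers exchange data depending on what is available.
function workerTransport(scope = globalThis) {
  return hasSharedArrayBuffer(scope) ? "shared-memory" : "postMessage";
}

// Constructed fake clock that advances `stepMs` on every read.
function makeFakeClock(stepMs) {
  let t = 0;
  return () => (t += stepMs);
}

if (typeof performance !== "undefined") {
  console.log("observed step (ms):", estimateResolution(() => performance.now()));
}
console.log("1 ms clock:", estimateResolution(coarsen(makeFakeClock(0.003), 1)));
console.log("worker transport:", workerTransport());
```

Benchmarks that report durations smaller than the observed step are measuring the rounding, not the code under test.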