Spectre. Meltdown. They sound like action movie names, and one of them, well… is exactly that. The reality of the situation is that they’re almost as bad as many Bond villain plots. These two names represent three (yeah, three) vulnerabilities in pretty much every processor currently on the market. Everyone is vulnerable in one way or another.
How We Got Here
Here’s a short-ish overview of the problem: three vulnerabilities were recently discovered by security researchers at Google, as well as some other researchers. They pretty much allow access to the memory of any computer, or at least some of the memory.
One vulnerability—the one dubbed “Meltdown”—is Intel-specific. It’s the reason that Intel is getting a bad rap right now, even though pretty much all processors are at risk. It has a patch coming on every major OS that may reduce the speed of every Intel processor by up to 30%.
There are two vulnerabilities that fall under the name of “Spectre”. They are a product of current processor architecture, and we all have this problem: Intel customers, AMD customers, and basically everyone else. One of these vulnerabilities can only be patched on a per-binary basis, meaning pretty much every program you’ve ever used is a potential security risk. It’s like the world’s largest and worst game of whack-a-mole.
The only real fix for these problems is to completely redesign the way we make processors, and replace every computer made in the last ten years or so. Every. Single. One. The problem is expected to stay with us well into the next decade.
Here’s an excellent Twitter thread for tech beginners that helped me understand all of this.
For the professional computer engineers, Google put out a blog post that you could probably make more sense of than I could.
How This Affects Web Designers
Much of the coverage has been about how these flaws in our processors might be used to compromise millions of people by stealing data from cloud services. This is actually the least of our worries, for the moment. Major cloud service providers have already implemented fixes to secure their systems.
You see, the problem lies with large companies, governments, and other sizeable organizations. While OS and browser developers are already releasing updates to minimize the risk of even the more pervasive problems related to Spectre, that’s no guarantee that many Internet users will actually get the updates.
Large companies and organizations are renowned for terrible information security. I mean, remember Equifax? They tend not to implement updates and patches when they think they don’t have to. Implementing patches and updates costs time and money, and creates downtime for employees.
What’s more, any organization that has internal apps of any kind has to make sure they all work with the updated and patched versions of OSs and browsers every time they upgrade. That’s more time and money. So they tend to do it as little as possible. There are horror stories of companies that won’t stop using IE6 because they use an internal web app that only works in IE6. Or the companies that still use accounting software found only on Windows 98.
These kinds of organizations (and there are enough of them to make security experts worry) account for a considerable bit of web traffic, even today. This latest security scare could finally push them to step up their information security efforts.
But it’s far more likely that they will implement one of two much, much simpler options:
- Block all Internet access
Either way, we’re looking at a large number of people who suddenly either can’t browse the web at all, or can only browse a very limited version of it.
Where Do We Go From Here?
It wouldn’t even have to be a “suspicious” page. Regular sites get hijacked or get code injected into them all the time. How are security-conscious organizations and users going to respond to this news? I suspect that we’ll see a higher rate of users who have either turned JS off, or have had it turned off for them. We may not be able to rely on it as much as we have been lately.