Will Spectre & Meltdown Break JavaScript?

Spectre. Meltdown. They sound like action movie names, and one of them, well… is exactly that. Well the reality of the situation is that they’re almost as bad as many Bond villain plots. These two names represent three (yeah, three) vulnerabilities in pretty much every processor currently on the market. Everyone is vulnerable in one way or another.

It’s the kind of thing sci-fi and action movie writers have been trying to warn us about for decades. And yes, it affects us as web designers. Why? You can take advantage of Spectre with JavaScript.

How We Got Here

Here’s a short-ish overview of the problem: There are three vulnerabilities that were recently discovered by security researchers at Google, as well as some others. They pretty much allow access to the memory of any computer, or at least some of the memory.

One vulnerability—the one dubbed “Meltdown”—is Intel-specific. It’s the reason that Intel is getting a bad rap right now, even though pretty much all processors are at risk. It has a patch coming on every major OS that may reduce the speed of every Intel processor by up to 30%.

There are two vulnerabilities that fall under the name of “Spectre”. They are a product of current processor architecture, and we all have this problem: Intel customers, AMD customers, and basically everyone else. One of these vulnerabilities can only be patched on a per-binary basis, meaning pretty much every program you’ve ever used is a potential security risk. It’s like the world’s largest and worst game of whack-a-mole.

The only real fix for these problems is to completely redesign the way we make processors, and replace every computer made in the last ten years or so. Every. Single. One. The problem is expected to stay with us well into the next decade.

Here’s an excellent Twitter thread for tech beginners that helped me understand all of this.

For the professional computer engineers, Google put out a blog post that you could probably make more sense of than I could.

How This Affects Web Designers

Much of the coverage has been about how these flaws in our processors might be used to compromise millions of people by stealing data from cloud services. This is actually the least of our worries, for the moment. Major cloud service providers have already implemented fixes to secure their systems.

Like I said, these vulnerabilities can be accessed via JavaScript. Therefore, desktops, laptops, tablets, and other personal devices are at greater risk. And outdated servers are, too, but that’s another issue.

You see, the problem lies with large companies, governments, and other sizeable organizations. While OS and browser developers are already releasing updates to minimize the risk of even the more pervasive problems related to Spectre, that’s no guarantee that many Internet users will actually get the updates.

Large companies and organizations are renowned for terrible information security. I mean, remember Equifax? They tend not to implement updates and patches when they think they don’t have to. Implementing patches and updates costs time, and money, and creates downtime for employees.

What’s more, any organization that has internal apps of any kind has to make sure they all work with updated and patched version of OSs and browser every time they upgrade. That’s more time and money. So they tend to do it as little as possible. There are horror stories of companies that won’t stop using IE6 because they use an internal web app that only works in IE6. Or the companies that still use accounting software still found only on Windows 98.

These kinds of organizations (and there are enough of them to make security experts worry) account for a considerable bit of web traffic, even today. This latest security scare could finally push them to step up their information security efforts.

But it’s far more likely that they will implement one of two much, much simpler options:

  1. Block all Internet access
  2. Block all JavaScript

Lots of companies see providing Internet access to their employees as something of a luxury anyway. So why not block it? And if they really do need it, do they really need JavaScript? Gmail works just fine without it. And it would be easy enough to put in an exception for their own internal web apps.

Either way, we’re looking at a large number of people who suddenly either can’t browse the web at all, or can only browse a very limited version of it.

Where Do We Go From Here?

Even if we did magically get perfect fixes for the Meltdown and Spectre problems, this is going to spark a larger conversation about security and JavaScript in particular. I mean, what other bits of hardware could be compromised by a simple web page? This could happen again. No, to hell with that. This will happen again.

It wouldn’t even have to be a “suspicious” page. Regular sites get hijacked or get code injected into them all the time. How are security-conscious organizations and users going to respond to this news? I suspect that we’ll see a higher rate of users who have either turned JS off, or have had it turned off for them. We may not be able to rely on it as much as we have been lately.

Now, I think it’s too useful to ever go out the way Flash did. I don’t see that happening. But the security risks of allowing JavaScript to run unfettered are being noticed, and may one day become newsworthy. We may one day even see notifications asking if we’d like to allow any given site to run JS at all in our browsers.

So where do we go from here? Not for the first time, and probably not for the last, I’m going to say that we need to be a lot more careful about how we use JavaScript. If your website’s entire experience depends on it, you might be about to lose a lot of potential users.

Ezequiel Bruni is a web/UX designer, blogger, and aspiring photographer living in Mexico. When he's not up to his finely-chiselled ears in wire-frames and front-end code, or ranting about the same, he indulges in beer, pizza, fantasy novels, and stand-up comedy. More articles by Ezequiel Bruni
Home CSS Deals HTML HTML5 Java JavaScript jQuery Miscellaneous Mobile MySQL News PHP Resources Security Snippet Tools Tutorial Web Development Web Services WordPress