Browser-laptop: Brave reports as vulnerable to spectre on test site

Created on 9 Jan 2018 · 8Comments · Source: brave/browser-laptop

Test plan

https://github.com/brave/browser-laptop/pull/12577#issue-287200894

I'm using Brave 0.19.131 & checked the new security feature which is related to Spectre & Meltdown vulnerability. So, I tried using this http://xlab.tencent.com/special/spectre/spectre_check.html, it's saying it's vulnerable for Spectre. Check the Screenshot. I'm using macOS Sierra.

screen shot 2018-01-09 at 03 25 33

Qchecked-Linux Qchecked-Win64 Qchecked-macOS Qtest-plan-specified release-noteinclude security

Source

g33xter

Most helpful comment

MacOS using 0.19.132:
screen shot 2018-01-11 at 9 09 20 am

LaurenWags on 11 Jan 2018

👍2

All 8 comments

cc: @diracdeltas
Same on Chrome for reference

srirambv on 9 Jan 2018

You need to enable manually, I guess. use this link chrome://flags/#enable-site-per-process.
screen shot 2018-01-09 at 04 19 04
I don't have any issues with Chrome/Firefox/Safari, they are not vulnerable on newer updates.

g33xter on 9 Jan 2018

Thanks for the confirmation @g33xter

srirambv on 9 Jan 2018

👍1

Strict Site isolation only mitigates against Spectre by enhancing separation between iframes and the parent context. It does not prevent Spectre if the parent context is trying to use the attack against you. According to @jumde, we will need to disable SharedArrayBuffer in order to appear as "not vulnerable" according to this test.