On Sunday, 4 March 2018 15:57:33 GMT Nick wrote:
>
> One thing I am a little concerned over: on a scale of 'recommended' to
> 'insane', how sensible is it in the Spectre era to trust a VPS to
> remain secure?

Realistically you are more likely to mess up running your own server than be attacked by bugs like Spectre. Maybe a rookie mistake like running Exim as a mail server ;)

Of course it is possible that attacks using Spectre will become routine, but this is going to be quite challenging as it depends on the CPU version of the machine being attacked, kernel version and mitigations in place. This week's latest enhancement for Software Guard Extensions requires physical access to the machine, and if attackers have that your hosting company have already failed.

Even if it becomes routine, they will still need to execute code on the same host server as the victim, which could be expensive if the hosting company have a lot of servers. It is also likely the hosting company is vulnerable to something much more mundane.

There will be more CPU side channel attacks; modern CPUs are that complex. There will also be more bugs in whatever virtualisation technology is in use, but before this lots of companies relied on file permissions to keep website owners apart, and as dreadful a model as that was it was "good enough" for many web hosts, because your site or service just isn't worth punting up the money to become a customer in the hopes of being on the same server, and finding a hole.

There are loads of dreadful security bugs no one talks about much on the Internet; we just ultimately accept the risk. Just look at how widely DNSSEC is deployed, versus how difficult it is to do cache poisoning. Heck, I see people who should know better throwing their DNS to services like Google's recursive DNS with no particular protections.
-- The Mailing List for the Devon & Cornwall LUG https://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq