{"id":22119,"date":"2018-07-16T16:33:05","date_gmt":"2018-07-16T20:33:05","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=22119"},"modified":"2018-07-16T16:33:05","modified_gmt":"2018-07-16T20:33:05","slug":"mitigating-spectre-with-site-isolation-in-chrome","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/07\/16\/mitigating-spectre-with-site-isolation-in-chrome\/","title":{"rendered":"Mitigating Spectre With Site Isolation in Chrome"},"content":{"rendered":"<p><a href=\"https:\/\/security.googleblog.com\/2018\/07\/mitigating-spectre-with-site-isolation.html\">Charlie Reis<\/a> (via <a href=\"https:\/\/twitter.com\/justinschuh\/status\/1017086332999356416\">Justin Schuh<\/a>):<\/p>\n<blockquote cite=\"https:\/\/security.googleblog.com\/2018\/07\/mitigating-spectre-with-site-isolation.html\"><p>Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we&rsquo;re excited to announce that Chrome 67 has enabled a security feature called <a href=\"https:\/\/www.chromium.org\/Home\/chromium-security\/site-isolation\">Site Isolation<\/a> on Windows, Mac, Linux, and Chrome OS.<\/p>\n<p>[&#8230;]<\/p>\n<p>Site Isolation is a large change to Chrome&rsquo;s architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of \"site\" that includes just the scheme and registered domain. Thus, https:\/\/google.co.uk would be a site, and subdomains like https:\/\/maps.google.co.uk would stay in the same process.<\/p>\n<p>[&#8230;]<\/p>\n<p>This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker.<\/p><\/blockquote>\n\n<p>See also: <a href=\"https:\/\/www.paulkocher.com\/doc\/MicrosoftCompilerSpectreMitigation.html\">Spectre Mitigations in Microsoft&rsquo;s C\/C++ Compiler<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=16381978\">Hacker News<\/a>).<\/p>\n\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2018\/01\/03\/intel-cpu-design-flaw-necessitates-kernel-page-table-isolation\/\">Intel CPU Design Flaw Necessitates Kernel Page Table Isolation<\/a>, <a href=\"https:\/\/mjtsai.com\/blog\/2018\/03\/29\/firefoxs-facebook-container\/\">Firefox&rsquo;s Facebook Container<\/a>, <a href=\"https:\/\/mjtsai.com\/blog\/2018\/06\/08\/intelligent-tracking-prevention-2-0\/\">Intelligent Tracking Prevention 2.0<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Charlie Reis (via Justin Schuh): Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we&rsquo;re excited to announce that Chrome 67 has enabled [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-07-16T20:33:07Z","apple_news_api_id":"684bce63-da81-49f1-811c-65c28bc34f8a","apple_news_api_modified_at":"2018-07-16T20:33:08Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AaEvOY9qBSfGBHGXCi8NPig","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[255,456,30,32,355,48,96],"class_list":["post-22119","post","type-post","status-publish","format-standard","hentry","tag-compiler","tag-googlechrome","tag-mac","tag-macapp","tag-privacy","tag-security","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=22119"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22119\/revisions"}],"predecessor-version":[{"id":22120,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22119\/revisions\/22120"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=22119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=22119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=22119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}