Explain slowly please, I'm a software guy
How can a browser have any impact upon Spectre when that's a CPU bug? Surely, if an application can reach that far down the stack there's a bigger security hole in the OS to worry about?
Genuine question.
Enhanced Spectre-protectors will soon come to the Chrome browser, as its desktop stable channel hit version 67.0.3396.62 and upgrades for Windows, Mac and Linux have started to flow. The Spectre mitigation comes in the form of enhanced site isolation, first introduced in Chrome 63, in which pages from different sites run in …
I'm just guessing here, but I think that by splitting everything down to separate processes, it's much harder to use Spectre (or similar flaw), to grab a particular piece of data (eg your bank password), because an attacker will have no idea which process to target (or which bit of memory it's living in).
That's just my guess from reading some of their documentation, I'm probably wrong, but hopefully by being wrong on the internet I have invoked someone else to come and well actually me.
@AMBxx: "How can a browser have any impact upon Spectre when that's a CPU bug?"
I recall reading somewhere that, in order to implement cutting edge features Chrome is given low-level access to the OS. That's why Chrome needs such security mitigations:
What an awful sentence construction: "The site isolation design document explains that the Spectre mitigation sandboxes site renderer processes." I had to re-read this three times to understand whether or not there was an absent verb following 'that'. Then it dawned on me: the author is employing the foul Merkin habit of reusing a noun as a verb, in this case 'sandbox'.
Even the Merkin online www.dictionary.com provides this:
"noun
1.a box or receptacle for holding sand, especially one large enough for children to play in.
2.Computers. an environment in which software developers or editors can create and test new content, separate from other content in the project (often used attributively): "
Please, please, please can the Editors enforce a policy of 'English(UK)' only?
"Please, please, please can the Editors enforce a policy of 'English(UK)' only?"
Much as that would be appreciated, one should remember that not only are significant portions of the readership not native English(UK) speakers, but that many of the articles originate from exotic locales such as The Register office in San Francisco and the antipodean Vulture South office. Also, I believe they sacked the proof-reader some years ago in the interest of keeping up with the current best practice in technology circles whereby the users or customer is the beta and bug tester.