If you actually were losing 2-3 orders of magnitude worth of performance, then you were hitting some secondary problems.
But, as I said when this came out, a 90% loss is entirely likely under a significant set of circumstances. "Flushing the L1" is HUGELY expensive--and I have doubt about the claims in the added paragraph.
This class vulnerability is endemic to speculative execution that is worth anything (that is, if it includes speculative loads) in anything resembling current architecture.
