Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Brent Fulgham
I’m sorry we haven’t been forthcoming with details. We have wanted to put together a blog post explaining our fix, but have been preoccupied with a number of other security issues. I will make this my top priority, or at least give a rough overview to the webkit-security folks if we can’t put t

Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Maciej Stachowiak
Brent Fulgham or John Wilander would know the details. - Maciej > On Jan 5, 2018, at 8:04 AM, Michael Catanzaro wrote: > > > Hi devs, > > Any info about how to mitigate this problem would be appreciated. Thanks! > > Michael > > ___ > webkit-dev

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Filip Pizlo
Here is what else is in trunk: - index masking - pointer poisoning I’m going to write up what our thoughts are shortly. :-) For now feel free to browse the code with those two hints. -Filip > On Jan 5, 2018, at 8:31 AM, Konstantin Tokarev wrote: > > > >> Hi, >> >> Here's a collection of

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Michael Catanzaro
On Fri, Jan 5, 2018 at 11:32 AM, Konstantin Tokarev wrote: https://bugs.webkit.org/show_bug.cgi?id=181266 https://bugs.webkit.org/show_bug.cgi?id=165503 (prophecy?) Thanks! Michael ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://l

[webkit-dev] Javier Fernandez is now a WebKit reviewer

2018-01-05 Thread Mark Lam
Hi everyone, I would like to announce that Javier Fernandez (lajava on #webkit) is now a WebKit reviewer. Javier has worked on CSS Grid Layout and Box Alignment, as well as the selection and editing code. Please join me in congratulating Javier, and send him some patches to review. Javier, co

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Konstantin Tokarev
05.01.2018, 20:28, "Michael Catanzaro" : > On Fri, Jan 5, 2018 at 10:31 AM, Konstantin Tokarev > wrote: >>  Seems like both mitigations are already present in trunk > > Are there recent commits you can link to? I must have missed them fly > by. https://bugs.webkit.org/show_bug.cgi?id=181266 htt

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Konstantin Tokarev
> Hi, > > Here's a collection of blog posts from other major browser vendors > regarding the Meltdown and Spectre attacks: > > https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/ > > https://blog.mozilla.org/security/2018/01/03/mit

Re: [webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Yusuke SUZUKI
FYI, Apple also published the statement. https://support.apple.com/en-us/HT208394 On Sat, Jan 6, 2018 at 1:08 Michael Catanzaro wrote: > Hi, > > Here's a collection of blog posts from other major browser vendors > regarding the Meltdown and Spectre attacks: > > > https://blogs.windows.com/msedg

[webkit-dev] Meltdown and Spectre attacks

2018-01-05 Thread Michael Catanzaro
Hi, Here's a collection of blog posts from other major browser vendors regarding the Meltdown and Spectre attacks: https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/ https://blog.mozilla.org/security/2018/01/03/mitigations-landin

Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Michael Catanzaro
Hi devs, Any info about how to mitigate this problem would be appreciated. Thanks! Michael ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev