On Mon, Jan 29, 2018 at 6:53 PM, Miguel González <[email protected]> wrote:
>
>> There are no plans to open source Varnish Total Encryption, and using
>> HTTPS by the means of a proxy on the same server as Varnish won't help
>> either. To mitigate Meltdown and Spectre, you need an updated kernel
>> and Linux doesn't completely mitigate Spectre yet (a recent GCC
>> release addresses the second Spectre variant with the "retpoline" patches).
>
> When are those issues expected to be solved? With OS issues mitigated,
> would Varnish be safe?

I'm loosely and remotely following what's happening on the Linux side so I may not be up to date but I believe that Meltdown and Spectre variant 1 are fixed/mitigated in the latest releases. You should check what your Linux distribution has done in this area, but I believe all major vendors have "kernel" and "microcode" updates ready at this point. In that case I believe Varnish would be safe, except for Spectre variant 2 that I think is almost ready but not there yet.

Varnish Total Encryption not only helps mitigate Meltdown and Spectre that could happen on a "neighbor's VM", but goes the extra mile too.

>> You should mostly be worried about Meltdown and Spectre if you are
>> running Varnish on shared machines provided by a hosting company (aka
>> cloud provider).
>
> I do myself host several sites, should I be worried then?

Get in touch with the hosting company, they'll know better than me about their business ;)

Dridi
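
As an added example (not part of the original message, and not Varnish code), here is one way to check what the running kernel reports for the three issues discussed above. It assumes the kernel exposes the sysfs directory `/sys/devices/system/cpu/vulnerabilities` (Linux 4.15 and vendor backports); the function names and the sample values in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the kernel's own Meltdown/Spectre status report.
# Assumption: the sysfs directory below exists (Linux 4.15+ or a backport).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<sysfs line>" -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host [dir] -> one line per issue; returns 0 only if every issue is ok.
# A missing file counts as "unknown", not as safe.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            report=$(cat "$dir/$name")
            verdict=$(classify_status "$report")
        else
            report="no report (kernel without the sysfs interface?)"
            verdict=unknown
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$report"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample: Meltdown and variant 1 mitigated, variant 2 not yet,
# matching the state of affairs described in the message above.
demo() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    if check_host "$d"; then drc=0; else drc=1; fi
    rm -rf "$d"
    return $drc
}
```

Call `check_host` with no argument to read the live host. On a hosted VM this only describes the guest kernel; the state of the provider's hypervisor is not visible from inside the guest.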
