[tzahola]

- we didn't have browsers compiling JavaScript into machine code

- we didn't have hyperconverged cloud infrastructures running arbitrary entities' code next to each other

[ashleyn]

Sounds like it's time for me to give up on the so-called "modern web" and install noscript.

[yorwba]

You can have both "modern web" and block most JavaScript. You just need to keep adding scripts to the whitelist until sites you trust work again. It's a bit arduous at first, but possible to get used to once everything you visit daily has been added.

[meepmorp]

Unless, of course, the site you trust is hosted in a shared hosting VM which is also vulnerable to spectre or meltdown. In which case, you can’t trust the scripts.

[XR0CSWV3h3kZWg]

spectre can read, not write.

[meepmorp]

If I can read arbitrary data, what’s stopping me from reading the credentials I need to write data?

[anfilt]

What if I read the sites TLS/SSL keys? I could MITM the connection and inject JS to do more malcious thing.

Or even easier get the ssh key for the VM. Then do what ever I want.

[dtparr]

If it can read the right data (private keys, etc.), then it can write whatever it wants.

[jzl]

Great answer.

The web issue is easier to mitigate if not fix completely since there is already a massive infrastructure for widespread, rapid browser updates, and crippling Javascript to eliminate attack vectors such as high-resolution timers is completely acceptable.

The cloud/vm infrastructure is a massive problem though. It is 100% required that VMs be fully isolated. The entire infrastructure breaks down if they aren't.