[password4321]

The associated March 2021 blog post mentioned implementing multiple PoCs abusing different timers; the one chosen was verified "on Chrome 88 on an Intel Skylake CPU", which was released January 2021.

A cursory search did not find what further mitigations have been implemented since 2021.

[rasz]

So in the end it turns out there doesnt exist "a demo page you could use right now to check if you are susceptible" after all because browsers removed attack surface (precise timers).

[TheDong]

> So in the end it turns out there doesnt exist "a demo page you could use right now to check if you are susceptible" after all because browsers removed attack surface

The original claim you made was "[the original attacks] didn't [work in javascript], otherwise there would be a demo page".

We have shown you such a page. You are not susceptible to that original attack anymore. Congrats. Isn't that all you were asking for? How have we not proven exactly that exists?

We haven't shown you that you are still presently susceptible to anything of course, but that's not what you were claiming.

And it's of course impossible to prove that you are not susceptible to any bug whatsoever, though I don't think many people would be surprised if there were still sources of accurate timing left in the browser

[rasz]

The linked page is not js, its js deferring actual attack to wasm. It doesnt work on 2018 system despite the demo being released in 2021.

[vore]

Your browser will run WebAssembly about as happily as it will run JavaScript. What's the distinction here?

[rasz]

    delete WebAssembly

uBlock can inject this to every webpage you visit. The distinction is you can disable WebAssembly and >99.99% of the web will run like nothing happened.