After the public release of the vulnerabilities named “Spectre” and “Meltdown, it’s hard to know what to do. How can developers and webmasters protect their users and websites? First-aid proposals are coming from the Chromium Dev Team.
“Spectre” and “Meltdown” are the worst-case scenarios for IT-security with more than 90% of Intel-CPUs affected. Hacks for using the security flaws are rather theoretical at the moment since they are complex and time-consuming to execute. So, not every user has to be scared – but at the same time, it’s definitely a more dangerous vulnerability than “another” data breach revealing passwords and usernames.
These news are horribly bad for cloud services, large B2B service providers or companies which are dependent on data security.
Blinded by the extreme speed gains of modern processor architecture, out-of-order executions became a standard. This speculative approach allows processors to guess the next processing step to gain valuable execution time. At the same time, it opens the door for non-authorized requests.
Winning speed, on one hand, losing security, on the other hand, led to the problem that 3rd party scripts from websites can now use this door within any browser to read any data transferred. Yes, passwords, whether SSL secured or not, can be extracted.
It’s time for web developers, webmasters, browser developers and security companies to step up and fight the security flaw.
First patches are developed and published – however, looking at the history of browser usage and update discipline, it is necessary to actually secure websites to fend off attacks.
How to protect your users from Spectre and Meltdown?
Google developer Surma published a tweet with directions for web developers:
– Set correct(!)
– If possible, use SameSite cookies
— Surma (@DasSurma) 6. Januar 2018
The Chromium Dev Team accumulated several tips. And, Chromium, the open-source basis for Chrome, supports one of the most important features to close the security vulnerability:
„specify a nosniff header for any URLs with user-specific or sensitive content“
It is basically a best-practice of modern web development even before Meltdown/Spectre and also quite easy to implement by adding the following line of code:
Additional security features can be activated with other HTTP Headers. And the development around HTTP Headers is constantly evolving – making it hard to stay up-to-date and offer the best possible protection for your users.
Furthermore, not every internet business has direct and fast access to its own code base. Often the code is maintained by external service providers or became so complex, that a simple integration, like a Header adjustment, is impossible to be deployed in a short span of time.
By using external software solutions like wao.io, users benefit from the built-in security measures, which can be activated without any code changing.
Activate “nosniff” – like many other security features – with a simple toggle:
Thereby fixing a security flaw in seconds.
Another advantage of an extensive solution like wao.io is the sustainability of the security approach – always staying up-to-date with security features.
Namely without repetitive code updates.
One thing is for certain: we are going to see a lot of different patches being published until Meltdown/Spectre are no direct threat anymore. And there will be new vulnerabilities – harmful again.
Learn more about our security features here: wao.io/all-features
This article was originally published by Christian Brand and translated by Heinrich R.