Brave Protection from Meltdown/Spectre?


#1

Per public reports, two types of exploits named Meltdown and Spectre expose microprocessors from multiple manufacturers (Intel, AMD, ARM) to security breaches. https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html

Given Brave’s strong position on security, and that the Spectre exploit can be accomplished through JavaScript, I’m curious: Does Brave already protect against this?

If not, is there any protection that can be added to Brave as a new feature, and if so, is there an ETA for that enhancement?


#2

Since Brave is based on Chromium 63, Google has info on what they’re doing and what’s coming shortly in 64: Google’s Mitigations Against CPU Speculative Execution Attack Methods and Actions Required to Mitigate Speculative Side-Channel Attack Techniques.


#3

Thanks – that’s what I thought, but didn’t want to guess.

  1. Since Chromium 64 is scheduled for release on or about Jan 23, about how long after that might Brave users see an updated build?

I have no reason to be especially nervous about Meltdown/Spectre; I’ve just been promoting Brave and would like to be able to confirm to potential users that Brave is taking actions to address these issues.

  2. Does the Site Isolation feature work for Brave? Or is that a Chrome-specific feature? (I’d just try it but I’m not on my desktop at the moment.)

Update: I just found a note from LaurenWags here addressing my second question. (This post didn’t come up when I searched for this subject prior to creating a new topic, or I wouldn’t have created a new topic.) How to enable strict site isolation on Brave (chrome://flags#enable-site-per-process doesn’t work)


#4

Just did some quick testing and the short answer seems to be yes; the following worked on my Mac:

$ /Applications/Brave.app/Contents/MacOS/Brave --site-per-process


#5

Hi @Flatfingers @alwillis,

As far as I’m aware, the team is working on “Strict site isolation”, and that will be available in the next hotfix release. Brave also has a script blocker: about:preferences#shields for the global setting, and the Brave icon at the top right for the per-site setting.

Best,
:slight_smile:


#6

Yup, just installed it and it’s there.


#7

@alwillis I assume you downloaded 0.19.127 from GitHub. That is a pre-release version meant for testing, while the latest stable is 0.19.123. Just want to make sure you’re aware of this :slight_smile:

Best.


#8

Thanks for the update; I probably got the versions mixed up.


#9

My fault—I thought everything in the 0.19.x series was the release channel vs. 0.20.x which is the beta channel?


#10

Yes, 0.19.x is a release channel, with 0.19.123 as the latest stable release. Users who downloaded from the Brave website will have this version and will not notice the pre-release version and/or beta channel.

Sometimes the team prepares a hotfix on the release channel (containing a small fix, a Chromium upgrade, or something else) that ships between the release and beta channels. A version like 0.19.127 or 0.19.130 or the like is a pre-release version of the release channel, meant to test the hotfix before they release it as the latest stable version.

If you look on GitHub, a pre-release version will have the pre-release tag, while the latest stable will have the latest release tag.

But you can have the pre-release version installed; it’s up to your preference.
Hope that makes it clear.
Best,
:slight_smile:


#11

Outstanding response, typical of the Brave team’s dedication to delivering a product that does what it says it does and does it well.

Thank you!