Both are triggered by malicious code running on the same hardware as you.
Mitigation means don't put anything important on shared hardware (read: avoid VPSes) and run NoScript or the equivalent in your browser.
Weren't those security best practices already?
Yes, this is a nightmare for VPS providers and worrying for those who placed their trust in virtualization. But the tinfoil-hat brigade has been assuming such bugs existed for ages.
Am I missing anything?
@HerraBRE One OS instance per hardware has been a "security best practice"? No. I don't think it was. And ordinarily it shouldn't be.
@paco The security best practice I speak of is:
"Don't share hardware with untrusted strangers who can run arbitrary code and try to attack your hypervisor or local network."
Of course you should use all the compartmentalization tech that is appropriate for your use case. Even if they can be attacked, it raises the bar.
@paco I didn't say never. I said it was a best security practice, which it is.
I'm well aware that lots of people (myself included) prioritise other things above absolute security.
When have SaaS and PaaS and IaaS not been problematic for privacy and security? People who care (banks, for example) do this in 2018 the exact same way they did it in 2008 and 1998.
Own hardware or lease entire machines. It's not rocket science, even if your employer would like us to think otherwise. 😉
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!