meltdown cache encryption

Dridi Boukelmoune dridi at varni.sh
Mon Jan 29 10:06:35 UTC 2018


On Sat, Jan 27, 2018 at 8:37 PM, Miguel González
<miguel_3_gonzalez at yahoo.es> wrote:
> Dear all,
>
>   I recently received an invitation for a webinar from Varnish about
> cache encryption in Varnish Total Encryption.
>
>   I am concerned about how Varnish Cache is going to deal with this. Any
> plan to implement this in the open source version? Are we covered if we
> use any kind of SSL termination with an SSL proxy?

Hi Miguel,

There are no plans to open source Varnish Total Encryption, and using
HTTPS by means of a proxy on the same server as Varnish won't help
either. To mitigate Meltdown and Spectre, you need an updated kernel,
and Linux doesn't completely mitigate Spectre yet (a recent GCC
release addresses the second Spectre variant with the "retpoline" patches).

You should mostly be worried about Meltdown and Spectre if you are
running Varnish on shared machines provided by a hosting company (aka
cloud provider). In this case Varnish Total Encryption would make it
very hard to read the contents of your cache, but wouldn't protect the
rest of your system (any other service running on your virtual
machine). If you are caching more than just "public" resources with
Varnish, that's a pretty good protection.

Dridi
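For readers who want to verify the "updated kernel" part of the answer above: since Linux 4.15 (and the distribution backports of January 2018), the kernel reports its Meltdown/Spectre mitigation status under /sys/devices/system/cpu/vulnerabilities/, one file per variant. The script below is an added example, not code from this thread or from the Varnish project. It reads that directory and fails if any entry reports "Vulnerable" (which is what an incomplete Spectre v2 mitigation looked like on early 4.15 kernels, e.g. "Vulnerable: Minimal generic ASM retpoline"). The fixture directory and its status strings are constructed here so the script can be run offline; the function name check_cpu_vulns is this example's own.

```bash
#!/bin/sh
# Added example (not from the varnish-misc thread): report the kernel's
# Meltdown/Spectre mitigation status as exposed by sysfs.
# Assumption: the directory holds one file per vulnerability, each
# containing a single status line in the format the kernel writes
# ("Not affected", "Mitigation: ...", or "Vulnerable[: ...]").

# Print "<name>: <status>" for every entry.
# Returns 0 if nothing is reported as Vulnerable, 1 if something is,
# 2 if the directory is missing (kernel too old to report mitigations).
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir not present: kernel does not report mitigation status" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s: %s\n' "$name" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed fixture mimicking an early-2018 kernel: Meltdown mitigated
# by PTI, Spectre v1 by pointer sanitization, Spectre v2 only partially.
# Real values come from the running kernel, not from here.
make_fixture() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# When run directly: check the live kernel if it exposes the directory,
# otherwise show the output format using the constructed fixture.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    check_cpu_vulns || echo "at least one entry reports Vulnerable" >&2
else
    check_cpu_vulns "$(make_fixture)" \
        || echo "(fixture) at least one entry reports Vulnerable" >&2
fi
```

On a host that is fully patched, every line should read "Not affected" or "Mitigation: ..." and the exit status is 0; a "Vulnerable" entry for spectre_v2 means the kernel was built without a retpoline-capable compiler (or without updated microcode), which is exactly the gap the reply above refers to.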


More information about the varnish-misc mailing list