meltdown cache encryption

Dridi Boukelmoune dridi at varni.sh
Mon Jan 29 18:49:34 UTC 2018


On Mon, Jan 29, 2018 at 6:53 PM, Miguel González
<miguel_3_gonzalez at yahoo.es> wrote:
>
>> There are no plans to open source Varnish Total Encryption, and using
>> HTTPS by the means of a proxy on the same server as Varnish won't help
>> either. To mitigate Meltdown and Spectre, you need an updated kernel
>> and Linux doesn't completely mitigate Spectre yet (a recent GCC
>> release addresses the second Spectre variant with the "retpoline" patches).
>
> When are those issues expected to be solved? With the OS issues mitigated,
> would Varnish be safe?

I'm loosely and remotely following what's happening on the Linux side,
so I may not be up to date, but I believe that Meltdown and Spectre
variant 1 are fixed/mitigated in the latest releases. You should check
what your Linux distribution has done in this area, but I believe all
major vendors have "kernel" and "microcode" updates ready at this
point.

In that case I believe Varnish would be safe, except for Spectre
variant 2 that I think is almost ready but not there yet. Varnish
Total Encryption not only helps mitigate Meltdown and Spectre that
could happen on a "neighbor's VM", but goes the extra mile too.

>> You should mostly be worried about Meltdown and Spectre if you are
>> running Varnish on shared machines provided by a hosting company (aka
>> cloud provider).
>
> I do host several sites myself; should I be worried then?

Get in touch with the hosting company, they'll know better than me
about their business ;)

Dridi
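
The reply above tells the reader to check what their distribution has shipped. The script below is an added example, not part of the mailing-list thread or of Varnish itself: it reads the kernel's own report of Meltdown/Spectre mitigation status from sysfs and classifies each entry. It assumes the `/sys/devices/system/cpu/vulnerabilities/` interface is present (kernels from the 4.15 era onward expose it; distribution backports may differ), and the sample directory it builds for a dry run contains constructed status strings modelled on the kernel's format, not output captured from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what the running kernel says
# about Meltdown and Spectre mitigations. Assumption: the kernel exposes
# /sys/devices/system/cpu/vulnerabilities/<issue>, one status line per file.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> mitigated | vulnerable | not-affected | unknown
# Matches the prefixes the kernel uses for these files.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_vulnerabilities DIR
# Prints "issue<TAB>class<TAB>raw kernel status" per file.
# Returns 1 if any issue is still reported as vulnerable, 0 otherwise.
report_vulnerabilities() {
    vdir="$1"
    rc=0
    for vfile in "$vdir"/*; do
        [ -r "$vfile" ] || continue
        issue=$(basename "$vfile")
        status=$(cat "$vfile")
        class=$(classify_status "$status")
        [ "$class" = "vulnerable" ] && rc=1
        printf '%s\t%s\t%s\n' "$issue" "$class" "$status"
    done
    return $rc
}

# make_sample_dir: constructed sample data for an offline dry run. The strings
# mirror the kernel's format; the mix (Meltdown and Spectre v1 mitigated,
# Spectre v2 still open) matches the state the thread describes.
make_sample_dir() {
    sdir=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$sdir/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$sdir/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sdir/spectre_v2"
    echo "$sdir"
}

# Stand-alone run: report on the live kernel when the interface exists,
# otherwise fall back to the constructed sample so the output format is visible.
if [ -d "$VULN_DIR" ]; then
    report_vulnerabilities "$VULN_DIR" || echo "WARNING: kernel reports at least one unmitigated issue"
else
    echo "no $VULN_DIR on this kernel; showing constructed sample instead"
    report_vulnerabilities "$(make_sample_dir)" || echo "WARNING: sample reports an unmitigated issue"
fi
```

Run it as root or any user (the sysfs files are world-readable); a non-zero exit status is the signal to chase the distribution's kernel and microcode updates. The status lines are the kernel's view only: a "Mitigation:" entry means the kernel found what it needed at boot, so after installing a microcode package, reboot before trusting the result.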

