What Do Spectre and Meltdown Mean for My Website?
These new computer vulnerabilities are not going away anytime soon
There has been a fair amount of buzz lately about “Meltdown” and “Spectre”, two recently discovered security vulnerabilities. They have cute logos to go with them, but the vulnerabilities themselves are anything but cute, and will likely cause headaches for many of us for years to come. Here at Bluehouse Group, we stay on top of any security issues that might affect our clients, their sites, and the servers those sites run on.
Meltdown and Spectre are unlike anything we’ve seen before. Both take advantage of issues physically built into computer hardware in everything from servers and laptops to smartphones. Though the implications of these vulnerabilities are unsettling, our conclusion at the moment is that – based on currently available information – this is something everyone should be aware of, but probably not lose sleep over. At least not yet.
The single most important thing to do when it comes to protecting against Meltdown and Spectre, is to not install and run any software unless you know and trust the source.
Meltdown and Spectre were recently discovered and reported by independent security researchers. To put it simply, these vulnerabilities allow for the possibility that a piece of software running on a device (including web servers, computers, phones, and browsers) could gain access to private information stored on the same device, even if that information is protected or encrypted.
Luckily, Meltdown and Spectre can’t be used to change or delete data, but because they can be used to quietly retrieve private information (such as passwords), they are considered extremely severe vulnerabilities. So far there have been no reports or evidence that either vulnerability has been used maliciously in the wild, and as of this writing, these vulnerabilities present only hypothetical security issues. Making use of them to target the average user would require a significant (though not impossible) amount of work.
The biggest hurdle preventing the malicious use of the Meltdown and Spectre vulnerabilities is that someone would have to install and run malicious software on the target device. This presents a great opportunity to remind people of what is now sage advice: don’t install and run software from an untrusted source. Before installing anything, do a little research! Make sure the software is both legitimate and being downloaded and installed from a legitimate source. If you maintain this basic level of security hygiene, you can rest a little easier knowing that you probably won’t be the target of a Meltdown or Spectre-inspired attack.
Is There a Fix?
Spectre and Meltdown are devilish and significant because their existence is linked to the microchips inside all of our devices, and to how those chips were designed. Because these unfortunate design choices are etched into the chips physically, fixes are especially hard to implement. Since these vulnerabilities are not simply bugs in software, a basic security update cannot fully plug the holes. You may have heard that some software patches are available (and these are probably worth installing), but they only reduce risk, and do so at the cost of a noticeable impact on device performance. Some reports estimate as much as a 30% performance drop after installing the software patch, but that's the price to pay for less risk. The real fix for these issues will happen over the coming years, as hardware manufacturers find a way to build new chips that do not contain the design flaws that allow such vulnerabilities to exist.
What’s Our Recommendation for Now?
Simply practice good security hygiene:
- Keep your software up to date
- Do a little research before downloading anything new on to a device
- Don't install anything from an unknown source
- Before clicking links in an email, make absolutely sure the email is from a legitimate source
- If your website is hosted with a vendor other than Bluehouse Group, ask your vendor if they are aware of these vulnerabilities and what level of security is on the servers
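If you run your own Linux server, you don't have to take a vendor's word for whether the software patches mentioned above are in place. Modern Linux kernels publish their own per-issue status (for example, files named meltdown, spectre_v1 and spectre_v2) under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Vulnerable", or "Mitigation: ...". The script below is an added example, not part of the original post or Bluehouse Group's tooling; it summarises that report and exits non-zero when any entry is still reported as vulnerable. The function names and the sample tree it builds for offline demonstration are our own constructions.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's CPU vulnerability report.
# Each file under the directory below holds one status line such as
# "Not affected", "Vulnerable" or "Mitigation: ...". The directory is a
# parameter so the same functions can be exercised against a constructed
# copy of the tree as well as the live one.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print one "<name>: <status>" line per vulnerability file.
# Returns 2 when the directory is missing (kernel too old to report).
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no vulnerability report at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Echo the number of entries whose status still begins with "Vulnerable".
count_unmitigated() {
    dir=${1:-$VULN_DIR_DEFAULT}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Exit 0 only when nothing is still reported vulnerable, so the check can
# run from cron or a configuration-management tool and fail loudly.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    report_mitigations "$dir" || return 2
    [ "$(count_unmitigated "$dir")" -eq 0 ]
}

# Constructed sample tree (hypothetical values, not captured from a real
# host) so the functions can be demonstrated on any machine.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Demonstration against the constructed tree; the spectre_v2 entry is
# deliberately left unmitigated so the non-zero exit path is visible.
sample=$(make_sample_tree)
report_mitigations "$sample"
echo "unmitigated entries: $(count_unmitigated "$sample")"
rm -rf "$sample"
```

To check the live host rather than the sample, call `check_host` with no argument (or `check_host /sys/devices/system/cpu/vulnerabilities`) from a shell that has sourced the script; a "Vulnerable" entry means the kernel knows about the issue but has no mitigation active, which is exactly the state to raise with a hosting vendor.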
Again, the single most important thing to do when it comes to protecting against Meltdown and Spectre is to not install and run any software unless you know and trust the source. Next, be educated on the issues enough to ask the right questions of your vendor; you don’t need to be an expert, but don’t assume that because someone else is on watch, you’re covered. Ask them what their assessment of the risk is on their servers; if they haven't heard of these vulnerabilities, that might be a red flag. Besides that, you can sign up for Bluehouse Group’s newsletter at the bottom of this page or become a follower on our Facebook page, where we periodically share useful tips on web marketing topics. We’ll keep you updated with any new developments on these issues as they become available.
If you want to learn more, here are two good resources:
Graz Institute of Technology in Austria’s Spectre information site, created by one of the three parties that originally discovered the vulnerabilities
Brian Waters, a security analyst at ISE, wrote this informative blog post.