Mailing List Archive

On Sat, Jan 27, 2018 at 8:37 PM, Miguel González
<miguel_3_gonzalez@yahoo.es> wrote:
> Dear all,
>
> I received recently an invitation for a webinar from Varnish about
> cache encryption in Varnish Total Encryption.
>
> I am concerned about how Varnish Cache is going to deal with this. Any
> plan to implement this in the open source version? Are we covered if we
> use any kind of SSL termination with a SSL proxy?

Hi Miguel,

There are no plans to open source Varnish Total Encryption, and using
HTTPS by the means of a proxy on the same server as Varnish won't help
either. To mitigate Meltdown and Spectre, you need an updated kernel
and Linux doesn't completely mitigate Spectre yet (a recent GCC
release address the second Spectre variant with the "retpoline" patches).

You should mostly be worried about Meltdown and Spectre if you are
running Varnish on shared machines provided by a hosting company (aka
cloud provider). In this case Varnish Total Encryption would make it
very hard to read the contents of your cache, but wouldn't protect the
rest of your system (any other service running on your virtual
machine). If you are caching more than just "public" resources with
Varnish, that's a pretty good protection.

Dridi
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

> There are no plans to open source Varnish Total Encryption, and using
> HTTPS by the means of a proxy on the same server as Varnish won't help
> either. To mitigate Meltdown and Spectre, you need an updated kernel
> and Linux doesn't completely mitigate Spectre yet (a recent GCC
> release address the second Spectre variant with the "retpoline" patches).

when is expected those issues are solved? With OS issues mitigated,
Varnish would be safe?


>
> You should mostly be worried about Meltdown and Spectre if you are
> running Varnish on shared machines provided by a hosting company (aka
> cloud provider).

I do myself host several sites, should I be worried then?

Thanks for answering!

Miguel


---
This email has been checked for viruses by AVG.
http://www.avg.com

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

On Mon, Jan 29, 2018 at 6:53 PM, Miguel González
<miguel_3_gonzalez@yahoo.es> wrote:
>
>> There are no plans to open source Varnish Total Encryption, and using
>> HTTPS by the means of a proxy on the same server as Varnish won't help
>> either. To mitigate Meltdown and Spectre, you need an updated kernel
>> and Linux doesn't completely mitigate Spectre yet (a recent GCC
>> release address the second Spectre variant with the "retpoline" patches).
>
> when is expected those issues are solved? With OS issues mitigated,
> Varnish would be safe?

I'm loosely and remotely following what's happening on the Linux side
so I may not be up to date but I believe that Meltdown and Spectre
variant 1 are fixed/mitigated in latest releases. You should check
what your Linux distribution has done in this area, but I believe all
major vendors have "kernel" and "microcode" updates ready at this
point.

In that case I believe Varnish would be safe, except for Spectre
variant 2 that I think is almost ready but not there yet. Varnish
Total Encryption not only helps mitigate Meltdown and Spectre that
could happen on a "neighbor's VM", but goes the extra mile too.

>> You should mostly be worried about Meltdown and Spectre if you are
>> running Varnish on shared machines provided by a hosting company (aka
>> cloud provider).
>
> I do myself host several sites, should I be worried then?

Get in touch with the hosting company, they'll know better than me
about their business ;)

Dridi
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

>
> I'm loosely and remotely following what's happening on the Linux side
> so I may not be up to date but I believe that Meltdown and Spectre
> variant 1 are fixed/mitigated in latest releases. You should check
> what your Linux distribution has done in this area, but I believe all
> major vendors have "kernel" and "microcode" updates ready at this
> point.
>
> In that case I believe Varnish would be safe, except for Spectre
> variant 2 that I think is almost ready but not there yet. Varnish
> Total Encryption not only helps mitigate Meltdown and Spectre that
> could happen on a "neighbor's VM", but goes the extra mile too.

Thanks for the info.

>
>>> You should mostly be worried about Meltdown and Spectre if you are
>>> running Varnish on shared machines provided by a hosting company (aka
>>> cloud provider).
>>
>> I do myself host several sites, should I be worried then?
>
> Get in touch with the hosting company, they'll know better than me
> about their business ;)

I mean I have my own VPS running Varnish on a dedicated server I own :)
Where you meaning that someone could get information on cloud instances
where Varnish is run for several cloud instances? I am not quite
grasping what you mean with "neighbor´s VM".

Thanks!

Miguel

---
This email has been checked for viruses by AVG.
http://www.avg.com

_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc

> I mean I have my own VPS running Varnish on a dedicated server I own :)
> Where you meaning that someone could get information on cloud instances
> where Varnish is run for several cloud instances? I am not quite
> grasping what you mean with "neighbor´s VM".

If my understanding is correct, you could read the host memory from a
guest VM, so on shared hardware a rogue VM could dump memory from
other guests. If you have VPSs, I suppose you should be fine. Your
hosting company would know better.

Dridi
_______________________________________________
varnish-misc mailing list
varnish-misc@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc