What Meltdown and Spectre mean for your website
04 Jan 2018I see a lot of security flaws (I did my Honours year at Deakin University in Distributed Operating System Security) but rarely have I seen anything as significant as Meltdown and Spectre. These are fundamental flaws in Intel's CPU architecture and they can not be properly fixed without replacing every computer's processor. I doubt there is the manufacturing capacity world-wide to replace every single computer CPU so these flaws will be around for a long time.
All cloud providers - which is almost everything we use these days from email to Office 365 to website hosting - will have to update their hardware. There is no other fix. The performance hit for patching these CPU vulnerabilities using software is estimated at up to 30% reduction in processing speed and that still doesn't completely fix the problem.
Here are some details from Tech Republic if you are tech savvy - https://www.techrepublic.com/article/massive-intel-cpu-flaw-understanding-the-technical-details-of-meltdown-and-spectre/
"The most critical problem the pair of vulnerabilities poses long term is for the entire cloud computing industry. With minimal time and investment, hackers can leverage Meltdown to escape from the confines of a VM to read information in memory-passwords, SSH keys, etc. from other VMs on the same machine. While Meltdown is being patched presently, and is substantively easier to exploit than Spectre, there is at present no solution to Spectre other than hardware replacement. Additionally, the aggregate effect of performance regressions as a result of patching means longer processing time for tasks, and higher cloud computing costs."
As bad as that sounds, the good news is that every cloud provider (like Amazon or Microsoft) will be replacing their hardware ASAP. They can not allow know security issues like these to remain or they expose themselves to massive legal risk. So as bad as the security problems are, I expect they will be fixed soon. The news is not so good for smaller cloud providers and people who host their own co-located servers because their ability to upgrade all their hardware immediately may be restricted. I imagine the big companies will get in first and tie up purchases of Intel and AMD CPUs for the next few months (if they haven't been doing that already).
There is no way of knowing if these vulnerabilities are currently being used by malware. That is something I will be watching closely.
It is important to note that it will not matter where your website is hosted. Everybody is affected in some way.
What about Amazon AWS specifically?
Amazon AWS customers will see a reduction in EC2 performance after Meltdown patches. See some details from The Register here - https://www.theregister.co.uk/2018/01/04/amazon_ec2_intel_meltdown_performance_hit/
I am not noticing a lot of impact on the sites I am hosting. Websites only require short bursts of CPU time as each page is created. This will add up during high loads but will not realistically impact most sites.
Fortunately, I use Cloudflare for website caching so CPU usage on the original AWS EC2 (Beanstalk) instance is very limited. Cloudflare will have its own issues dealing with Meltdown but the CPU time required to serve a cached file is far less than for building the file in the first place.
I am monitoring the performance of all the websites I host on AWS and will upgrade any instances that start to struggle. So far everything looks ok but if you notice something strange or slow on your website please contact me immediately.
I will post an update when I get more news from Amazon.
