bester69 wrote: So you think what's going on is about Spectre or Meltdown?

I honestly don't know and I am far from expert in this subject, but I do think leaving the kernel-based Spectre & Meltdown protections disabled and JavaScript in the (outdated) browser enabled exposes the user to some serious vulnerabilities and probably should not be tried without good reason.
Have you actually measured any performance differences with the protections enabled?
AFAIUI, the risky speculative execution is only used for certain types of operation, I can't notice much difference on the desktop.
bester69 wrote: What about firejail --private, what are the risks, what do you suggest?

The security of Firejail is based on the security of the kernel itself, which you have wilfully disabled, so I don't think it will help as much as some suggest.
But I'm no expert
bester69 wrote: I tested firejail a little bit, and it seems to downgrade performance a little bit, but it could be bias, confused

You *are* confused, Firejail is a containerisation solution and should add no measurable overhead.
Benchmarks are the key here, try them instead of asking me.
bester69 wrote: For Meltdown and Spectre, I think the latest Opera versions already come with mitigation measures

AFAIUI, the browser-level mitigations just restrict the range of potential attacks rather than eliminate them entirely — you need the kernel protections as well.
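Before benchmarking or arguing about it, it is worth knowing whether the kernel mitigations are actually active. The script below is an added example, not code from this thread: it reads the kernel's own status files under /sys/devices/system/cpu/vulnerabilities and checks /proc/cmdline for mitigations=off, flagging any entry the kernel reports as "Vulnerable". The directory and command-line file are parameters so it can be pointed at a copied snapshot as well as the live system.

```sh
#!/bin/sh
# Added example (not from the thread): report the kernel's CPU-bug mitigation status.
# /sys/devices/system/cpu/vulnerabilities/* and /proc/cmdline are real kernel interfaces.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CMDLINE="${CMDLINE:-/proc/cmdline}"

# check_mitigations DIR CMDLINE_FILE
# Prints one line per vulnerability file and returns:
#   0 if every entry is "Not affected" or "Mitigation: ..." and mitigations are not disabled
#   1 if any entry reads "Vulnerable" or the kernel was booted with mitigations=off
check_mitigations() {
    dir="$1"
    cmdline="$2"
    rc=0

    # mitigations=off on the kernel command line switches off every CPU-bug mitigation.
    if [ -r "$cmdline" ] && grep -qE '(^| )mitigations=off( |$)' "$cmdline"; then
        echo "WARNING: kernel booted with mitigations=off"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -r "$f" ] || continue          # empty dir leaves the literal '*', skip it
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    tag="VULNERABLE"; rc=1 ;;
            Mitigation:*)   tag="mitigated" ;;
            "Not affected") tag="not affected" ;;
            *)              tag="unknown" ;;
        esac
        printf '%-28s %-12s %s\n' "$name" "$tag" "$status"
    done
    return "$rc"
}

# Inspect the live system when invoked as: sh check_mitigations.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mitigations "$VULN_DIR" "$CMDLINE"
fi
```

A non-zero exit (or a VULNERABLE line) means the kernel itself is exposed, which is the situation the replies above warn about regardless of what the browser or Firejail do.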