The Meltdown and Spectre attacks have recently been publicized, revealing vulnerabilities in all systems using modern microprocessors. Authentic8 systems share these vulnerabilities.

While there have been no publicized practical in-the-wild exploits of these vulnerabilities, we are applying system patches as they become available. Patches have been released for Meltdown on some platforms, with more expected; Spectre does not appear to be patchable in software and may require physical CPU revisions.

Authentic8 uses third-party cloud virtualization platforms for a minority of our services. These services (Amazon AWS, Google Compute) have patched their underlying software against the Meltdown attack. We are preparing kernel patches for our own systems and will provide updates as they are processed through QA and deployed.

The Authentic8 architecture in many ways mitigates against these types of attacks. Our browser isolation does not rely on hypervisors, so exploits designed to access data across virtual machines do not apply to us. Sensitive customer data is kept encrypted at rest and only decrypted as and when required, making customer credentials and encryption keys largely unavailable to these attacks.

We control our execution environments and do not allow unvetted third-party code to execute in them; to the extent that a non-browser application were to use one of these exploits to obtain sensitive data, our network architecture makes it difficult for the data to be exfiltrated.

We do allow Javascript to execute in the Silo and Toolbox browsers, and will be applying mitigations for Javascript Meltdown attacks as they are released by Mozilla.

This situation is developing rapidly. Authentic8 is committed to providing the best possible security and to this end we are closely monitoring these issues and working with our security partners to keep our customers and their data safe. We will provide updates on the situation as they become available.

Kevin Lund
CTO Authentic8, Inc.