I don’t think you do understand the problem, although never loading
JavaScript is probably a Good Thing™.
The most recent QSB describes a situation where a compromised qube with
PCI may access data in RAM that pertains to Xen or some other qube. It
has nothing to do with websites leveraging JavaScript (unless you
habitually browse from sys-net, which is probably a bad idea anyway).
Here is one way you could use a vulnerable machine to reduce the risk
somewhat.
- sys-usb:
  - Disposable.
  - Only run when needed: shut down when finished.
  - Shut down sensitive qubes before starting sys-usb.
- sys-net:
  - Disposable.
  - Only run when needed: shut down when finished.
  - Shut down/pause when performing sensitive operations in other qubes, as
    far as possible.
  - Consider moving all possible activities away from sys-net (date/time,
    updates, etc.), and reduce profile as far as possible.
- General activities:
  - Perform sensitive operations offline (e.g. use of GPG).
  - Shut down secure qubes when not in use.
  - There are some activities which require sys-net to be active: e.g.
    email, ssh sessions. Restart sys-net before these activities to minimise
    the risk of leakage and compromise. Shut down sys-net as soon as
    possible.
  - openssh protects private keys in RAM. Use split-ssh-agents.
  - Use split-gpg.
  - Encrypt data at rest.
  - Use qubes-shutdown-idle (with short timeout) to make sure that qubes
    close when not in active use.
Users may be doing some or all of this already.
I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
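
The "shut down sensitive qubes before starting sys-usb" step above can be enforced from dom0 with a small wrapper. This is an added example, not part of the original post or any Qubes tooling; the qube names in `SENSITIVE` are assumptions, and it assumes sys-usb is started with `qvm-start`.

```sh
#!/bin/sh
# Added example: dom0 wrapper that halts sensitive qubes before a device qube starts.
# SENSITIVE holds hypothetical qube names; replace them with your own.
SENSITIVE="${SENSITIVE:-vault work-gpg}"
DEVICE_QUBE="${DEVICE_QUBE:-sys-usb}"

# Read running qube names on stdin (one per line) and print the sensitive
# ones among them. -F -x match the whole name literally, so "vault" does not
# match "vault-old".
sensitive_running() {
    running="$(cat)"
    for name in $SENSITIVE; do
        if printf '%s\n' "$running" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Print the ordered dom0 commands: halt each running sensitive qube and wait
# for it, then start the device qube last.
plan() {
    sensitive_running | while read -r q; do
        printf 'qvm-shutdown --wait %s\n' "$q"
    done
    printf 'qvm-start %s\n' "$DEVICE_QUBE"
}

# Execute the plan in order. The first failure aborts the loop, so the device
# qube is never started while a sensitive qube is still up.
guarded_start() {
    qvm-ls --running --raw-list | plan | while read -r cmd; do
        echo "+ $cmd"
        $cmd </dev/null || {
            echo "failed: $cmd; not starting $DEVICE_QUBE" >&2
            exit 1
        }
    done
}

# Only touch qubes when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    guarded_start
fi
```

Running `qvm-ls --running --raw-list | plan` on its own prints the commands without executing them.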