I predict tonight's disclosures will lead to an uptick in interest in running websites on dedicated hardware, like we did back at the turn of the century.
Spectre doesn't really care if it is cloud or bare metal. They are equally vulnerable unless disconnected from internet.
This affects browsers with Javascript enabled because your Javascript engine runs foreign code on the CPU. The bad guy puts nasty code in a page, you visit the page, the code executes on your machine--boom.
And it affects public cloud web servers because multiple cloud servers (virtual machines) run on one CPU. So some attacker might be able to jump out of their VM and read your VM's memory.
BUT, on a dedicated hardware web server, there shouldn't be any foreign code running--no foreign VMs, and no browser.
Any user who has access to a system (developers or support or sysadmin) has the ability to read arbitrary memory. The vulnerability can probably be leveraged to privilege escalation or bypass the isolation.
So cloud instance and bare metal ones are equally vulnerable under Spectre: as long as they can transfer their malicious code to your VMs and runs it. Can't really see how bare metal servers mitigate this problem.
Add in that Spectre specifically is a js bug so in order to be vulnerable your server would need to execute untrusted JavaScript and I think we can assume the threat surface of this specific bug is smaller outside the cloud...
https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9...
Its a technique, not a flaw in js, from my understanding
1) https://spectreattack.com/: "Spectre tricks other applications into accessing arbitrary locations in their memory. " Spectre does not let you execute code in another guest
2) Spectre is not javascript specific. I am not sure why you think it is, beyond the fact a PoC was written in js
Obviously it's not just a js bug, there are other PoCs in other languages.
I never said anything about executing code in another guest, not sure where you got that from.
