[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] predictable PRNG used

From: David Woolley
Subject: Re: [Lynx-dev] predictable PRNG used
Date: Sun, 05 Jul 2009 22:11:20 +0100
User-agent: Thunderbird (X11/20090605)

Thorsten Glaser wrote:

But back to improvements - are the OpenSSL and *shudder* GnuTLS
RAND_* functions self-seeding on GNU/Linux? They could be used

If I understood the issue correctly, truly random seeding makes the information exposure greater, because it makes it much more likely that different browser sessions are in completely different places in the pseudo random sequence.

Whilst I would consider the number of organisations that go man in the middle for 3D Secure a much more real risk to security. the two approaches to this issue are either to make the random numbers cryptographically strong, which is not generally a requirement for random() type functions, or to make the delimiters deterministic.

There is no need for randomness in the delimiters. The only reason for making them random is so that if one submission fails because a delimiter clashes with content, the next attempt for the same data should not. The problem with this is that you have to prescan the content, possibly multiple times, to search for a safe delimiter. Of course, a 100% reliable random delimiter implementation has to be prepared to retry with a different delimiter, although I suspect this isn't actually done.

A cryptographically secure random number is one where either every one is truly random, or it is computationally infeasible to determine the internal state of the the random number generator.

if Lynx is built with SSL support anyway and arc4random is not
available. (I'd prefer arc4random though...)

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]