
Re: [Lynx-dev] mozilla's take on arc4random

From: David Woolley
Subject: Re: [Lynx-dev] mozilla's take on arc4random
Date: Tue, 14 Jul 2009 11:36:56 +0100
User-agent: Thunderbird (X11/20090605)

Thorsten Glaser wrote:
> Michael S Gilbert dixit:
>
> > the mozilla developers are working this predictable PRNG issue, and
> > they have indicated that arc4random would not be sufficiently secure

Note that, for the traditional, mathematical, uses of random number generators, predictability is desirable, as it allows detailed results to be reproduced.

> No, it’s simply not needed. For Mozilla, they have their NSS stuff,
> which is used by the browser internally, and the javascript random
> functions have different requirements. Such functions should not
> deliver a constant random stream, but instead use a random seed –
> whether this comes from NSS or arc4random is irrelevant – for a

As I understand the requirement that started this thread, what is required is that it not be possible to deduce the internal state of the mechanism that generates MIME delimiters. That can be achieved either by having no internal state, or by using cryptographically strong methods (true random numbers, or a truly random seed and an algorithm for which it is computationally infeasible to deduce later numbers in the sequence from earlier ones).

The MIME requirements can, I believe, be met by having no internal state, and simply searching for a string that does not appear in any of the parts.

> function like an LFSR. (They could expose the NSS (P)RNG, but there
> is no language standard for it.)
>
> This is irrelevant for Lynx, as it does not do Javascript.

The original requirement is not irrelevant to Lynx, as Lynx can generate MIME multipart form submissions.

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
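The stateless approach David describes above (choose a multipart delimiter by checking that it occurs in none of the parts, so there is no generator state for anyone to recover) as an added C example. This is not Lynx code and not code from anyone in this thread; the fixed prefix, the counter-based search, the search limit and the sample parts are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One body part of a multipart/form-data submission. The length is
 * carried explicitly so an uploaded binary file (which may contain NUL
 * bytes) is searched in full, not just up to its first NUL. */
struct part {
    const unsigned char *data;
    size_t len;
};

/* True if needle (nlen bytes) occurs anywhere in hay (hlen bytes).
 * Portable stand-in for the non-standard memmem(). */
static bool contains(const unsigned char *hay, size_t hlen,
                     const char *needle, size_t nlen) {
    if (nlen == 0) return true;
    if (nlen > hlen) return false;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return true;
    return false;
}

/* Pick a boundary that appears in none of the parts. Nothing is kept
 * between calls, so one submission reveals nothing about the delimiter
 * of another: the candidate sequence is fixed and the only thing that
 * decides the result is the content being sent. Returns the boundary
 * length, or 0 if the buffer is too small or no candidate was found
 * within the (assumed) search limit. */
size_t choose_boundary(const struct part *parts, size_t nparts,
                       char *out, size_t outlen) {
    /* Assumed prefix; any fixed text works, since uniqueness comes from
     * the search, not from the prefix. */
    static const char prefix[] = "----FormBoundary";
    for (unsigned long counter = 0; counter < 1000000UL; counter++) {
        int n = snprintf(out, outlen, "%s%lu", prefix, counter);
        /* RFC 2046 limits a boundary to 70 characters. */
        if (n < 0 || (size_t)n >= outlen || n > 70) return 0;
        bool clash = false;
        for (size_t i = 0; i < nparts && !clash; i++)
            clash = contains(parts[i].data, parts[i].len, out, (size_t)n);
        if (!clash) return (size_t)n;
    }
    return 0;
}

/* Constructed sample input: a text field and a "file" whose content
 * deliberately contains the first two candidates, forcing the search
 * to move on to the third. */
static size_t run_demo(char *out, size_t outlen) {
    static const char field[] = "name=lynx";
    static const char file[] = "x ----FormBoundary0 y ----FormBoundary1 z";
    struct part parts[2] = {
        { (const unsigned char *)field, sizeof field - 1 },
        { (const unsigned char *)file,  sizeof file - 1 },
    };
    return choose_boundary(parts, 2, out, outlen);
}

/* Boundary chosen for the sample parts (static buffer). */
const char *demo_boundary(void) {
    static char buf[80];
    if (run_demo(buf, sizeof buf) == 0) buf[0] = '\0';
    return buf;
}

/* Same search with a buffer too small for any candidate: returns 0. */
size_t demo_too_small(void) {
    char buf[8];
    return run_demo(buf, sizeof buf);
}

int main(void) {
    const char *b = demo_boundary();
    if (b[0] == '\0') { puts("no boundary found"); return 1; }
    printf("boundary: %s\n", b);
    return 0;
}
```

The check is deliberately conservative: RFC 2046 only forbids the boundary at the start of a line preceded by "--", but testing for the bare string anywhere in each part is simpler and never accepts a delimiter the stricter rule would reject. Because no state survives between calls, the predictability concern raised earlier in the thread does not arise for this scheme at all; what remains is the ordinary input-validation duty of searching every byte of every part, including binary uploads.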
