- From: Roger Hågensen <rescator@emsai.net>
- Date: Sun, 06 Feb 2011 04:22:39 +0100
On 2011-02-06 03:34, Boris Zbarsky wrote:
> The context in which I've seen people ask for cryptographically secure
> Math.random are cases where one script can tell what random numbers
> another script got by examining the sequence of random numbers it's
> getting itself. But I was never told what that "other script" was
> doing, only that it wanted its random numbers to be unguessable.

Hmm! A hostile script/cross-site exploit? But if a script is running "that close" to another script, isn't the guessing of the other script's random numbers the least of your worries? The "bad script" is already inside the house anyway, but just in the other room, right?

It kinda reminds me of Raymond Chen at Microsoft. Just Google the following:

site:msdn.com It rather involved being on the other side of this airtight hatchway

Kinda reminds me of some of those stories.

I assume they are worried about two tabs or an iframe in a page, and a "bad" script is trying to figure out the random numbers another script has.

This is just my opinion but... If they need random number generation in their script to be cryptographically secure to be protected from another "spying" script... then they are doing it wrong. Use HTTPS, issue solved, right? I'm kinda intrigued about the people you've seen asking, and what exactly it is they are coding if that is an issue. *laughs*

Besides, aren't there several things (by WHATWG even) that prevent such spying or even make it impossible? I have yet to hear of any actual panic regarding this, the same "issue" is theoretically known with EXEs as well. But with the multithreaded and multicore CPUs, clock variations, and so on, trying to exploit the pattern in, say, a Mersenne Twister PRNG by pulling lots of random numbers would either A. not work or B. cause a suspicious 100% CPU use on a core.

And don't forget that browsers like Chrome run each tab in its own process, which means the PRNG may not share the seed at all with another tab (I'm guessing pretty surely that each tab HAS its own seed). Besides, social engineering has a much higher success rate than this so...

Would be nice if some crypto/security experts popped their heads in about now though, in particular about the float question in previous posts :)

--
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
Received on Saturday, 5 February 2011 19:22:39 UTC