W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2011

[whatwg] Cryptographically strong random numbers

From: Glenn Maynard <glenn@zewt.org>
Date: Sat, 5 Feb 2011 23:21:43 -0500
Message-ID: <AANLkTimnpHo-eANqgdy5fvD3z+h5ijkeXe4X82D_xhEN@mail.gmail.com>
On Sat, Feb 5, 2011 at 11:07 PM, Cedric Vivier <cedricv at neonux.com> wrote:

> read(FD("/dev/random"), PTR(arraybufferview->data),
> arraybufferview->byteLength)

More accurately, /dev/urandom, since this is a synchronous API that
shouldn't block.  This should be made explicit if this gets specced.

I thought about suggesting a /dev/random-like interface earlier--one which
reads from a real, blocking entropy source (like /dev/random) with an async
API.  However, on examination /dev/urandom is apparently good enough even
for ssh-keygen, so I'm guessing that's unnecessary.  (It could also cause
other problems, eg. allowing webpages to flush a user's kernel's entropy
buffer and causing separate pages to compete for entropy data.)

Glenn Maynard
Received on Saturday, 5 February 2011 20:21:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:30 UTC