- From: Nifty Egg Mitch <mitch@niftyegg.com>
- Date: Sun, 6 Feb 2011 14:30:02 -0800
On Sun, Feb 06, 2011 at 09:04:50AM +0100, Roger H?gensen wrote: > Subject: Re: [whatwg] Cryptographically strong random numbers > On 2011-02-06 04:54, Boris Zbarsky wrote: > >On 2/5/11 10:22 PM, Roger H?gensen wrote: > > > >>This is just my oppinion but... If they need random number generation in > >>their script to be cryptographically secure to be protected from another > >>"spying" script... Good reading -- thanks for the four below links: > >You may want to read these: > > > >https://bugzilla.mozilla.org/show_bug.cgi?id=464071 > >https://bugzilla.mozilla.org/show_bug.cgi?id=475585 > >https://bugzilla.mozilla.org/show_bug.cgi?id=577512 > >https://bugzilla.mozilla.org/show_bug.cgi?id=322529 > > > .... [snip] ..... > Outch yeah, a nice mess there. ..... > > Math.random should be fixed (if implementations are bugged) so that > cross-site tracking is not possible, besides that Math.random should > just be a quick PRNG for generic use. ..... > I think it would be better to ensure it is not named "random" but > "srandom" or "s_random" or "c_random" to avoid any confusion with > Math.random > How about "cryptrnd", anyone? > > I'd hate to see a bunch of apps using cryptographically secure > random numbers/data just because it was called "random", > while in all likelyhood they'd be fine with Math.random instead. Adding crypt* is a bit unsettling. Adding randKnuthLCM, or rand.Algorithm makes more sense. To ignore that Knuth devoted an entire chapter to random numbers is naive. See Chapter 3 of Vol 2. Perhaps someone at RSA could contribute a list of algorithms that are worthy.
Received on Sunday, 6 February 2011 14:30:02 UTC