[webkit-dev] Blacklisting some sqlite functions
Adam Barth
abarth at webkit.org
Thu Jan 7 11:13:28 PST 2010
On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson <beidson at apple.com> wrote:
> Are random() and randomblob() security risks? Could you point us to a
> source explaining this?
They're fairly low risk, but you tend to leak a surprising amount of
information when you expose non-cryptographic random sources to
attackers. We've already gotten a rather detailed report of the leaks
from Math.random, for example. If these functions are useful, we can
keep them, but it does cost some amount of attack surface.
Adam
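As an added example that is not part of this message or of WebKit's own code: one way an embedder can refuse the two functions discussed above is SQLite's authorizer hook, which is consulted at statement-prepare time, so the call is rejected before any query runs. It uses Python's sqlite3 module against an in-memory database; the blacklist contents are the only assumption.

```python
import sqlite3

# Built-in SQL functions this example refuses to expose to untrusted SQL
# (the two the thread discusses). Names are matched case-insensitively.
BLACKLISTED_FUNCTIONS = frozenset({"random", "randomblob"})


def _authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: deny calls to blacklisted functions."""
    # For SQLITE_FUNCTION, arg1 is None and arg2 carries the function name.
    if (action == sqlite3.SQLITE_FUNCTION and arg2 is not None
            and arg2.lower() in BLACKLISTED_FUNCTIONS):
        return sqlite3.SQLITE_DENY
    # Every other action (SELECT, READ, INSERT, ...) is left alone here.
    return sqlite3.SQLITE_OK


def open_restricted_db():
    """Return an in-memory connection whose statements are checked by the authorizer."""
    conn = sqlite3.connect(":memory:")
    conn.set_authorizer(_authorizer)
    return conn


def run_query(conn, sql):
    """Execute sql; return ("ok", rows) or ("denied", message) if SQLite refused it.

    A denied function call fails at prepare time with an SQLITE_AUTH error,
    which the Python binding surfaces as sqlite3.DatabaseError.
    """
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    db = open_restricted_db()
    print(run_query(db, "SELECT random()"))        # denied
    print(run_query(db, "SELECT randomblob(16)"))  # denied
    print(run_query(db, "SELECT abs(-3)"))         # ok, [(3,)]
```

Because the check happens during prepare, a blacklisted function reached through a view or trigger body is rejected the same way as a direct call.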