[webkit-dev] Blacklisting some sqlite functions
cevans at chromium.org
Thu Jan 7 15:48:28 PST 2010
On Thu, Jan 7, 2010 at 11:13 AM, Adam Barth <abarth at webkit.org> wrote:
> On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson <beidson at apple.com> wrote:
> > Are random() and randomblob() security risks? Could you point us to a
> > source explaining this?
> They're fairly low risk, but you tend to leak a surprising amount of
> information when you expose non-cryptographic random sources to
> attackers. We've already gotten a rather detailed report of the leaks
> from Math.random, for example. If these functions are useful, we can
> keep them, but it does cost some amount of attack surface.
[reposting with my @chromium.org address]
Math.random(). It makes a lot of things simpler in the future. Perhaps one
day all the browsers will adopt a standard secure random API.
I think Apple Safari was the only browser to adjust their Math.random()
implementation based on this report?
It's not serious at all, but is interesting.
Anyway, I think we get better options for the future by not randomly adding