[Webkit-unassigned] [Bug 54167] REGRESSION(r78149): Return value of read() shouldn't be ignored.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Feb 10 13:09:09 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=54167
--- Comment #9 from Adam Barth <abarth at webkit.org> 2011-02-10 13:09:09 PST ---
(In reply to comment #8)
> Adam, I'm still curious about your thoughts on the issue of Web content abusing randomness source, and thus affecting other pages (and even other processes?!). Is there a rate limit or some other protection against that?
Access to OS randomness is mediated by a cryptographic PRNG in WTF. There shouldn't be a problem with sharing the crypto PRNG with other web pages. If there was, that would be an attack on RC4, and we'd have bigger problems!
Now, there's the question of whether it's dangerous to let web pages pull from OS randomness, even mediated by a PRNG. I don't think that's overly dangerous. In many common scenarios, web pages can already pull from OS randomness. For example, the <keygen> element lets you generate certificates, which requires a bunch of OS randomness. As another example, WTF::randomNumber backends to arc4random on Mac, which backends to /dev/urandom. To the extent that web pages can cause WebKit to call WTF::randomNumber, they can already convince us to extract randomness from the OS.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list