On Wed, Dec 12, 2012 at 12:39 PM, Salz, Rich <rs...@akamai.com> wrote:
> Until someone breaks the website, spoofs it, buys out the owner, etc.
>
> Q2.4: Are the numbers available in a secure fashion?
>
> Yes, since April 2007 you can access the server via https://www.random.org/
>
> I should probably note that while fetching the numbers via secure HTTP would 
> protect them from being observed while in transit, anyone genuinely concerned 
> with security should not trust anyone else (including RANDOM.ORG) to generate 
> their cryptographic keys.
>
Yeah, we need a fingerpaint program for all those mobile devices
(seriously!). Upon first boot (or after reset), the user has to finger
paint something to get the RNG/PRNG some entropy.
(http://groups.google.com/group/android-security-discuss/browse_thread/thread/71c6ab0081c70e9c)

Also relevant: "When Good Randomness Goes Bad: Virtual Machine Reset
Vulnerabilities and Hedging Deployed Cryptography,"
www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf. Hedging extracts
entropy from the peer during key exchange and uses the extracted
entropy to improve the localhost's state.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
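The hedging idea mentioned in the message above, as an added illustration (not code from the post, from the cited paper, or from OpenSSL): a host resumed twice from one VM snapshot repeats its RNG output unless something fresh, here the peer's handshake nonce, is mixed in. `SnapshotRng`, `hedged_random`, `resume_and_draw` and all sample values are hypothetical names and constructed data, and HMAC-SHA256 is an assumed choice of mixing function.

```python
import hashlib
import hmac

# Constructed sample values: the RNG state frozen in a VM snapshot, and the
# nonces two different peers send after two separate resumes of that snapshot.
SNAPSHOT = hashlib.sha256(b"constructed snapshot state").digest()
NONCE_A = hashlib.sha256(b"constructed peer nonce A").digest()
NONCE_B = hashlib.sha256(b"constructed peer nonce B").digest()


class SnapshotRng:
    """Hypothetical hash-ratchet PRNG standing in for the local RNG."""

    def __init__(self, state: bytes):
        self.state = state

    def read(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def mix_in(self, data: bytes) -> None:
        # Fold outside material into the state; the old state is the HMAC key,
        # so the input can only add unpredictability, never replace it.
        self.state = hmac.new(self.state, b"mix" + data, hashlib.sha256).digest()


def hedged_random(rng: SnapshotRng, peer_input: bytes, label: bytes) -> bytes:
    """Return RNG output keyed over the peer's contribution, then reseed."""
    r = rng.read()
    out = hmac.new(r, label + peer_input, hashlib.sha256).digest()
    rng.mix_in(peer_input)
    return out


def resume_and_draw(peer_nonce: bytes, hedge: bool):
    """Resume from SNAPSHOT, draw a handshake secret and one later value."""
    rng = SnapshotRng(SNAPSHOT)
    if hedge:
        first = hedged_random(rng, peer_nonce, b"handshake-secret")
    else:
        first = rng.read()
    return first, rng.read()


if __name__ == "__main__":
    for hedge in (False, True):
        a, b = resume_and_draw(NONCE_A, hedge), resume_and_draw(NONCE_B, hedge)
        print("hedged" if hedge else "plain ", "repeats:", a == b)
```

If the peer's input is also identical after both resumes, the hedged values repeat as well, so this supplements a properly seeded RNG rather than replacing one.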
