On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson <[email protected]> wrote:
> Are random() and randomblob() security risks? Could you point us to a
> source explaining this?

They're fairly low risk, but you tend to leak a surprising amount of information when you expose non-cryptographic random sources to attackers. We've already gotten a rather detailed report of the leaks from Math.random, for example. If these functions are useful, we can keep them, but it does cost some amount of attack surface.

Adam
_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

