Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Jason Davies via bitcoin-dev
>> Note that even with v1.4, it still does not use high-quality entropy for >> Internet Explorer, because getRandomValues is provided under window.msCrypto >> for that browser. > > I don't know for that one, what was the issue? I simply meant that Internet Explorer implements the Web Cryptography

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-10 Thread Jason Davies via bitcoin-dev
On 10 Apr 2018, at 00:39, m...@musalbas.com wrote: > The original disclosure didn't contain any information about the library > in question, so I did some digging. > > I think that the vulnerability disclosure is referring to a pre-2013 > version of jsbn, a JavaScript crypto library. Before it

Re: [bitcoin-dev] KETAMINE: Multiple vulnerabilities in SecureRandom(), numerous cryptocurrency products affected.

2018-04-09 Thread Jason Davies via bitcoin-dev
These issues all stem from the RC4-based RNG implementation (with insecure fallback entropy) in Tom Wu's jsbn library, published here: http://www-cs-students.stanford.edu/~tjw/jsbn/ Please refer to Tom Wu's URL, or this more up-to-date fork of Tom Wu's code (published to NPM):