[whatwg] Cryptographically strong random numbers
bzbarsky at MIT.EDU
Sat Feb 5 19:54:35 PST 2011
On 2/5/11 10:22 PM, Roger Hågensen wrote:
> The "bad script" is already inside the house anyway, but just in the
> other room right?
Whatever that means.
> This is just my opinion but... If they need random number generation in
> their script to be cryptographically secure to be protected from another
> "spying" script...
> then they are doing it wrong. Use HTTPS, issue solved right?
No. Why would it be?
> I'm kinda intrigued about the people you've seen asking, and what exactly it is
> they are coding if that is an issue. *laughs*
You may want to read these:
and then you'll know everything I know about the problem. ;)
> Besides, aren't there several things (by WHATWG even) that prevent such
> spying or even make it impossible?
Do read the above bug reports.
> But with the multithreaded and multicore CPUs, clock variations, and so
> on, trying to exploit the pattern in say a Mersenne Twister PRNG
Which is a heck of a lot harder to guess than the PRNG Math.random
actually uses in Gecko, fwiw.
> by pulling lots of random numbers
> would either A. not work or B. cause a suspicious 100% cpu use on a core.
Suspicious to whom? Most users don't watch their CPU usage; they have
better things to do with their time!
> And don't forget that browsers like Chrome run each tab in its own
> process, which means the PRNG may not share the seed at all with another
Well, yes, that's another approach to the Math.random problems. Do read
the above bug reports.