List:       oss-security
Subject:    [oss-security] Predictable Math.random() in browsers
From:       Florian Weimer <fw () deneb ! enyo ! de>
Date:       2009-06-09 11:11:35
Message-ID: 87y6s1d5lk.fsf () mid ! deneb ! enyo ! de

<http://www.trusteer.com/temporary-user-tracking-in-major-browsers>
describes what essentially is a weakness in Math.random()---it's
predictable and its state is shared across domains.

Contrary to the report, I'm more worried about the general
consequences of weak random numbers.  Browsers should probably use a
stronger PRNG which doesn't leak its state, so that the shared state
doesn't matter.
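
An added illustration, not part of the original message: the sketch below shows why a generator that leaks its state is a problem once that state is shared, and what a non-leaking source looks like in script. The LCG is a constructed toy (it is not any browser's actual Math.random() implementation), and the names `makeToyPrng`, `cloneFromOutput`, `demoSharedState` and `secureToken` are hypothetical.

```javascript
// Constructed toy generator (NOT any browser's real Math.random()):
// a 32-bit LCG whose every output is its entire internal state.
function makeToyPrng(seed) {
  let state = seed >>> 0;
  return function next() {
    // Numerical Recipes LCG constants; Math.imul keeps the multiply in 32 bits.
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 2 ** 32; // float in [0, 1), same shape as Math.random()
  };
}

// Because the output *is* the state, one observed value is enough to
// rebuild a generator that follows the original stream from that point.
function cloneFromOutput(observed) {
  return makeToyPrng(Math.round(observed * 2 ** 32));
}

// Two pages drawing from one shared generator: what page A sees
// determines what page B gets next.
function demoSharedState() {
  const shared = makeToyPrng(20090609); // constructed seed
  const seenByPageA = shared();
  const usedByPageB = shared();
  const predictedByA = cloneFromOutput(seenByPageA)();
  return predictedByA === usedByPageB;
}

// Non-leaking alternative available to scripts: the Web Crypto CSPRNG.
// The require() fallback is only for older Node.js without a global `crypto`.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;

function secureToken(nBytes = 16) {
  const buf = new Uint8Array(nBytes);
  webcrypto.getRandomValues(buf); // outputs reveal nothing about later outputs
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}
```

With a generator like `secureToken`'s source, sharing one instance across domains stops mattering, which is the point made in the message: observed outputs do not let a page reconstruct what another page will receive.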