Better cryptographic security for Node.js #4

Open
TimothyGu opened this issue Jan 23, 2015 · 1 comment

@TimothyGu
Collaborator

Currently, the autoseed() function returns the following as a randomly-generated seed:

    return [+new Date, GLOBAL, GLOBAL.navigator && GLOBAL.navigator.plugins,
            GLOBAL.screen, tostring(pool)];

This is nowhere near secure; probably even Math.random() is better than that when entropy is not enabled.

Node.js provides crypto.randomBytes() which is supposed to be "cryptographically strong pseudo-random." So why not add that as an option?

@ForbesLindesay
Owner

Because this will never be cryptographically secure. Probably we should just remove autoseed entirely. There is no good reason to use seed-random with a random seed. The whole purpose is to have reproducible tests.
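
The distinction drawn in this thread, as an added example that is not part of the original issue or the seed-random code base: a seeded generator gives reproducible test sequences, while security-sensitive values come directly from `crypto.randomBytes()`. The names `seededRng`, `testSequence`, `secureToken` and `secureRandomInt` are hypothetical, and the seeded generator is a stand-in (mulberry32), not seed-random's algorithm.

```javascript
const crypto = require('crypto');

// Stand-in seeded generator (mulberry32), used only to show determinism.
// Assumption: it is NOT seed-random's algorithm, and it is not
// cryptographically secure.
function seededRng(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // float in [0, 1)
  };
}

// Reproducible test data: the whole sequence is a pure function of the seed,
// so the output can never be harder to predict than the seed itself.
function testSequence(seed, n) {
  const rng = seededRng(seed);
  return Array.from({ length: n }, () => Math.floor(rng() * 100));
}

// Security-sensitive value: take bytes straight from the CSPRNG instead of
// seeding a userland generator with them.
function secureToken(bytes = 32) {
  return crypto.randomBytes(bytes).toString('hex');
}

// Unbiased integer in [0, max) from crypto.randomBytes() via rejection
// sampling; a plain `value % max` would favour small results whenever max
// does not divide 2^32.
function secureRandomInt(max) {
  if (!Number.isInteger(max) || max <= 0 || max > 0x100000000) {
    throw new RangeError('max must be an integer in 1..2^32');
  }
  // Largest multiple of max that is <= 2^32; values at or above it are redrawn.
  const limit = 0x100000000 - (0x100000000 % max);
  let value;
  do {
    value = crypto.randomBytes(4).readUInt32BE(0);
  } while (value >= limit);
  return value % max;
}
```
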
