Closed
Bug 1484298
Opened 7 years ago
Closed 4 years ago
Update the RNG in FuzzyFox to something better
Categories
(Core :: DOM: Security, enhancement, P3)
RESOLVED
INCOMPLETE
People
(Reporter: tjr, Unassigned)
(Whiteboard: [domsecurity-backlog])
In Bug 1432429 we're (probably) landing it with rand() as the underlying RNG. That's pretty cruddy.
Best case we would use a cryptographically secure RNG, like we do for Reduce Timer Precision. However that's probably going to be prohibitively expensive since, unlike RTP, we run FuzzyFox all the time very frequently.
We could use a decent hash function (like Murmur Hash) that is not secure though. It would be pretty difficult to exploit a non-cryptographically secure hash, so we might be able to get away with it.
Updated•7 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Comment 1•7 years ago
You can seed the new RNG with MFBT's new RandomUint64() function, which was extracted (in bug 1402282) from SpiderMonkey's code that called the operating system's secure RNG.
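Added example, not code from the bug or from Firefox: one way to follow the suggestion in comment 1, seeding a fast non-cryptographic generator once from the OS secure RNG so that each later draw costs only a few shifts and XORs. The choice of xorshift128+ is an assumption made here (the bug names no algorithm), `FastRng` and `OsRandomUint64` are hypothetical names, and reading `/dev/urandom` stands in for MFBT's RandomUint64().

```cpp
#include <cstdint>
#include <cstdio>

// Stand-in for MFBT's RandomUint64(): 8 bytes from the OS CSPRNG.
// Assumption: a POSIX system that exposes /dev/urandom.
bool OsRandomUint64(uint64_t* out) {
  std::FILE* f = std::fopen("/dev/urandom", "rb");
  if (!f) return false;
  size_t n = std::fread(out, sizeof *out, 1, f);
  std::fclose(f);
  return n == 1;
}

// xorshift128+: fast and statistically decent, NOT cryptographically secure.
// FastRng is a hypothetical name, not a FuzzyFox or MFBT class.
class FastRng {
 public:
  FastRng(uint64_t s0, uint64_t s1) : mS0(s0), mS1(s1) {
    // All-zero state is a fixed point (output would be 0 forever).
    if (mS0 == 0 && mS1 == 0) mS1 = 1;
  }
  // Seed once from the OS. On failure, report it rather than fall back
  // to a guessable seed such as the clock.
  static bool FromOs(FastRng* out) {
    uint64_t a, b;
    if (!OsRandomUint64(&a) || !OsRandomUint64(&b)) return false;
    *out = FastRng(a, b);
    return true;
  }
  uint64_t Next() {  // a few shifts and XORs per call, no syscall
    uint64_t x = mS0;
    const uint64_t y = mS1;
    mS0 = y;
    x ^= x << 23;
    mS1 = x ^ y ^ (x >> 17) ^ (y >> 26);
    return mS1 + y;
  }
 private:
  uint64_t mS0, mS1;
};

int main() {
  FastRng rng(0, 0);
  if (!FastRng::FromOs(&rng)) { std::fputs("no OS entropy\n", stderr); return 1; }
  for (int i = 0; i < 3; ++i)
    std::printf("%016llx\n", (unsigned long long)rng.Next());
  return 0;
}
```

Because the generator is not cryptographically secure, anyone who recovers its 128-bit state can predict every later output; only the seed is unpredictable.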
Updated•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE