Closed Bug 715426 Opened 14 years ago Closed 13 years ago

Make Math.random() more secure; have Firefox collect entropy at startup

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
9 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: riptide.tempora, Unassigned)

Details

(Whiteboard: [dupeme])

This is a two-part request: First, have firefox.exe collect at least 32 bytes (256 bits) of entropy at startup starting with the most secure source and moving down. (For example: First, through OpenSSL; if that fails, /dev/urandom if it exists; and so on and so forth.) Second, upgrade Math.random() to use this entropy in the seeding process of pseudorandom number generation. Optionally: Add a method to the Math object that allows user scripts to request a reseed from firefox's entropy collection.
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Whiteboard: [dupeme]
> Second, upgrade Math.random() to use this entropy in the seeding process of pseudorandom > number generation. The random number generator for Math.random() needs to be reseeded on every page, subframe, etc (more precisely, they have independent generators, that are all independently seeded). So collecting some entropy just at startup won't cut it. Why is this even desirable? Have you read the existing bugs about Math.random algorithms and seeding?
I think this is a WONTFIX, see bug 440046
This is probably also not a good idea because entropy collection can be very expensive.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.