Bug 26972 - predictable random number generator used in web browsers
Summary: predictable random number generator used in web browsers
Status: RESOLVED DUPLICATE of bug 41868
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL: http://www.trusteer.com/temporary-use...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2009-07-04 19:17 PDT by Michael Gilbert
Modified: 2015-09-24 10:49 PDT
Description Michael Gilbert 2009-07-04 19:17:20 PDT
hello,

it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG).  please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].

[0] http://www.trusteer.com/temporary-user-tracking-in-major-browsers
[1] Lenore Blum, Manuel Blum, and Michael Shub, "A Simple Unpredictable
Pseudo-Random Number Generator," SIAM Journal on Computing, volume 15,
pages 364-383, May 1986.
[2] http://rng.doesntexist.org/gmpbbs
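
The Blum Blum Shub generator named in the description above, as an added example that is not part of the original report or of WebKit's code. The names `makeBBS`, `firstBits` and the toy parameters are assumptions chosen for illustration; primality of `p` and `q` is assumed rather than checked.

```javascript
// Added illustration: Blum Blum Shub, x_{i+1} = x_i^2 mod M with M = p*q.
// One output bit (the low bit of the state) is produced per modular squaring.

function gcd(a, b) {
  while (b !== 0n) {
    [a, b] = [b, a % b];
  }
  return a;
}

// p and q are assumed to be prime; that is not checked here.
function makeBBS(p, q, seed) {
  if (p % 4n !== 3n || q % 4n !== 3n) {
    throw new RangeError("p and q must both be congruent to 3 mod 4");
  }
  const M = p * q;
  if (seed <= 1n || seed >= M || gcd(seed, M) !== 1n) {
    throw new RangeError("seed must lie in (1, M) and be coprime to M");
  }
  let x = (seed * seed) % M; // x_0 is a quadratic residue mod M
  let squarings = 1;
  return {
    nextBit() {
      x = (x * x) % M;
      squarings += 1;
      return Number(x & 1n);
    },
    // 53 generator bits packed into [0, 1), the range Math.random() returns.
    nextDouble() {
      let n = 0;
      for (let i = 0; i < 53; i++) n = n * 2 + this.nextBit();
      return n / 2 ** 53;
    },
    squarings: () => squarings,
  };
}

// Constructed toy parameters: M = 253 factors instantly and the state cycle
// is tiny. Real use needs large secret primes and a seed from OS entropy.
const TOY_P = 11n, TOY_Q = 23n, TOY_SEED = 3n;

function firstBits(count) {
  const g = makeBBS(TOY_P, TOY_Q, TOY_SEED);
  const bits = [];
  for (let i = 0; i < count; i++) bits.push(g.nextBit());
  return bits;
}

console.log(firstBits(6).join(""));
```

Each `nextDouble()` call costs 53 big-integer squarings, which is the per-value cost to weigh against a stream-cipher-based generator when throughput matters.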
Comment 1 Michael Gilbert 2009-07-04 19:28:09 PDT
this is already publicly disclosed, so there is no reason to restrict access to this report.  however, it seems i can't uncheck the box to do that...
Comment 2 Adam Barth 2009-07-04 20:24:56 PDT
I have unchecked the box for you.
Comment 3 Sam Weinig 2009-07-04 21:24:27 PDT
This is only a problem on Windows at the moment, where we found the existing cryptographically secure PRNG to be a hefty performance regression on some tests (I believe it was the JS iBench test).  Mac OS uses arc4random for all random numbers, which I believe is suitable, and is noted in the paper.  I think we should probably just include arc4random in the tree and call it a day.
Comment 4 Michael Gilbert 2009-07-04 21:40:45 PDT
the paper does not mention webkit on linux.  what is the status of the PRNG there?
Comment 5 Radar WebKit Bug Importer 2015-09-24 09:11:44 PDT
<rdar://problem/22839305>
Comment 6 David Kilzer (:ddkilzer) 2015-09-24 10:49:16 PDT
Dupe:
Bug 41868: [JSC] Math.random is predictable which may lead to cross-domain information leakage and temporary user tracking attacks

*** This bug has been marked as a duplicate of bug 41868 ***