This is the question I ask every single time I read about anything in security. It feels like there's just SO MANY THINGS wrong about every damn thing now the only way I can figure out what I have to really worry about or focus on is anything with a PRACTICAL attack that's easily automated and remotely exploitable.
Cryptographic attacks become better, some of them become practical. RC4 attacks were not considered practical until recently, and now everyone runs with their heads on fire replacing it.
The best answer is to listen to what security people say. When they have a practical attack on something it is already too late.
Security experts, by in large, only care about academics and care very little about usability, so I do not trust them unless they give me specific scenarios where I am in danger.
Just to clarify what I mean; we have to make decisions based on tradeoffs. Having the most secure password possible is not the only thing that matters. So "trust security experts" is not a good response; I need to know threat levels so I can make informed decisions. I'm not just going to do the same thing a security enthusiast does because I value different things, to different degrees.
Looks like you didn't understand the sadness of the issue I was reporting. The author of the software constructed his own random number generator from two primitives: Salsa20 stream generator and Math.random. The last part is what makes this PRNG theoretically insecure: because Math.random is not guaranteed to give cryptographically secure random numbers, thus, theoretically, the generated passwords can be guessed. (The fact that there are no current attacks on current implementations of Math.random in browsers doesn't mean that we won't get them in the future.) The secure alternative to author's PRNG is ~one line of code: window.crypto.getRandomBytes. There are no tradeoffs involved! On the contrary, the author's insecure construction is more difficult to write than the secure one.
(BTW, while we here argue about security experts, the author said "Thank you, I'll replace it of course.")
This is what I'm talking about. You, a security enthusiast, are only interested in the technical security details. You respond to a comment about tradeoffs with details on the bug.
I don't care about why the bug happened or how easy it is/isn't to fix. I care about whether the existence of the bug is something I should be so concerned about as to not use the software. In order to gauge that, I need a little more info about the threat level.
>I don't care about why the bug happened or how easy it is/isn't to fix. I care about whether the existence of the bug is something I should be so concerned about as to not use the software. In order to gauge that, I need a little more info about the threat level.
Threat level is 0%. No currently known attacks exist. This threat level immediately goes to 100% when a practical attack is discovered. There is no guarantee that a practical attack exists that hasn't been brought to academic or mainstream attention (e.g some cracker has a practical attack that they're keeping under wraps). By the time the threat level hits 100% the cracker may have already broken into your account(s) before you even hear about the attack.
Therefore when something is shown that "attacking it is possible" you can make one of two assumptions
1) No practical attack exists and you'll be safe until it exists
2) A practical attack already exists and it is only a matter of time until you get pwned
Rather than worry about whether or not a practical attack already or will one day exist, I'd use cryptography that hasn't been shown to be broken.
This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
This is why security people are so frustrating to talk to; you only talk in extremes.
> Rather than worry about whether or not a practical attack already or will one day exist, I'd use cryptography that hasn't been shown to be broken.
That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
>This comment doesn't make sense. All attacks are not equal. Some require physical access; some do not. Some require seed data; some do not. What exactly are you talking about here?
I'm not a security expert, more of a hobbyist. So I'll let someone else quantify potential specifics. To my understanding, they would not require physical access and would be able to guess any passwords generated (once an attack has been found/created).
>That's not what I'm worried about. I'm worried about given that they do exist what is the risk to me? What is the likelihood that my account has been broken into?
The chances of 0 becoming 1 are not quantifiable because it requires knowing unknowns. It is, however, non-zero. For a small list of unknowns:
1) Who knows about the attack
2) How practical is the attack?
3) What software/websites/people are they choosing to attack
4) Are you even using any of the software/websites that are being attacked?
5) Are they going to accept cracking <10%~ accounts if they can do so in <24 hours or is their goal to crack >50%~ accounts? Many crackers only care to scrape the bottom of a barrel. What are the chances you were in the part of the barrel they scraped?
I assume the worst because being compromised is a zero-sum game. I've been compromised or I haven't. Therefore my variables are:
Everyone. Extremely. Only things I use. Of course. Doesn't matter, I'm in the targeted group.
I wouldn't make any bets on security through obscurity.
Getting my reddit account hacked is not the end of my life. Hell, getting my bank account hacked is not the end of my life. I don't want those things to happen, I will take precautions to prevent it.
But too often security people talk as though it's the only thing I should care about. And it's not, I care about other things too, to varying degrees.
So, to make an informed decision, I need to know more than just that Math.random() is insecure. Knowing that an attack wouldn't require physical access is the type of information I'm interested in. So thank you for that.
I understand completely. I feel most people's threat models stop even before 'threat has physical access'. The chances of both your computer being stolen and the person who stole it being tech-savvy enough [0] to break into things may as well be 0 for anyone who isn't the target of a state actor or working in a security field. At that point the only people who care are the people who care about security or slim chances like that occurring. :)
[0] Or the thief selling it to someone who is tech savvy enough. Still practically 0 for most everyone.
It's (relatively) easy to verify a software against a strict security definition and decide if it meets the definition or not.
It's incredibly difficult (I'd say "impossible", but I'm being pedantic for now) to check a flaw against such strict definition and check it against all possible use cases and all possible inputs and decide if one of them will lead to bad consequences.
Thus, if there's any practical attack? How the hell would I or anybody else know. We can only know a resounding "yes" after you get owned, nobody can ever tell you a honest "no" to this question.
I feel like your conclusion is the opposite of proper.
Proper would be: don't roll your own crypto, use what professionals created, and only in the way they document it to be used. When in doubt, email tptacek or another professional he would point out.
I don't know of any published attacks on XorShift128+, which is used in most browsers for Math.random. What I know is that it's not a cryptographically secure PRNG, though, so all you have to do is sit and wait for one ;-)
> The RandomSource.getRandomValues() method lets you get cryptographically random values. The array given as the parameter is filled with random numbers (random in its cryptographic meaning).
> To guarantee enough performance, implementations are not using a truly random number generator, but they are using a pseudo-random number generator seeded with a value with enough entropy. The PRNG used differs from one implementation to the other but is suitable for cryptographic usages. Implementations are also required to use a seed with enough entropy, like a system-level entropy source.
EDIT: Not that I'm justifying using Math.random, I just don't see why you so strongly recommend against using this tool.