Please use a secure PRNG for adding noise to the applications list #32

Closed
jvoisin opened this issue Jun 30, 2018 · 3 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@jvoisin

jvoisin commented Jun 30, 2018

Hello,

in the getReports method, the code is using the following snippet:

            // Add some random packages to avoid tracking
            Random rand = new Random(Thread.currentThread().getId());
            int alea = rand.nextInt(120) % 10 + 11;
            for(int i = 0 ; i < alea; i++) {
                int val = rand.nextInt(handles.size());
                packages.add(handles.get(val));
            }

This could, to some degree, allow a rogue server to make educated guesses about which applications are installed or not. It would be cool to use SecureRandom instead.

This is a super-minor issue, feel free to close it with an E_DONTCARE :)
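
An added example, not part of the original issue or the project's code: it reuses the selection logic from the snippet above with the generator passed in, to show that a `Random` seeded with the thread ID reproduces the same noise for the same seed, while `SecureRandom` can be dropped in without other changes. The class name `NoiseDemo`, the method `pickNoise` and the sample handle names are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.Random;

public class NoiseDemo {
    // Constructed sample data standing in for the list of known application handles.
    static List<String> sampleHandles() {
        List<String> handles = new ArrayList<>();
        for (int i = 0; i < 200; i++) {
            handles.add("org.example.app" + i);
        }
        return handles;
    }

    // Same selection logic as the snippet in the issue; only the generator is a parameter.
    static List<String> pickNoise(Random rand, List<String> handles) {
        List<String> noise = new ArrayList<>();
        int alea = rand.nextInt(120) % 10 + 11; // between 11 and 20 extra entries
        for (int i = 0; i < alea; i++) {
            noise.add(handles.get(rand.nextInt(handles.size())));
        }
        return noise;
    }

    public static void main(String[] args) {
        List<String> handles = sampleHandles();

        // Thread IDs are small sequential numbers, so the seed space is tiny
        // and the whole sequence is a pure function of that seed.
        long seed = Thread.currentThread().getId();
        List<String> first = pickNoise(new Random(seed), handles);
        List<String> second = pickNoise(new Random(seed), handles);
        System.out.println("seeded Random, same noise twice: " + first.equals(second));

        // SecureRandom extends Random and seeds itself from the platform
        // entropy source, so the choices are not derivable from a guessable value.
        SecureRandom secure = new SecureRandom();
        List<String> third = pickNoise(secure, handles);
        List<String> fourth = pickNoise(secure, handles);
        System.out.println("SecureRandom, same noise twice: " + third.equals(fourth));
    }
}
```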

@U039b
Contributor

U039b commented Jul 3, 2018

Hi @jvoisin
Even if we use a PRNG, 2 full syncs of the list of installed applications will allow any rogue server to remove the noise.

@U039b U039b added the question Further information is requested label Jul 3, 2018
@jvoisin
Author

jvoisin commented Jul 5, 2018

Sure, but I think that some users will install exodus, run it, glance at the results, be horrified, remove some of their applications and then remove exodus because it fulfilled its purpose.

For this use case, using a better PRNG will slightly improve privacy.

@U039b U039b added the enhancement New feature or request label Jul 10, 2018
@ghost ghost mentioned this issue Dec 9, 2020
@pnu-s
Member

pnu-s commented Jan 3, 2022

Fixed by #90

@pnu-s pnu-s closed this as completed Jan 3, 2022