SJCL randomWords generation hardening #346
Comments
First, thanks for letting us know this. I'll follow up via mail as this seems to be a serious matter.
Hi, I did review this now, too, and shared my findings with @rugk. I am still not a friend of doing a "responsible disclosure" process, since this is free software, not a company. I would prefer if I could share my analysis with you all right away, so that I could get your feedback on it. So far I consider this a low risk, present since the first commit of ZeroBin, but at the request of @rugk I may now not share my reasoning. :-( I will certainly insist we do publish the full details in our reports, once we could agree what needs to be done in this matter.
More or less by luck/"accident" v1.2 is not affected by this vulnerability, and modern browsers are also not affected.
Hello @cryptolok. Thank you again for reporting this. We have just released version 1.2.1 that sets a more reasonable value (10, the maximum supported) and is also compatible again with the affected browser versions (unlike 1.2). The details of our findings can be found in the report on the vulnerability. Fortunately, most browsers introduced web crypto API support many years ago. When SJCL finds that API, it uses it as a source of entropy instead. In that case the key is always generated with sufficient entropy. If it doesn't, it has to fall back on the collected entropy and the While there are not many such old browsers used anymore, we wanted to still provide at least one version that fixes this issue, before we drop support for such browsers permanently by switching to the web crypto API in the next release.
The randomWords generation function used from the SJCL library in js/privatebin.js:643 has the "paranoia" parameter set to 0, which reduces the entropy.
Why make such a choice, knowing that enabling "paranoia" wouldn't have a significant impact on speed?