Nonce generation uses insecure random #24
Comments
If this is important to you, I'm happy to accept a PR

It's not important to me personally, since I don't use OAuth.jl. But it does impact the security of all your users against replay attacks. I'll ping you when julialang has settled on an official recommendation. I am guessing that the amount of affected users and the number of real-world attackers are small enough that this can wait until then, but you are in a better position to judge that.

Consider this line.
This generates a nonce using the default random, which is Mersenne Twister. MT is not a CSPRNG, i.e. the internal state and hence all past and future random numbers can be extracted from a few random numbers from the stream.
The nonce generation should use a secure random instead. For example, `const CSPRNG = Random.RandomDevice()` and `randstring(CSPRNG, length)` would do the job.

Cf. general discussion [here](https://github.com/JuliaLang/julia/issues/32954).
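
The difference the issue describes, as an added example (not code from OAuth.jl or from the issue author): a nonce drawn from a Mersenne Twister stream is fully determined by the generator state, while one drawn from `RandomDevice` is not. The helper names `weak_nonce` and `secure_nonce`, the seed `1234` and the nonce length of 32 are assumptions made for illustration.

```julia
using Random

# Hypothetical helper names; OAuth.jl's own nonce function is not shown on the page.

# Weak: nonce drawn from a Mersenne Twister stream. Every output is a
# deterministic function of the generator's internal state.
weak_nonce(rng::MersenneTwister, len::Integer=32) = randstring(rng, len)

# Hardened: nonce drawn from the operating system's entropy source,
# following the suggestion in the issue.
const CSPRNG = RandomDevice()
secure_nonce(len::Integer=32) = randstring(CSPRNG, len)

# Two generators in the same state (constructed seed) emit the same nonces,
# so whoever knows the state knows every nonce the service will issue.
a = MersenneTwister(1234)
b = MersenneTwister(1234)
@assert [weak_nonce(a) for _ in 1:5] == [weak_nonce(b) for _ in 1:5]

# copy() clones the state mid-stream: the clone yields the original's next nonce.
clone = copy(a)
@assert weak_nonce(clone) == weak_nonce(a)

# RandomDevice exposes no state to seed or copy; successive nonces are
# independent draws from the OS source.
n1, n2 = secure_nonce(), secure_nonce()
@assert length(n1) == 32
@assert n1 != n2
println("secure nonce sample: ", n1)
```

The Mersenne Twister generator is constructed explicitly here so the demonstration does not depend on which generator a given Julia version uses as its default.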