Session Security and uid2 #932
Comments
|
In practice, pseudoRandomBytes() and randomBytes() are exactly the same on all platforms which matter. The only situation when randomBytes() would block is when the OpenSSL CSPRNG hasn't been seeded with at least 128 bits of entropy. However, OpenSSL automatically seeds itself on startup on Windows (using CryptGenRadom) and on Linux and all unices which support /dev/urandom (using /dev/urandom). So I wouldn't bother about this. PseudoRandomBytes() is just as secure in practice. The uid2 module had other issues when I looked at it before. It doesn't generate characters with uniform distribution (i.e. some characters are more likely to occur than others). |
See coreh/uid2#3, the proposed fix to that doesn't even fix it.
In practice, yes. In theory, and as far as the documentation is concerned, Also TIL Ctrl+Enter Submits the comment. |
With regards to theory, my 2c: On platforms where OpenSSL doesn't auto-seed, the developer already has to implement his own secure seeding mechanism (which usually means an entropy-gathering daemon). Unless this is done, randomBytes() will block forever (or return errors forever, I'm not sure). Whether this is preferable to generating non-secure randoms in these situations, I don't know. |
I'm assuming that means that on said platforms |
Yes. PseudoRandomBytes() would work, but be predictable. RandomBytes() wouldn't work at all. My personal opinion is that the best course of action would be to keep working, but print a scary warning message on stderr that the random generator needs to be seeded. The proper place to implement this would be Node core, though. |
Definitely. On a related note, it seems like the documentation should reflect the nuances for |
|
@skeggse what are you looking to do? i don't think this is an issue because we're probably talking about 10e-30 vs 10e-32 chance of collision (i don't know the exact numbers). most of the current issues in connect are sessions. i'd prefer if someone created a robust and customizable session module and have connect use it with sane defaults. would get rid of so many issues! |
My wish is that we used the tool that makes sense from a documentation perspective. As indutny says, "we might want to change implementation in future." Relying on undocumented functionality in the code hardly seems like a good idea.
Now you're talking. I'll open up a new issue for that, instead. Maybe we can discuss what the new module should do and look like--plenty of issues to draw inspiration from! |
@visionmedia switched the
csrfandsessionmiddleware over to theuid2module in 35c8f7b. Unless I'm mistaken, theuid2module usescrypto.pseudoRandomBytesto generate the identifier, which according to the Node.js crypto documentation "Generates non-cryptographically strong pseudo-random data."It seems like sessions should be cryptographically random, as they may protect highly sensitive information. Sometimes sessions contain identifiers like IP addresses which can mitigate session hijacking, but an IP address is not necessarily unique to each user.
Looking at some related stackoverflow material, it looks like it might not matter a whole lot, but for the sake of forward-compatibility it makes the most sense to use
randomBytes, notpseudoRandomBytes.@pesho in #881:
I guess what I'm saying is, it doesn't look like the
uid2module uses the rightcryptofunction, but it's not on a forum that makes it easy to discuss this issue (okay, well it does exist on GitHub, but it's not active). Furthermore, theuid2module does not purport to generate secure identifiers, so it might not be the right fit, especially because usingpseudoRandomByteswas a conscious decision.At least for sessions, I don't think it makes sense use
uid2, and we should use "something else" instead.The text was updated successfully, but these errors were encountered: