crypto API isn't used in node.js context #108

Closed
fedot opened this issue Mar 23, 2015 · 3 comments

fedot commented Mar 23, 2015

After commit 319dc6e, the Node Crypto API isn't used anymore.

I'm not sure if this is critical, as v4 is random or pseudo-random based (the RFC advises the use of cryptographic-quality random numbers but doesn't require it in any way).

I'm not sure if this is something that is planned to be fixed (Math.random is significantly faster, and this may be a good reason to keep it that way and not use the Crypto API by default).

For now I'm using `options.rng`, passing `function(){ return crypto.randomBytes(16) }` as the random generator.


fedot commented Mar 23, 2015

It's also important to note that the current information in the README has been incorrect for more than a year, stating that "Cryptographically strong random # generation on supporting platforms" is used, which it is not.

Also, the docs on options.rng are not correct, referencing "built-in generators" that no longer exist.


joepie91 commented Aug 6, 2015

> I'm not sure if this is critical

It is, unfortunately. The random data being cryptographically secure is what prevents malicious users from generating collisions.

The security of UUIDs is thus significantly worse when the random source isn't cryptographically secure - not just when generating random tokens (e.g. e-mail verification), but also when, for example, creating UUIDs for items in the database. Depending on exact implementation, that could result in privilege escalation within the application.

I'd recommend using the defunctzombie fork instead, as this version doesn't appear to be actively maintained anymore. The npm package name for the fork is uuid.

@coolaj86
Contributor

fixed
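
Added example (not part of the thread and not node-uuid's code): a stand-alone v4 generator that takes its random source as a parameter, the way the `options.rng` workaround above does, next to a deterministic generator to show why the source matters. `uuidV4`, `seededRng` and `sameStateCollides` are hypothetical names, and the seeded generator is a constructed stand-in for a non-cryptographic PRNG.

```javascript
// Added example; uuidV4, seededRng and sameStateCollides are hypothetical names.
const { randomBytes } = require('crypto');

// Format 16 bytes as an RFC 4122 version-4 UUID string.
// rng must return 16 bytes; the default is the OS-backed CSPRNG.
function uuidV4(rng = () => randomBytes(16)) {
  const b = Uint8Array.from(rng());
  if (b.length !== 16) throw new RangeError('rng must return exactly 16 bytes');
  b[6] = (b[6] & 0x0f) | 0x40; // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80; // variant bits = 10xxxxxx
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join('-');
}

// Constructed stand-in for a non-cryptographic generator: a small seeded PRNG.
// Its whole output stream is a pure function of its internal state.
function seededRng(seed) {
  let s = seed >>> 0;
  const next = () => {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
  return () => Array.from({ length: 16 }, () => Math.floor(next() * 256));
}

// Shape check: version 4, RFC 4122 variant, lowercase hex.
const V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Two generators that share the same state emit the same "random" UUIDs,
// so the IDs are only as unguessable as that state is.
function sameStateCollides(seed, count) {
  const a = seededRng(seed);
  const b = seededRng(seed);
  for (let i = 0; i < count; i++) {
    if (uuidV4(a) !== uuidV4(b)) return false;
  }
  return true;
}

console.log('CSPRNG-backed:', uuidV4());
console.log('well-formed v4 from seeded PRNG:', V4_RE.test(uuidV4(seededRng(1))));
console.log('same-state streams identical:', sameStateCollides(1234, 5));
```

Both sources produce well-formed v4 strings, so a format check cannot tell them apart; only the generator behind the bytes differs.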
