crypto API isn't used in node.js context #108
Comments
It's also important to note that the current information in the README has been incorrect for more than a year, stating that "Cryptographically strong random # generation on supporting platforms" is used, which it is not. Also docs on |
It is, unfortunately. The random data being cryptographically secure is what prevents malicious users from generating collisions. The security of UUIDs is thus significantly worse when the random source isn't cryptographically secure - not just when generating random tokens (e.g. e-mail verification), but also when, for example, creating UUIDs for items in the database. Depending on the exact implementation, that could result in privilege escalation within the application. I'd recommend using the defunctzombie fork instead, as this version doesn't appear to be actively maintained anymore. The npm package name for the fork is |
fixed |
After commit 319dc6e, Node Crypto API isn't used anymore.
I'm not sure if this is critical, as v4 is random or pseudo-random based (the RFC advises the use of cryptographic-quality random numbers but doesn't require it in any way).
I'm not sure if this is something that is planned to be fixed (Math.random is significantly faster, and this may be a good reason to keep it that way and not to use the Crypto API by default).
For now I'm using options.rng, passing function(){ return crypto.randomBytes(16) } as the random generator.
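The check below is an added example, not part of the original issue or the project's code: it counts which random source a UUID generator actually calls, which is the regression this issue reports. The `v4` function is a constructed stand-in that accepts `options.rng` as described above and defaults to Math.random; `randomSourcesUsed` and `cryptoRng` are hypothetical names.

```javascript
const nodeCrypto = require('crypto');

// Constructed stand-in for a v4 generator that accepts options.rng.
// Not the library's source; the default mirrors the behaviour reported
// in this issue (Math.random).
function v4(options = {}) {
  const rng = options.rng ||
    (() => Array.from({ length: 16 }, () => Math.floor(Math.random() * 256)));
  const b = Uint8Array.from(rng());
  if (b.length !== 16) throw new Error('rng must return 16 bytes');
  b[6] = (b[6] & 0x0f) | 0x40; // version 4
  b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
  const h = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Workaround from the issue: hand the generator a crypto-backed rng.
const cryptoRng = function () { return nodeCrypto.randomBytes(16); };

// Audit helper (hypothetical name): run generate() while counting calls
// to Math.random and crypto.randomBytes, then restore both.
function randomSourcesUsed(generate) {
  const calls = { mathRandom: 0, cryptoRandomBytes: 0 };
  const origMath = Math.random;
  const origBytes = nodeCrypto.randomBytes;
  Math.random = function () {
    calls.mathRandom++;
    return origMath.call(Math);
  };
  nodeCrypto.randomBytes = function (...args) {
    calls.cryptoRandomBytes++;
    return origBytes.apply(nodeCrypto, args);
  };
  try {
    const id = generate();
    return { id, ...calls };
  } finally {
    Math.random = origMath;
    nodeCrypto.randomBytes = origBytes;
  }
}
```

The counters only see calls made through the `Math.random` and `crypto.randomBytes` properties at call time, so a generator that captured a reference to either function when it was loaded, or that uses a different crypto call, is not counted.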