Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fixing JavaScript's Broken Random Number Generator (hackaday.com)

Posted by samzenpus on from the the-fix-is-in dept.

szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working version, if you didn't make it that far (perhaps the case with JavaScript devs) you got the bad version of the code whose fix is just now being rolled out.

2 of 136 comments (clear)

  1. Re:Obviously by Lennie · · Score: 5, Interesting

    He was using node.js (which using V8 Javascript engine)

    And he was using it for some security related function (in this case generating id's of sessions).

    Maybe he should have been using a cryptographically strong pseudo-random generator:
    https://nodejs.org/api/crypto....

    Why did they need to 'fix' V8 Math.random () function which everyone knows is not meant for such things ? It even says so in for example the Mozilla documentation (the organisation that created Javascript in the first place):
    "Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security."
    https://developer.mozilla.org/...

    This makes no sense to me.

    --
    New things are always on the horizon
  2. Re:Wait, what? by Lunix+Nutcase · · Score: 4, Interesting

    Well at least knowing that the guy who wrote this shitty PRNG is a designer of Google's Dart gives you one more reason to avoid it the plague.