[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #23086 [Obfuscation/BridgeDB]: GIMP Captcha uses insecure random number generator

Subject: Re: [tor-bugs] #23086 [Obfuscation/BridgeDB]: GIMP Captcha uses insecure random number generator
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 08 Aug 2017 09:35:38 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Aug 2017 05:35:49 -0400
In-reply-to: <051.753a9b62f67e8316af1b16123c493bd8@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.753a9b62f67e8316af1b16123c493bd8@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#23086: GIMP Captcha uses insecure random number generator
----------------------------------+--------------------------
 Reporter:  cypherpunks           |          Owner:  isis
     Type:  defect                |         Status:  reopened
 Priority:  Medium                |      Milestone:
Component:  Obfuscation/BridgeDB  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
 Reviewer:                        |        Sponsor:
----------------------------------+--------------------------
Changes (by cypherpunks):

 * status:  closed => reopened
 * resolution:  not a bug =>


Comment:

 1)
 You don't use /dev/urandom in your captcha generation. You use ordinary
 random. I don't know if GIMP functions internals use CSPRNG, but I think
 they neither do.

 >Almost all module functions depend on the basic function random(), which
 generates a random float uniformly in the semi-open range [0.0, 1.0).
 Python uses the Mersenne Twister as the core generator.

 MT is insecure.

 >2) There's no need for a CSPRNG when randomly munging pixels.

 If the bias in the distribution the captcha parameters is exploitable (it
 is if the PRNG is not secure) there are odds to solve the captcha (with or
 without OCR) non-negligible better than if it was truly random. You are a
 cryptologist, you should understand that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23086#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #23086 [Obfuscation/BridgeDB]: GIMP Captcha uses insecure random number generator
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #23223 [Core Tor/Tor]: test: Fix prop224 hs unit tests
Next by Author: Re: [tor-bugs] #23166 [Applications/Tor Browser]: Add Felix's obfs4 bridges to Tor Browser's defaults
Previous by thread: Re: [tor-bugs] #23086 [Obfuscation/BridgeDB]: GIMP Captcha uses insecure random number generator
Next by thread: Re: [tor-bugs] #23086 [Obfuscation/BridgeDB]: GIMP Captcha uses insecure random number generator
Index(es):
- Author
- Thread