Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Masking is not cryptographically secure #1676

Closed
danielgrad opened this issue Mar 22, 2024 · 1 comment · Fixed by dart-lang/web_socket_channel#335
Closed

Masking is not cryptographically secure #1676

danielgrad opened this issue Mar 22, 2024 · 1 comment · Fixed by dart-lang/web_socket_channel#335
Labels
package:web_socket_channel

Comments

@danielgrad
Copy link
Contributor

The random number generator used for masking frames is not cryptographically secure:

https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L28
https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L508-L514

This is a security concern (CWE-331), and deviates from RFC 6455 section 10.3:

Clients MUST choose a new masking key for each frame, using an
algorithm that cannot be predicted by end applications that provide
data. For example, each masking could be drawn from a
cryptographically strong random number generator.
@kevmoo kevmoo mentioned this issue Mar 22, 2024
Merged
@brianquinlan
Copy link
Collaborator

This has been fixed in dart:io for over 7 years but it looks like the change never made it here despite the last import being 6 years ago.

kevmoo referenced this issue in dart-lang/web_socket_channel Apr 4, 2024
@danielgrad
use secure random number generator (#334) (#335)
ced3a37
@brianquinlan brianquinlan mentioned this issue Apr 11, 2024
Merged
1 task
mosuem referenced this issue Dec 11, 2024
@danielgrad
use secure random number generator (dart-lang/web_socket_channel#334) (
ccfa26f 
…dart-lang/web_socket_channel#335)
@mosuem mosuem transferred this issue from dart-lang/web_socket_channel Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
package:web_socket_channel
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

use secure random number generator
3 participants
@danielgrad @brianquinlan @mosuem