    Nice find. Interestingly it seems c-ares uses urandom (random source) as a seed for an rc4 based counter (source/source2), apparently for DNS transaction IDs.

    Isn’t rc4 especially weak when using the first part of the stream that comes out of it (not to mention, apparently, the statistical biases)?

    I vaguely recall OpenBSD switching to ChaCha20 for their implementation of their “arc4random” CSPRNG primitive at one point.

      I’m still not sure how broken rc4 is for use like this. In crypto speak, it’s totally broken. Does that mean somebody gets you to generate and then collect enough DNS traffic to analyze effectively? I don’t know.

      I wouldn’t use rc4, but I guess I wouldn’t run screaming either. Your browser will still connect to your bank using rc4 without a warning.

      Two easy fixes they could do. First, discard the first 1024 bytes of the stream. Second, rekey somewhat frequently. But swapping in chacha is basically equally easy/difficult. There’s no reason to keep fixing rc4 random based generators.
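To make the "weak first part of the stream" and "discard the first 1024 bytes" points above concrete, here is an added example (not c-ares code) that implements RC4 and measures the well-known Mantin-Shamir bias: across many fresh keys the second keystream byte is 0 about twice as often as a uniform generator would produce, and the excess vanishes once the first 1024 bytes are discarded. The xorshift64 key source is a constructed stand-in for the experiment, not a CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

/* RC4 key schedule (KSA): permute S using the key bytes. */
static void rc4_init(rc4_t *st, const uint8_t *key, size_t keylen) {
    for (int k = 0; k < 256; k++) st->S[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % keylen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* One keystream byte (PRGA). */
static uint8_t rc4_byte(rc4_t *st) {
    st->i++;
    st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Constructed key source for the experiment (xorshift64, NOT a CSPRNG). */
static uint64_t xs_state = 0x9E3779B97F4A7C15ULL;
static uint64_t xs_next(void) {
    xs_state ^= xs_state << 13; xs_state ^= xs_state >> 7; xs_state ^= xs_state << 17;
    return xs_state;
}

/* Over `trials` fresh 128-bit keys, count how often the second keystream byte is 0
 * after skipping `discard` bytes: ~trials/256 if uniform, ~2*trials/256 with no discard. */
unsigned count_second_byte_zero(unsigned trials, unsigned discard) {
    unsigned zeros = 0;
    for (unsigned n = 0; n < trials; n++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k += 8) { uint64_t r = xs_next(); memcpy(key + k, &r, 8); }
        rc4_t st; rc4_init(&st, key, sizeof key);
        for (unsigned d = 0; d < discard; d++) (void)rc4_byte(&st);
        (void)rc4_byte(&st);              /* first keystream byte */
        if (rc4_byte(&st) == 0) zeros++;  /* second keystream byte */
    }
    return zeros;
}

int main(void) {
    unsigned t = 50000, raw = count_second_byte_zero(t, 0), skip = count_second_byte_zero(t, 1024);
    printf("uniform expectation ~%u, no discard: %u, discard 1024: %u\n", t / 256, raw, skip);
    return 0;
}
```

With 50000 keys the uniform expectation is about 195 zeros; the undiscarded run lands near 390, the discarded run near 195.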