HTTP error "301 Permanently Moved" used as seed for random number

crowning · Jun 2, 2015

http://www.theguardian.com/technology/2015/jun/01/bitcoin-app-critical-update-bug-crypto-breakdown

TL;DR: when Blockchain's Bitcoin app for Android fails to internally create a random number it queries the website random.org.

random.org changed the protocol from HTTP(

) to HTTPS and the app got HTTP error "301 Permanently Moved" EACH single time as seed for the next random number, thus creating always the same wallet address.

Sub-Ether · Jun 3, 2015

Am surprised they even pull a random number off a website, surely thats an attack vector for a hacker, how hard can it be to generate a random number with an advanced cpu?!

crowning · Jun 3, 2015

Sub-Ether said:
Am surprised they even pull a random number off a website, surely thats an attack vector for a hacker

That's why I put the

after the HTTP....HTTPS is a bit better in this regard.

how hard can it be to generate a random number with an advanced cpu?!

Very!
Almost impossible...

Sub-Ether · Jun 4, 2015

crowning said:
That's why I put the

after the HTTP....HTTPS is a bit better in this regard.

Very!
Almost impossible...

Ok, I meant pseudo random :grin:

Sub-Ether · Jun 4, 2015

crowning said:
Almost impossible...

This is how I would generate white noise, and then would simply use an analogue to digital converter to produce a random number.
(zener diodes produce 'shot' noise)

Edit: Lol, I just noticed they had that idea already but for quantum keys!
http://www.iasj.net/iasj?func=fulltext&aId=85239

HTTP error "301 Permanently Moved" used as seed for random number

crowning

Well-known member

Sub-Ether

Well-known member

crowning

Well-known member

Sub-Ether

Well-known member

Sub-Ether

Well-known member