opentrace-community / opentrace-cloud-functions

OpenTrace Cloud Functions. Reference implementation of the BlueTrace protocol.
https://bluetrace.io
GNU General Public License v3.0

Use of synchronous crypto.randomBytes() not recommended #33

Closed mashbu closed 4 years ago

mashbu commented 4 years ago

I believe the use of the synchronous version of crypto.randomBytes() in a server context to generate the IV is not recommended. https://nodejs.org/uk/docs/guides/dont-block-the-event-loop/#blocking-the-event-loop-node-js-core-modules

The synchronous version can block the Event Loop, and a malicious actor can repeatedly request TempIDs, resulting in a possible DoS attack.

qtangs commented 4 years ago

What you're referring to is relevant to the case of a traditional server setup where one server (or a cluster of servers) handles all requests. In this case, we're using Cloud Functions, where each execution is independent of all other executions.

mashbu commented 4 years ago

Ah, that makes sense. Thank you.