webrtcHacks / adapter

Shim to insulate apps from spec changes and prefix differences. Latest adapter.js release:
https://webrtcHacks.github.io/adapter/adapter-latest.js
BSD 3-Clause "New" or "Revised" License

Using weak crypto to generate session ids. #1055

Closed sfdc-ca closed 3 years ago

sfdc-ca commented 4 years ago

Versions affected

Browser name including version (e.g. Chrome 64.0.3282.119)

adapter.js (e.g. 6.1.0)

Description

SDPUtils.generateSessionId() appears to use weak crypto

Steps to reproduce

Visit https://github.com/webrtcHacks/adapter/blob/8895ce9ab1fdbdcd3ac5215fde34433ac9c4ce9d/release/adapter.js#L5467

Expected results

Do not use Math.random; use a crypto library

Actual results

fippo commented 4 years ago

This should have been filed in the sdp package?

The code has a comment about this not following the specification; however, the specification only recommends and does not mandate cryptographically secure session ids. I haven't seen anyone actually using the session id in a way that requires even basic randomness.

fippo commented 3 years ago

Edge shim is gone from the main distribution and lacks feedback on why this is an issue.
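
As an added example (not code from adapter.js or the sdp package), the sketch below contrasts a `Math.random`-based id of the kind the issue describes with one built the way JSEP (RFC 8829) recommends for `<sess-id>`: a 64-bit quantity with the highest bit zero and the remaining 63 bits cryptographically random. The names `weakSessionId`, `secureSessionId` and `originLine`, and the `0.0.0.0` address in the `o=` line, are assumptions made for illustration.

```javascript
// Added example; all function names here are hypothetical.
// Web Crypto: global in browsers and recent Node, node:crypto fallback otherwise.
const cryptoImpl = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Pattern the issue describes (illustrative, not copied from adapter.js):
// decimal digits taken from Math.random(), which is not a CSPRNG and makes
// no unpredictability guarantee.
function weakSessionId() {
  return Math.random().toString().slice(2, 21);
}

// 63 random bits from a CSPRNG, returned as a decimal string.
// getRandomValues is injectable so the bit handling can be tested deterministically.
function secureSessionId(getRandomValues = (a) => cryptoImpl.getRandomValues(a)) {
  const bytes = getRandomValues(new Uint8Array(8));
  bytes[0] &= 0x7f; // clear the highest bit: value fits a signed 64-bit integer
  let id = 0n;
  for (const b of bytes) {
    id = (id << 8n) | BigInt(b); // big-endian accumulate
  }
  // Use BigInt throughout: a Number would lose precision above 2^53.
  return id.toString(10);
}

// Build the SDP origin line: o=<username> <sess-id> <sess-version> <nettype> <addrtype> <address>
function originLine(sessId, sessVersion = 0) {
  if (!/^\d{1,19}$/.test(sessId)) {
    throw new Error('sess-id must be 1-19 decimal digits');
  }
  return `o=- ${sessId} ${sessVersion} IN IP4 0.0.0.0`;
}
```
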