Skip to content

Masking is not cryptographically secure #1676

New issue
New issue
Closed
dart-archive/web_socket_channel
#335
Closed
Masking is not cryptographically secure#1676
dart-archive/web_socket_channel
#335
Labels
package:web_socket_channel
@danielgrad

Description

@danielgrad
danielgrad
opened on Mar 22, 2024

The random number generator used for masking frames is not cryptographically secure:

https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L28
https://github.com/dart-lang/web_socket_channel/blob/3db86bc0a09e1038a0fa418262c8a92211c5de69/lib/src/copy/web_socket_impl.dart#L508-L514

This is a security concern (CWE-331), and deviates from RFC 6455 section 10.3:

Clients MUST choose a new masking key for each frame, using an
algorithm that cannot be predicted by end applications that provide
data. For example, each masking could be drawn from a
cryptographically strong random number generator.

Metadata

Metadata

Assignees

No one assigned

    Labels

    package:web_socket_channel

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions