Agreed.
On Fri, Dec 27, 2013 at 8:40 AM, Daniel Kulp <dk...@apache.org> wrote:
>
> I’m really against committing this.
>
> It involves flipping from Random to SecureRandom for a bunch of places that
> do not require or need the security aspects of SecureRandom. Randomly
> selecting the next server for load balancing and the redelivery stuff
> certainly does NOT require the full secure randomness.
>
> However, using SecureRandom in these cases would then start consuming system
> entropy that could then be needed for cases where it IS required, like
> cryptography. Without that entropy available, it could severely slow down
> or hang some of the cryptography cases.
>
> The veracode notice explicitly says:
>
>> If this random number is used where security is a concern, such as
>> generating a session key or session identifier
>
> which is NOT the case here. Thus, this is not a concern.
>
> Dan
>
>
> On Dec 26, 2013, at 7:47 AM, MrLion <g...@git.apache.org> wrote:
>
>> GitHub user MrLion opened a pull request:
>>
>> https://github.com/apache/camel/pull/80
>>
>> VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID 331)
>>
>> During a Veracode scan of our application we discovered several warnings in
>> Camel. Please review our fix and apply it if it makes sense.
>>
>> Quote from Veracode report below:
>> Insufficient Entropy (CWE ID 331) (7 flaws)
>> Description
>> Standard random number generators do not provide a sufficient amount of
>> entropy when used for security purposes.
>> Attackers can brute force the output of pseudorandom number generators
>> such as rand().
>> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of
>> code. 1 day to fix.
>> Recommendations
>> If this random number is used where security is a concern, such as
>> generating a session key or session identifier, use a trusted cryptographic
>> random number generator instead. These can be found on the Windows platform
>> in the CryptoAPI or in an open source library such as OpenSSL.
>>
>> You can merge this pull request into a Git repository by running:
>>
>> $ git pull https://github.com/engagepoint/camel patch-ENT-Entropy
>>
>> Alternatively you can review and apply these changes as the patch at:
>>
>> https://github.com/apache/camel/pull/80.patch
>>
>> ----
>> commit de7766f2451a7013b54c285f378bf7cbfef1d766
>> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
>> Date: 2013-12-20T14:43:55Z
>>
>> VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer
>>
>> commit a1920ad74c7f10ce3148482bd7d033b530a3e681
>> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
>> Date: 2013-12-20T14:49:43Z
>>
>> VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy
>>
>> commit a3ea9952d612a7214815d5ea3c2102fd7819eb6d
>> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
>> Date: 2013-12-20T14:52:50Z
>>
>> VERACODE-663: fix of CWE ID 331 insufficient entropy in
>> WeightedRandomLoadBalancer
>>
>> commit fa7a52fe6ce05a26c3826161fc8c3e42eebb2861
>> Author: leonid.marushevskiy <leonid.marushevs...@engagepoint.com>
>> Date: 2013-12-20T14:56:10Z
>>
>> VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil
>>
>> ----
>>
>
> --
> Daniel Kulp
> dk...@apache.org - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
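The split Dan draws above, between randomness that only needs to be well distributed (picking the next endpoint, jittering a redelivery delay) and randomness that must be unpredictable (a session identifier), as an added Java example. This is not code from the thread or from Camel: the class name, the endpoint list and the jitter formula are constructed for illustration, and the comments on which Linux device each SecureRandom call reads describe the JDK's NativePRNG provider, which is the relevant part of the entropy-starvation concern raised in the reply.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Illustrative separation of non-security randomness (load balancing,
 * redelivery jitter) from security-sensitive randomness (session ids).
 * Not Camel's code: names, sample data and the back-off formula are assumptions.
 */
public final class RandomnessChoice {

    /** Constructed sample endpoint list; stands in for a load balancer's targets. */
    static final List<String> SERVERS = Arrays.asList("app-1", "app-2", "app-3");

    /**
     * Non-security use: choose the next endpoint. ThreadLocalRandom is a fast
     * per-thread PRNG seeded once inside the JVM; using it never touches the OS
     * entropy pool, so it cannot starve callers that genuinely need entropy.
     */
    static String pickServer() {
        return SERVERS.get(ThreadLocalRandom.current().nextInt(SERVERS.size()));
    }

    /**
     * Non-security use: spread retries so that many failed exchanges do not all
     * fire again in the same instant. The formula is illustrative only and is not
     * Camel's RedeliveryPolicy arithmetic.
     */
    static long jitteredDelayMillis(long baseDelayMillis, double collisionAvoidanceFactor) {
        if (baseDelayMillis <= 0 || collisionAvoidanceFactor < 0 || collisionAvoidanceFactor > 1) {
            throw new IllegalArgumentException("delay must be > 0 and factor in [0,1]");
        }
        // uniform in [-factor, +factor]; a factor of 0.15 gives +/- 15 %
        double jitter = (ThreadLocalRandom.current().nextDouble() * 2 - 1) * collisionAvoidanceFactor;
        return Math.max(1L, Math.round(baseDelayMillis * (1 + jitter)));
    }

    /**
     * Security use: one shared instance is enough, SecureRandom is thread-safe.
     * With the JDK's default Linux provider (NativePRNG) nextBytes() draws from
     * /dev/urandom and does not block. What can block on an entropy-starved host
     * is generateSeed(), the NativePRNGBlocking algorithm, and (Java 8+)
     * SecureRandom.getInstanceStrong(), which selects NativePRNGBlocking on Linux
     * by default. None of those is needed for a session id.
     */
    private static final SecureRandom SECURE = new SecureRandom();

    /** 256 bits of CSPRNG output, URL-safe encoded: an unguessable session identifier. */
    static String newSessionId() {
        byte[] raw = new byte[32];
        SECURE.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        System.out.println("next server : " + pickServer());
        System.out.println("retry delay : " + jitteredDelayMillis(1000, 0.15) + " ms");
        System.out.println("session id  : " + newSessionId());
    }
}
```

The practical check when triaging a CWE-331 finding is the one applied in the reply: ask whether an attacker who could predict the next value would gain anything. For `pickServer` and `jitteredDelayMillis` the answer is no, so `ThreadLocalRandom` (or a plain `Random`) is the right tool; for `newSessionId` the answer is yes, so `SecureRandom.nextBytes` is required, and the non-blocking default provider already gives that without draining `/dev/random`.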