[Freedombox-discuss] secure UUIDs
Jonas Smedegaard
dr at jones.dk
Sat Jul 20 18:38:51 UTC 2013
Hi fellow FreedomBox developers,
I just stumbled upon the following, potentially interesting for someone
here to investigate further:
Perl module [Data::UUID::MT] includes in its documentation a comparison
between Perl-based UUID generators, including weak uses of random data
and details like "For libuuid based modules, Version 1 UUIDs will
include the actual MAC address, if available".
[Data::UUID::MT]: https://metacpan.org/module/Data::UUID::MT
Perhaps an interesting task to investigate...:
* Is that documentation accurate and up-to-date?
* How do non-Perl UUID generators compare (e.g. libuuid bindings)?
I do understand that use of MAC addresses is part of the RFC standard
and is legal to circumvent. My concern here is that it sounds like the
quite common libuuid may leak the MAC address by _default_, i.e. need special
care at each use that may later be exposed to external hosts.
Cc'ing Daniel explicitly as he has requested in the past to be nudged
gently regarding security-related issues :-)
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
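
The concern raised in the message above can be checked on any UUID a service exposes. The following is an added example, not part of the original post: it decodes a version 1 UUID's node and timestamp fields and applies the RFC 4122 multicast-bit rule to tell a hardware-style address from a random node. `make_v1`, `audit_uuid` and the sample values (a documentation-range MAC, the message's own send time) are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100 ns ticks from the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def make_v1(when, node, clock_seq=0):
    """Build a version 1 UUID from fixed inputs (for constructed samples only)."""
    ticks = ((when - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi with version nibble 1
        0x80 | ((clock_seq >> 8) & 0x3F),   # RFC 4122 variant + clock_seq_hi
        clock_seq & 0xFF,                   # clock_seq_low
        node,                               # 48-bit node field
    ))


def audit_uuid(text):
    """Report what a UUID string discloses about the host that generated it."""
    u = uuid.UUID(text)
    report = {"version": u.version, "node": None, "created": None,
              "hardware_address": False}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return report  # only version 1 is examined here
    report["node"] = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    report["created"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    # RFC 4122 section 4.5: a randomly chosen node ID sets the multicast bit
    # (lowest bit of the first octet). A clear bit means the field has the
    # form of a unicast interface address, i.e. it looks like a real MAC.
    report["hardware_address"] = ((u.node >> 40) & 0x01) == 0
    return report


# Constructed samples: timestamp taken from the message's Date header.
SENT = datetime(2013, 7, 20, 18, 38, 51, tzinfo=timezone.utc)
SAMPLES = [
    str(make_v1(SENT, 0x00005E005301)),      # documentation-range unicast MAC
    str(make_v1(SENT, 0xB5A1C2D3E4F7)),      # random node, multicast bit set
    "f47ac10b-58cc-4372-a567-0e02b2c3d479",  # version 4, no node field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit_uuid(sample))
```

Note that even the random-node sample still discloses its creation time; only the version 4 sample reveals neither field.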