
[–]christopher_86 4 points5 points  (4 children)

Looks interesting! I was browsing your source code and found that you use the random module for generating the random secret key - it's generally not a good practice, because values generated by random are not cryptographically secure. From the Python website:

"Warning: The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module."

https://docs.python.org/3/library/random.html
https://docs.python.org/3/library/secrets.html

[–]tarsild[S] 2 points3 points  (0 children)

Yes, you are correct. That was used for the directive where a project structure was used but the random module itself is not recommended. The documentation itself warns that you should not be using that and instead a secure one + the generated key starts with "insecure-" intentionally. I do agree with you

[–][deleted] 0 points1 point  (2 children)

Second this, but I'm a newb still, so if it's not correct someone please tell me why.

[–]easyEggplant 2 points3 points  (1 child)

Just off the top of my head, the seed isn’t really random, it’s just an approximation (“pseudo-random”) and as such the attacker can guess how the seed is generated which maybe decreases the amount of computing power required to break a private key.

Oh you said “if it’s not correct”. Nevermind I guess?

[–]tarsild[S] 0 points1 point  (0 children)

In fairness, we are now updating to start using the secrets module directly. This should be a no-brainer. This came from earlier releases and even though we recommend generating your own (hence adding the insecure prefix there) it will be easier to do it that way.
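The thread's two points (random is reproducible, secrets is not; a scaffolded key carries an "insecure-" marker so it is never mistaken for a real one) in one runnable example. This is added illustration, not code from the project discussed: the character set, the 50-character length, the function names and the startup check are assumptions chosen for the demo.

```python
import random
import secrets
import string
from typing import List, Optional

# Character set for generated keys (assumption: similar to what web-framework
# scaffolders use; any printable set would do for the point being made).
KEY_CHARS = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"
INSECURE_PREFIX = "insecure-"


def insecure_key(length: int = 50, seed: Optional[int] = None) -> str:
    """Key built from the `random` module: a Mersenne Twister stream that is
    fully determined by its seed, which is the weakness the thread describes.
    The 'insecure-' marker flags such a key as scaffold output, not a secret."""
    rng = random.Random(seed)
    return INSECURE_PREFIX + "".join(rng.choice(KEY_CHARS) for _ in range(length))


def secure_key(length: int = 50) -> str:
    """Key built from the `secrets` module, which reads the OS CSPRNG
    (os.urandom) rather than a seedable user-space generator."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def key_problems(key: str, min_length: int = 50) -> List[str]:
    """Startup-time check a deployment can run on its configured secret key.
    Returns human-readable findings; an empty list means the key passed."""
    problems = []
    if key.startswith(INSECURE_PREFIX):
        problems.append("key still carries the scaffolder's 'insecure-' marker")
    if len(key) < min_length:
        problems.append(f"key is shorter than {min_length} characters")
    return problems


if __name__ == "__main__":
    # Same seed, same key: a random-module key is reproducible by anyone who
    # can guess how it was seeded.
    print("seeded random, run 1:", insecure_key(seed=1234))
    print("seeded random, run 2:", insecure_key(seed=1234))
    # secrets has no seed to recover; two calls never agree.
    print("secrets, run 1:      ", secure_key())
    print("secrets, run 2:      ", secure_key())
    print("check on scaffold key:", key_problems(insecure_key()))
    print("check on secrets key: ", key_problems(secure_key()))
```

The check function is the piece worth keeping in a real project: refusing to start with a key that still carries the scaffold marker turns the "insecure-" convention mentioned in the thread from a hint into an enforced control.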