I spend a bit of time around the security community also and came across this read today that was a bit unsettling but I thought it was worth sharing all the same.
It did lead me to wonder: I’ve never seen a public security person attached to the Dart or Flutter team like I’ve seen with other languages, and I was wondering if there was any way of getting some more transparency from the team about what things look like on their side and how things could be improved, especially now with lots of talk about Flutter being ready for production and whatnot.
I really would like to hear a statement by the Dart/Flutter team @CraigLabenz
To me the article feels a bit like it’s trying to prove a problem where I’m not sure there really is one in real world applications.
Isn’t 2/3rds of the article talking about how it went wrong in real life? The same thing also happened in the uuid package. I don’t know that that’s a fair statement to make.
The very first significant mistake is stating that Dart runs in a VM which only happens in debug and I honestly could care less if there is a security risk while I am running the app inside the debugger.
Would I dream of using the Dart random function to implement any secure algorithms? Not in a lifetime.
How applicable do you see the stated problems for your apps?
I feel like you’re missing the point here that there are a number of real life examples of where this exact issue has caused real issues in real production applications. That isn’t a hypothetical scenario.
These scenarios were possible because developers used the insecure Random function where a secure version exists.
At least one of the first things I recall from when I learned about rnd() functions decades ago was that they are only pseudo random. To not verify this when implementing security relevant code is irresponsible, but that is not a problem of Dart or Flutter, yet the article is framed as if it were.
That doesn’t change the fact that any developer working on security code should be aware of pseudo randomness. It’s like that forever because outside of security the pseudo random is totally fine.
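To make concrete the distinction the two posts above draw (a seeded PRNG replays its sequence, while a secure source does not), here is an added Dart example that is not from any poster or from the article; the helper names `weakToken` and `secureToken` are mine, and the token layout (16 random bytes, base64url) is an assumed convention.

```dart
import 'dart:convert';
import 'dart:math';

/// Weak: dart:math Random is a PRNG. Given the same seed it replays the
/// same sequence, so any token derived from it is reproducible by anyone
/// who can guess or observe the seed. Fine for shuffling a list, not for
/// session ids or reset tokens. (Helper name is mine, not from the page.)
String weakToken(int seed, {int bytes = 16}) {
  final rng = Random(seed);
  final buf = List<int>.generate(bytes, (_) => rng.nextInt(256));
  return base64UrlEncode(buf);
}

/// Fixed: Random.secure() draws from the platform's cryptographic source
/// and throws UnsupportedError where none is available, which is what you
/// want for a secret rather than silently falling back to a PRNG.
String secureToken({int bytes = 16}) {
  final rng = Random.secure();
  final buf = List<int>.generate(bytes, (_) => rng.nextInt(256));
  return base64UrlEncode(buf);
}

/// Demonstrates the property under discussion: two weak generators seeded
/// alike produce identical "random" tokens, two secure draws do not.
bool seedReplays(int seed) => weakToken(seed) == weakToken(seed);
bool secureRepeats() => secureToken() == secureToken();

void main() {
  print('same seed replays token: ${seedReplays(42)}');
  print('secure draws collide:    ${secureRepeats()}');
}
```

A code search for `Random()` in anything that produces tokens, nonces, ids or keys is the quick audit the thread implies; each hit should either be justified as non-security use or switched to `Random.secure()`.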
And this article is written in a way that gives the impression that the author found something scandalous, which it isn’t. Seeing that he is marketing his skills as a security advisor may explain why he wrote it this way.
Sigh… this is an extremely frustrating and circular conversation that doesn’t seem to be going anywhere so I’m going to stop replying to you beyond this for now.
You might not think it’s a problem, but others who are, I would politely suggest, more qualified on the topic would disagree with you.
You can blame developers all you want but it won’t improve or fix the situation.
My main critique is the way this article is framed.
The central point could have been made in a couple of paragraphs referencing that there have been real world risks because of that.
And it’s not that the Random function would do anything different from what its docs say. If that were the case I would totally understand the fuss.
BTW, I would appreciate not being lectured in that tone.
You once again seem to be very selective with your reading to only support the original point you had started with while somehow managing to ignore that they all agreed that it is in fact a problem and are going to be changing it as a result.
So, no that’s kind of not at all in line with your point that developers should just figure it out for themselves. But I really don’t want to have this argument, it’s a waste of everyone’s time.
Sorry, but I could say exactly the same about you.
They agree that it’s a good idea to change it but Lasse clearly makes the point that someone who doesn’t know the problem of pseudo randomness shouldn’t write security relevant code.
It’s far from the scandalous tone of the linked article.
And again you are trying to obtain some higher status by suggesting I read selectively, adding a personal attack, which is not appropriate.
I’ve had four conversations with you now in a row on four different topics that have all ended the exact same way. I have no interest in having any further. You just seem like a particularly argumentative person to me. Please just leave me alone after I’ve already made it clear I don’t want to get into a back and forth with you any more.