[tptacek]

There have been basically no practical attacks on the LRNG or on Windows CryptGenRandom and its subsequents over the last 20+ years. People have gone of out of their way to build userspace RNGs and blown their toes off, but getrandom/urandom have been rock solid.

I think "don't use Mersenne Twister as your RNG" is a much safer bit of load-bearing advice than "use precisely these safe settings for your JWTs".

[doc_ick]

I hear a lot of “basically” and “rock solid”, yet still no answer to my question or no “perfect” claim.

Edit: an impractical attack can still be used

[tptacek]

Name the impractical attack that can be used on getrandom(), please.

[doc_ick]

1) https://cwe.mitre.org/data/definitions/338.html 2) if a system has partial entropy, output can be predictable https://www.netbsd.org/~riastradh/tmp/20200510/getrandom.htm... 3) the setting flag of GRND_INSECURE https://www.netbsd.org/~riastradh/tmp/20200510/getrandom.htm...

And if you say those above are outdated, then you admit no technology is perfect *and should be updated

You’re welcome

[tptacek]

I don't think you understand the links you just presented me. Two of them are getrandom man pages from NetBSD, and one of them is a CWE, which documents a broad class of vulnerabilities --- the specific vulnerability here being "not using getrandom".

It's ok if you're totally unfamiliar with this space, but I'd recommend replacing some periods with question marks in your comments.

[doc_ick]

I’m not quite sure you can read. The two points with getrandom directly tie into the points made, and the cwe points to the larger vuln.

Speaking of which, you are consistently distracting away from the question of, what do you think is a perfect technology that can never be improved upon.

Edit: separate track, i will agree random strings can be useful if you agree technology should always be updated.

EditEdit:provide me a recipie of Oreo cookie smore pie