[reposted as the initial submission timed out without confirmation]

Viewing the previous replies to your script posting, I'd say it's a good thing you don't increase the entropy count based on that script. After all, you're using an unencrypted http: connection. As such, it'd be a (relatively) simple matter for an attacker, indeed, even a remote attacker, to do a MitM attack and substitute whatever he wanted into the "response from random.org", which for all you know is anything but.

So yes, in line with the theme of the article, adding the bits shouldn't do any harm, as long as you don't count it as added entropy. However, it certainly can't be counted on to /help/ either, since you've really no idea where the data is coming from or how predictable it might be, so it's a good thing your script does /not/ have the system count it as added entropy.

Of course, the first instinct would then be to use an encrypted/ssl connection. However, I believe that'd be defeating the purpose to some extent, since creating the encrypted connection will (I assume, I'm no authority and really haven't a clue, only a guess) consume entropy in the first place. Assuming it's allowed, one could then grab more entropy from random.org than was consumed, but there'd still need to be some entropy available initially or the encrypted connection itself would be suspect.

I'm really surprised nobody else noted this in their replies... <shrug>

Duncan
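
The point about mixing without crediting can be shown with a toy model. This is an added example, not part of the comment above and not the kernel's actual pool algorithm; `ToyPool`, `guesses_needed` and the sample bytes are hypothetical names and constructed values. It compares the entropy estimate with the real work an attacker faces when the mixed-in data is attacker-chosen.

```python
import hashlib

class ToyPool:
    """Simplified hash-based pool (assumption: NOT the Linux implementation)."""
    def __init__(self, seed: bytes, seed_bits: int):
        self.state = hashlib.sha256(seed).digest()
        self.credited_bits = seed_bits          # the accounting, not the truth

    def mix(self, data: bytes, credit_bits: int = 0) -> None:
        # The new state depends on the old state and the input, so known
        # input cannot make the state easier to guess than it already was.
        self.state = hashlib.sha256(self.state + data).digest()
        self.credited_bits = min(256, self.credited_bits + credit_bits)

    def read(self, n: int = 16) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()[:n]

def guesses_needed(observed: bytes, injected: bytes, seed_candidates) -> int:
    """Someone who knows `injected` replays it over every candidate seed."""
    for tries, seed in enumerate(seed_candidates, 1):
        trial = ToyPool(seed, 0)
        trial.mix(injected)
        if trial.read() == observed:
            return tries
    return -1

def demo():
    injected = b"constructed-mitm-response" * 4     # constructed sample data
    weak_seeds = [bytes([i]) for i in range(256)]   # 8 bits of real uncertainty
    secret_seed = bytes([173])                      # constructed sample seed

    uncredited = ToyPool(secret_seed, seed_bits=8)
    uncredited.mix(injected)                        # mixed in, counted as 0 bits

    credited = ToyPool(secret_seed, seed_bits=8)
    credited.mix(injected, credit_bits=len(injected) * 8)

    # Both pools hold the same state; only the bookkeeping differs.
    tries = guesses_needed(credited.read(), injected, weak_seeds)
    return uncredited.credited_bits, credited.credited_bits, tries

if __name__ == "__main__":
    honest, claimed, tries = demo()
    print(f"uncredited estimate: {honest} bits, credited estimate: {claimed} bits")
    print(f"seed recovered after {tries} guesses in both cases")
```

The uncredited pool keeps an honest 8-bit estimate, while the credited one reports 256 bits even though the same 256-candidate search recovers its output.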
Copyright © 2017, Eklektix, Inc.