
This post is from last year, so I checked the nginx source to see if they had fixed things since then.

Nope! Still using ngx_random to generate packet IDs:

http://hg.nginx.org/nginx/file/tip/src/core/ngx_resolver.c#l...

And ngx_random is still #defined to random:

http://hg.nginx.org/nginx/file/tip/src/core/ngx_config.h#l57



You are correct. They never fixed issues #2, #3, and #6 (as stated under "Vendor response".) Any half-decent resolver properly randomizes both ports and txid not using the predictable libc random(), but nginx developers have staunchly refused to do so...


Thanks for posting this publicly!

I suggest updating your post to say that the issues are still unfixed as of today's date.


Done.
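For readers following the thread: an added example, not nginx code and not written by any commenter, contrasting a 16-bit DNS transaction ID taken from libc random() with an ID and source port drawn from the OS CSPRNG. The function names are hypothetical, and /dev/urandom is assumed to be available (Unix-like system).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

long random(void); void srandom(unsigned seed); /* POSIX; repeated for strict -std= builds */

/* Weak form: random() is a deterministic PRNG, so anyone who learns or
 * guesses its state knows every ID that follows. */
static uint16_t weak_txid(void) { return (uint16_t)(random() & 0xffff); }

/* Returns 1 if reseeding random() replays exactly the same IDs. */
static int weak_ids_repeat(unsigned seed) {
    uint16_t a[4], b[4];
    srandom(seed);
    for (int i = 0; i < 4; i++) a[i] = weak_txid();
    srandom(seed);
    for (int i = 0; i < 4; i++) b[i] = weak_txid();
    for (int i = 0; i < 4; i++) if (a[i] != b[i]) return 0;
    return 1;
}

/* Fill buf with n bytes from the kernel CSPRNG; 0 on success, -1 on failure. */
static int csprng_bytes(void *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Hardened form: transaction ID straight from the CSPRNG. */
static int secure_txid(uint16_t *out) { return csprng_bytes(out, sizeof *out); }

/* Hardened source port: uniform over 1024..65535. Rejecting low values
 * instead of taking a modulus keeps the distribution unbiased. */
static int secure_src_port(uint16_t *out) {
    uint16_t v;
    do {
        if (csprng_bytes(&v, sizeof v) != 0) return -1;
    } while (v < 1024);
    *out = v;
    return 0;
}

int main(void) {
    uint16_t id, port;
    if (secure_txid(&id) != 0 || secure_src_port(&port) != 0) return 1; /* fail closed */
    printf("random() replays after reseed: %d\n", weak_ids_repeat(1));
    printf("txid=0x%04x src_port=%u\n", id, port);
    return 0;
}
```

A resolver should treat a CSPRNG failure as a reason not to send the query, rather than falling back to random().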



