Just as a quick explanatory note, the generation of random numbers through this type of algorithm is normally relied upon when large quantities of random digits are needed. As an example, consider the need to inject randomness into online gaming – e.g. lotteries, betting, casinos, poker and the like. Professor Vigna explains that generating numbers in a truly random way has always been hard and expensive. Therefore, specific algorithms have been defined in order to simulate the randomness that only physical processes can guarantee – e.g. consider the act of rolling dice. Now, since that would be quite costly to reproduce – expensive hardware devices that, through various physical methods, provide the generator with the necessary level of entropy – many algorithms have been developed in the attempt to reach at least a decent level of randomness. Of course, the existence of an algorithm, no matter how complex or sophisticated, will always entail that the next digit can somehow be predicted, at least in theory. This has given rise to the term “pseudo-random”, since such output is not “truly random” according to a more rigorous definition.
Now, clearly, with e-commerce being called into question so explicitly, it was only natural to expect that at least a bunch of question marks would be raised. Someone has in fact even brought up PCI DSS compliance, as if the impact of such an issue could be of any relevance in this case. Well, let’s be very straight on this: this is NOT a new SSL/TLS case or anything of the sort. But before reaching the bottom line, let me very quickly illustrate the various approaches to random number generation.
Nowadays, random generators are, generally speaking, split into several categories, which include but are not limited to the aforementioned PRNG. A PRNG is the least sophisticated option and, precisely because of that, it is normally not relied upon when dealing with sensitive or critical data. PRNGs are, in short, a cheaper way to get quick-and-dirty randomness for not-so-crucial purposes. For more critical purposes there are more reliable options, such as the CSPRNG (cryptographically secure pseudo-random number generator), a category of PRNG with features that make it far better suited for use in cryptography. Such mechanisms are slower, but you can quite safely generate a public/private key pair with them. Then, for very critical purposes, there is also the TRNG (true random number generator), which, as mentioned above, relies on physical devices to guarantee the maximum level of randomness.
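To make the two points above concrete (that a PRNG's future is entirely determined by its state, and that key material therefore belongs to a CSPRNG rather than a plain PRNG), here is an added example, written for this post and not taken from it or from Professor Vigna's own code. It re-implements xorshift128+ in Python using the shift triple (23, 18, 5) from Vigna's 2014 reference code, and stands it next to Python's `secrets` module, which draws from the operating system's CSPRNG. The seed values and the 32-byte key length are constructed for the demonstration.

```python
"""Plain PRNG (xorshift128+) versus a CSPRNG, to illustrate why the two
are not interchangeable. Added example; seeds and key size are constructed."""

import secrets

MASK64 = (1 << 64) - 1


class XorShift128Plus:
    """xorshift128+ with shifts (23, 18, 5), as in Vigna's 2014 reference code.

    It is fast and statistically good, but the whole output stream is a
    deterministic function of 128 bits of state. That is what "pseudo" means:
    anyone holding the state knows every future output.
    """

    def __init__(self, seed0: int, seed1: int) -> None:
        if (seed0 & MASK64) == 0 and (seed1 & MASK64) == 0:
            # An all-zero state never leaves zero; the generator would be stuck.
            raise ValueError("xorshift state must not be all zero")
        self.s0 = seed0 & MASK64
        self.s1 = seed1 & MASK64

    def next(self) -> int:
        """Advance the state and return the next 64-bit output."""
        s1 = self.s0
        s0 = self.s1
        result = (s0 + s1) & MASK64          # the "+" in xorshift128+
        self.s0 = s0
        s1 ^= (s1 << 23) & MASK64            # shift a (truncate to 64 bits)
        self.s1 = s1 ^ s0 ^ (s1 >> 18) ^ (s0 >> 5)  # shifts b and c
        return result

    def state(self) -> tuple[int, int]:
        """Expose the 128-bit internal state (two 64-bit words)."""
        return (self.s0, self.s1)


def prng_stream(seed0: int, seed1: int, n: int) -> list[int]:
    """Return the first n outputs for a given seed.

    Same seed, same stream: fine for simulations and games that only need
    statistical randomness, but useless as a source of secrets.
    """
    gen = XorShift128Plus(seed0, seed1)
    return [gen.next() for _ in range(n)]


def predict_next_from_state(state: tuple[int, int]) -> int:
    """Given a copy of the state, compute exactly what the generator will
    emit next. This is the theoretical predictability the post refers to."""
    clone = XorShift128Plus(*state)
    return clone.next()


def csprng_key(nbytes: int = 32) -> bytes:
    """Key material comes from the OS CSPRNG (secrets -> os.urandom), never
    from a plain PRNG such as the one above."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    # Two generators seeded identically produce the same stream (constructed seeds).
    assert prng_stream(0x1234, 0x5678, 4) == prng_stream(0x1234, 0x5678, 4)

    # Knowing the state means knowing the next output.
    gen = XorShift128Plus(0x1234, 0x5678)
    snapshot = gen.state()
    print("predicted :", predict_next_from_state(snapshot))
    print("actual    :", gen.next())

    # A CSPRNG key, by contrast, is not reproducible from any public state.
    print("key       :", csprng_key().hex())
```

The `predict_next_from_state` helper is the whole argument in one function: a PRNG is reproducible by design, which is exactly the property you want for a lottery simulation and exactly the property you cannot afford in a session token or a TLS key. That is why the e-commerce framing in the press does not follow from a better xorshift.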
My most sincere congratulations go to Professor Vigna and his team; they should surely pride themselves on a very good achievement. But saying that the security of online purchases was at risk and that xorshift128+ has rescued e-commerce is quite an exaggeration. Typical cheap sensationalism from the blunt media.