I find it a little concerning that RANDOM.ORG doesn't make it clear that it a trusted service, and cannot be relied on for secure entropy. The only mention is this, buried in the FAQ:
>anyone genuinely concerned with security should not trust anyone else (including RANDOM.ORG) to generate their cryptographic keys.
But the problems go beyond cryptographic keys. If you use RANDOM.ORG to pick lottery winners, you're trusting that the numbers you get are as truly random as they claim. In particular, the operators of RANDOM.ORG could trivially inject deterministic entropy (generated from, e.g., AES-encrypting successive integers) and this would be completely undetectable, even to statistical tests.
IMO the site needs a big, scary disclaimer on the front page that describes what applications it is appropriate for, and which ones should use a more secure source of entropy.
No. The idea is that you use their service as opposed to running something on your own machine, which eliminates you as a nefarious source of hanky-panky. Think about running their list randomizer to pick one or more names from, say, a list of raffle entrants. The "trust" isn't that the result is going to be cryptographically random or anything like that, it's just an external service you can't monkey with, which avoids accusations of cheating.
>anyone genuinely concerned with security should not trust anyone else (including RANDOM.ORG) to generate their cryptographic keys.
But the problems go beyond cryptographic keys. If you use RANDOM.ORG to pick lottery winners, you're trusting that the numbers you get are as truly random as they claim. In particular, the operators of RANDOM.ORG could trivially inject deterministic entropy (generated from, e.g., AES-encrypting successive integers) and this would be completely undetectable, even to statistical tests.
IMO the site needs a big, scary disclaimer on the front page that describes what applications it is appropriate for, and which ones should use a more secure source of entropy.