diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 324dd11e301942..7255344276d73d 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -76,10 +76,16 @@ void CheckEntropy() {
 bool EntropySource(unsigned char* buffer, size_t length) {
   // Ensure that OpenSSL's PRNG is properly seeded.
   CheckEntropy();
-  // RAND_bytes() can return 0 to indicate that the entropy data is not truly
-  // random. That's okay, it's still better than V8's stock source of entropy,
-  // which is /dev/urandom on UNIX platforms and the current time on Windows.
-  return RAND_bytes(buffer, length) != -1;
+  // If RAND_bytes() returns 0 or -1, the data might not be random at all. In
+  // that case, return false, which causes V8 to use its own entropy source. The
+  // quality of V8's entropy source depends on multiple factors and we should
+  // not assume that it is cryptographically secure (even though it often is).
+  // However, even if RAND_bytes() fails and V8 resorts to its potentially weak
+  // entropy source, it really does not matter much: V8 only uses the entropy
+  // source to seed its own PRNG, which itself is not cryptographically secure.
+  // In other words, even a cryptographically secure entropy source would not
+  // guarantee cryptographically secure random numbers in V8.
+  return RAND_bytes(buffer, length) == 1;
 }
 
 int PasswordCallback(char* buf, int size, int rwflag, void* u) {
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
index 4afae1884fe40e..f1fbd6c2471cbe 100644
--- a/src/crypto/crypto_util.h
+++ b/src/crypto/crypto_util.h
@@ -134,7 +134,7 @@ struct MarkPopErrorOnReturn {
 void CheckEntropy();
 
 // Generate length bytes of random data. If this returns false, the data
-// may not be truly random but it's still generally good enough.
+// might not be random at all and should not be used.
 bool EntropySource(unsigned char* buffer, size_t length);
 
 int PasswordCallback(char* buf, int size, int rwflag, void* u);
diff --git a/src/node.cc b/src/node.cc
index c2bbfb737478aa..9f6a4a6a6abea1 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -980,8 +980,10 @@ std::unique_ptr<InitializationResult> InitializeOncePerProcess(
       return result;
     }
 
-    // V8 on Windows doesn't have a good source of entropy. Seed it from
-    // OpenSSL's pool.
+    // Seed V8's PRNG from OpenSSL's pool. This is recommended by V8 and a
+    // potentially better source of randomness than what V8 uses by default, but
+    // it does not guarantee that pseudo-random values produced by V8 will be
+    // cryptograhically secure.
     V8::SetEntropySource(crypto::EntropySource);
 #endif  // HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
   }