diff --git a/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java b/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
index d4e47222594..45fc16849e2 100644
--- a/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
+++ b/jetty-websocket/websocket-client/src/main/java/org/eclipse/jetty/websocket/client/masks/RandomMasker.java
@@ -18,6 +18,8 @@
 package org.eclipse.jetty.websocket.client.masks;
+import java.security.SecureRandom;
+import java.util.Objects;
 import java.util.Random;
 import org.eclipse.jetty.websocket.common.WebSocketFrame;
@@ -28,38 +30,20 @@ public class RandomMasker implements Masker
 public RandomMasker()
 {
- this(null);
+ this(new SecureRandom());
 }
 public RandomMasker(Random random)
 {
+ Objects.requireNonNull(random);
 this.random = random;
 }
 @Override
 public void setMask(WebSocketFrame frame)
 {
- byte[] mask;
- if (random != null)
- {
- mask = new byte[4];
- random.nextBytes(mask);
- }
- else
- {
- // This is a weak random, but sufficient for a mask.
- // Using a SecureRandom would result in lock contention
- // Using a Random is as more predictable than this algorithm
- // Using a onetime random is essentially a system time.
- int pseudoRandom = (int)(System.identityHashCode(frame.hashCode()) ^ System.nanoTime());
- mask = new byte[]
- {
- (byte)pseudoRandom,
- (byte)(pseudoRandom >> 8),
- (byte)(pseudoRandom >> 16),
- (byte)(pseudoRandom >> 24),
- };
- }
+ byte[] mask = new byte[4];
+ random.nextBytes(mask);
 frame.setMask(mask);
 }
 }
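Review bot: The `RandomMasker(Random random)` constructor in the second hunk still accepts any `java.util.Random`, so a caller can pass a seeded or non-cryptographic generator and get predictable masks even though the default is now `SecureRandom`; RFC 6455 section 5.3 requires the masking key to be unpredictable and derived from a strong source of entropy. I would add Javadoc on that constructor along the lines of `@param random source of mask bytes; should be a SecureRandom, a plain java.util.Random yields predictable masks`. The new null check also changes behaviour for existing callers of `new RandomMasker(null)`, which used to select the fallback path and now throws, so name the argument in the failure: `this.random = Objects.requireNonNull(random, "random");`. The removed comment cited lock contention with `SecureRandom`; one instance is now shared by every frame this masker handles, which may be worth measuring under concurrent sends.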