On Mon, Nov 11, 2024 at 10:02:27AM +0000, Derek Buitenhuis wrote:
> On 11/10/2024 2:59 PM, Michael Niedermayer wrote:
> > It's been there for a long time:
> > https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/HEAD:/doc/infra.txt
> > [...]
> >
> > If something is missing, it's not going to improve on its own.
> > Someone will have to say _what_ is missing and work toward filling it in.
>
> Pretty hard to list infra you don't know exists.
>
> For example, I only recently noticed ffmpeg.org goes through avcodec.org DNS:
>
> ns1.avcodec.org - telepoint.bg
> ns2.avcodec.org - KIFU (Government Info Tech Development Agency)
> ns3.avcodec.org - CDLAN SpA
>
> Who owns avcodec.org? Who runs these DNS servers? Who has access? Who has
> contacts?
>
> It's a supply chain attack risk - you could hijack ffmpeg.org per IP or Geo.
Publicly listing which developer provides which part of the DNS infra makes
it easier to attack, not harder. That said, I suspect who provides what was
mentioned in the past already.

If an attacker doesn't know who provides a server, then the attacker can only
attack the server directly via its name and IP. If an attacker knows who owns
the server, then he can perform a wide range of additional attacks. For
example, impersonating that developer towards the server hoster, or, if the
attacker can figure out the phone number of the developer, then SIM swapping
becomes possible. From that, various other accounts can then be taken over,
and once an attacker is in control of the phone and email of someone, further
account compromises become increasingly easy.

I do not think we would be doing FFmpeg a service or improve security by
listing everyone's names in a public file. Even if most of this probably was
said publicly already, having it in one single place makes it even easier for
an attacker.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
signature.asc
Description: PGP signature
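The delegation Derek describes (ffmpeg.org served by nameservers under a different domain, avcodec.org) is the kind of dependency a project can audit for itself: ask for the zone's NS records and flag every nameserver whose name is not under the zone being queried. The script below is an added example written for this page, not code from the thread or from the FFmpeg project. It uses only the Python standard library, builds a raw DNS NS query, and parses the reply including RFC 1035 name compression. The embedded reply is constructed for illustration (it reuses the names quoted in the thread but is not a real capture), the resolver address 9.9.9.9 is an arbitrary public-resolver choice, and the live `query_ns` path is optional and needs network access.

```python
"""Out-of-zone NS delegation check, stdlib only (added example, not FFmpeg code)."""
import os
import socket
import struct
import sys

QTYPE_NS, QCLASS_IN = 2, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ns_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by QNAME/QTYPE=NS/QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (lowercased name, offset just past it).

    The returned offset is where the caller resumes in the *original* position,
    i.e. right after the first compression pointer if one was followed."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels).lower(), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_ns_response(msg: bytes, zone: str) -> list[str]:
    """Return NS target names from the answer section of a reply for `zone`."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    if flags & 0x0200:
        raise ValueError("truncated reply (TC set); retry over TCP")
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
        if qname != zone.rstrip(".").lower():
            raise ValueError(f"question name {qname!r} does not match {zone!r}")
    names = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_NS:
            names.append(read_name(msg, off)[0])
        off += rdlen
    return names


def out_of_zone(zone: str, nameservers: list[str]) -> list[str]:
    """Nameservers not at or below `zone`: a delegation to someone else's domain."""
    zone = zone.rstrip(".").lower()
    return [ns for ns in nameservers if not (ns == zone or ns.endswith("." + zone))]


def build_sample_response() -> bytes:
    """Constructed reply for ffmpeg.org with three NS records; records 2 and 3 compress
    the 'avcodec.org' suffix with a pointer into record 1 to exercise read_name."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # QR, RD, RA; 3 answers
    msg += encode_name("ffmpeg.org") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    qname_ptr = struct.pack("!H", 0xC000 | 12)  # owner name points at the question
    rdata1 = encode_name("ns1.avcodec.org")
    msg += qname_ptr + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, len(rdata1))
    avcodec_off = len(msg) + 4  # 'avcodec.org' starts after the 4-byte 'ns1' label
    msg += rdata1
    for label in (b"\x03ns2", b"\x03ns3"):
        rdata = label + struct.pack("!H", 0xC000 | avcodec_off)
        msg += qname_ptr + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


def query_ns(zone: str, resolver: str = "9.9.9.9", timeout: float = 3.0) -> list[str]:
    """Live UDP lookup (not run offline). Resolver choice is arbitrary; no EDNS, so
    large zones may come back truncated and parse_ns_response will say so."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ns_query(zone, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_ns_response(data, zone)


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "ffmpeg.org"
    servers = query_ns(zone) if len(sys.argv) > 1 else parse_ns_response(build_sample_response(), zone)
    for ns in servers:
        print(f"{zone} NS {ns}" + ("  <-- outside zone" if ns in out_of_zone(zone, servers) else ""))
```

Run without arguments it works entirely from the constructed reply and flags all three avcodec.org servers as outside ffmpeg.org; pass a zone name as the first argument to query a live resolver instead. The check only answers the narrow question of where the delegation points; who operates those hosts, and who can change the parent-side NS records, still has to be established out of band.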
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".