[FFmpeg-devel] FFmpeg 8.0 Release
Michael Niedermayer
michael at niedermayer.cc
Thu Jul 24 02:58:42 EEST 2025
On Wed, Jul 23, 2025 at 08:40:22PM +0200, Nicolas George wrote:
> Michael Niedermayer (HE12025-07-23):
> > the fix for this is to check crt.sh
> >
> > example: https://crt.sh/?q=ffmpeg.org
> >
> > and if there are or were correct certificates, reject the self signed one
> > otherwise allow self signed by default with a warning
>
> “502 Bad Gateway”
there are others like
https://osint.sh/crt/
> I doubt it can be a fix for anything.
>
> Anyway, that cannot be a fix:
> - the site could get compromised;
I think modifying these logs in an undetectable way is cryptographically not simple
https://certificate.transparency.dev/howctworks/
> - our users might not trust them;
The "Certificate Transparency" ? there should be no trust involved here.
It's just an append only log of all certificates
If you meant that the user might not trust a self signed certificate,
even if there never was a better certificate, then the user cannot
access the url in question if that's the only certificate the target url
provides
> - the site could be down;
that's detectable and then no self signed certificate would be accepted by default
> - internet access might not be available;
that's detectable and then no self signed certificate would be accepted by default
> - the extra latency might be unacceptable;
agree
but note, this was a somewhat hypothetical suggestion. I think it's an interesting
idea. I don't expect anyone is going to just implement it like this.
The shit performance of these public sites is one problem that would need to be
solved first
> - …
>
> And it is our users' absolute right to access sites with self-signed or
> invalid certificate, starting with sites they operate themselves in test
> environments, without the say-so of any other site.
agree but that should not be default for a https url.
People today expect https to be secure
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What's the most stupid thing your enemy could do ? Blow himself up
What's the most stupid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.
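
Added example (not part of the original message, and not FFmpeg code): the policy discussed above, in Python, run on constructed data. It assumes a crt.sh-style JSON search result whose entries carry a newline-separated name_value field; the function and enum names are hypothetical, and a failed or unparseable lookup rejects the self-signed certificate.

```python
import json
from enum import Enum

class Verdict(Enum):
    REJECT = "reject"
    ALLOW_WITH_WARNING = "allow-with-warning"

def name_matches(pattern, host):
    """Compare one logged DNS name with host; '*' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def self_signed_policy(host, ct_response):
    """ct_response: raw body of the log search, or None if the lookup failed."""
    if ct_response is None:
        return Verdict.REJECT            # site down or no internet: fail closed
    try:
        entries = json.loads(ct_response)
    except ValueError:
        return Verdict.REJECT            # e.g. an HTML "502 Bad Gateway" page
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        return Verdict.REJECT            # unexpected shape: treat as failed lookup
    for entry in entries:
        # Assumed field: all names of one certificate, newline-separated.
        # Expired entries count too ("are or were"), so dates are not checked.
        for name in str(entry.get("name_value", "")).split("\n"):
            if name.strip() and name_matches(name.strip(), host):
                return Verdict.REJECT    # a CA-issued certificate was logged
    return Verdict.ALLOW_WITH_WARNING    # nothing ever logged for this host

# Constructed sample data, not real log entries.
SAMPLE = json.dumps([
    {"issuer_name": "CN=Constructed Issuing CA",
     "name_value": "media.example.org\n*.cdn.example.org",
     "not_after": "2024-01-01T00:00:00"},
])

if __name__ == "__main__":
    for h in ("media.example.org", "a.cdn.example.org", "test.example.org"):
        print(h, self_signed_policy(h, SAMPLE).value)
    print("lookup failed", self_signed_policy("test.example.org", None).value)
```

The name comparison matters because a log search for a domain can also return entries for its subdomains, which say nothing about the host being connected to.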