[FFmpeg-devel] Fix NTP time in RTCP SR packets

Reimar Döffinger Reimar.Doeffinger
Mon Feb 18 20:56:07 CET 2008


Hello,
On Mon, Feb 18, 2008 at 07:16:41PM +0100, Michael Niedermayer wrote:
> On Mon, Feb 18, 2008 at 12:56:01PM +0100, Reimar Döffinger wrote:
> > On Mon, Feb 18, 2008 at 09:18:42AM +0100, Luca Abeni wrote:
> > > Summing up, an "av_gettime_more_secure() based" solution is ok in a large
> > > number of cases, but not always...
> > > I believe the AVFMT_FLAG_USE_TIME flag can solve the problem, but I do not
> > > know if it is overkill. What do you think about it?
> > 
> > Maybe it does not matter much in this server case, but in general I
> > think a flag to distinguish between the "I want to keep as much
> > information/as many features as possible" and "I want to create a file I'd like
> > to publish (almost) anonymously" modes of operation would be desirable.
> 
> The max anonymity is always default, I just think you are overparanoid with
> the time in the case of streaming. It's not as if this would be stored in a
> file ...

I mostly admitted to that, at least I intended to. Nevertheless, the
specification does not really require this information, so being able to
suppress it might be helpful for testing as well.

> Also I am curious, can you point at a concrete case where knowing the exact
> time of a system would significantly weaken its security?

How "concrete"?
Probably the answer is "no".
Though I know that some people have been stupidly using srand(time)
for security-critical stuff (knowing exact time would only make it
slightly easier to exploit though).
And as I said, like this you could easily detect systems with a
completely wrong system clock (usually not easy to exploit either
though, but at least you then know it is a system nobody looks after
properly).

Greetings,
Reimar Döffinger
