[FFmpeg-devel] [PATCH] doc/infra: List at what companies the name servers are hosted and who provides the servers
Vittorio Giovara
vittorio.giovara at gmail.com
Wed Nov 27 22:56:05 EET 2024
On Wed, Nov 27, 2024 at 11:56 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> Hi Kieran
>
> On Wed, Nov 27, 2024 at 12:01:03AM +0000, Kieran Kunhya via ffmpeg-devel
> wrote:
> > On Tue, 26 Nov 2024, 23:32 Michael Niedermayer, <michael at niedermayer.cc>
> > wrote:
> >
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > > doc/infra.txt | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/doc/infra.txt b/doc/infra.txt
> > > index 08dcf04c307..71ad7a7db02 100644
> > > --- a/doc/infra.txt
> > > +++ b/doc/infra.txt
> > > @@ -9,9 +9,9 @@ ffmpeg trademark registered in france by ffmpeg
> creator.
> > > Domain + NS:
> > > ~~~~~~~~~~~~
> > > ffmpeg.org domain name
> > > -ns1.avcodec.org Primary Name server (bulgaria)
> > > -ns2.avcodec.org Replica Name server (hungary)
> > > -ns3.avcodec.org Replica Name server (italy)
> > > +ns1.avcodec.org Primary Name server (provided by Telepoint, hosted at
> > > Telepoint in bulgaria)
> > > +ns2.avcodec.org Replica Name server (provided by an ffmpeg developer,
> > > hosted at Hetzer in germany)
> > > +ns3.avcodec.org Replica Name server (provided by an ffmpeg developer,
> > > hosted at Prometeus Cdlan in italy)
> >
> >
> > Hi Michael,
> >
> > Can you add the owner of avcodec.org as this obviously matters too as
> they
> > could change the nameserver IPs if they wished.
>
> avcodec.org is owned by an ffmpeg developer. I belive many people know
> who owns it. root should know it, jb definitly did know it.
>
> Theres no issue with making the name public in principle, its just
> better for security, not to have a public document that an attacker
> can go through and know exactly who owns what.
>
You are basically describing
https://en.wikipedia.org/wiki/Security_through_obscurity which is frowned
upon and a highly criticized practice.
> From a name an attacker can often find a phone number and other things
> Once an attacker has a phone number they can do a sim swap attack.
> This depends on the carrier/phone company. But it did in the past
> require only the phone number and had no defence with some.
>
> Also even when SMS is not used as 2FA, ownership of phone and email
> can sometimes be enough to reset a password & 2FA
>
> This maybe doesnt work for any domain owner/phone company relevant for us.
> But its still a non 0 risk, so i would prefer not to have a public list of
> names for who owns what server.
>
Phone and SIM is not the only way to 2FA - you can install an authenticator
app that offers protection against the scenario you describe.
--
Vittorio
More information about the ffmpeg-devel
mailing list