[FFmpeg-devel] [External] Re: Question Regarding Removal of Blowfish from libavutil in FFmpeg

Michael Niedermayer michael at niedermayer.cc
Thu Oct 3 20:40:03 EEST 2024


Hi

On Wed, Oct 02, 2024 at 09:06:46AM +0000, Kumar, Rahul via ffmpeg-devel wrote:
> Thank you for the prompt response.
> 
> The primary reason for removing Blowfish from our codebase is to comply with modern security guidelines and industry standards that discourage the use of outdated cryptographic algorithms, like Blowfish, due to their vulnerabilities.

How do you achieve this by removing av_blowfish* ?

I mean if you have a list of encryption standards and remove the least secure
from the list that makes the choice one has to make more secure (probably)

For example if SSL used Blowfish and you removed it that would make it more secure.

But if you simply remove av_blowfish*, where is the code that would now
use a more secure algorithm ?

If you look at rtmpcrypt it supports Blowfish and XTEA
so if you removed Blowfish (and fixed the code so it still compiles)
you would now use XTEA. I don't think that's an improvement in security

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I am the wisest man alive, for I know one thing, and that is that I know
nothing. -- Socrates