[FFmpeg-devel] Fix NTP time in RTCP SR packets
Fri Feb 15 12:02:21 CET 2008
On Fri, Feb 15, 2008 at 11:30:36AM +0100, Luca Abeni wrote:
> Reimar Döffinger wrote:
> > Uh, as I understand it, this sends out the local time with usec
> > precision. The server sure as hell does not know that, and it could e.g.
> > be used to guess values if someone uses a stupid random number
> > generator, system/network load and other things.
> > IOW this is one of the things everyone planning a side-channel attack
> > just dreams of.
> I do not fully understand the problem here, but I believe you
> because I am no expert in security.
> I am just surprised, because you are basically saying that all
> the RTSP servers in the world have security problems (I checked
> a lot of implementations, and they all properly fill the NTP
These things are not in general exploitable, esp. not in a way that can
be generalized to take over lots of servers.
But it does allow to get additional information about a PC, which will
always weaken security.
Side-channel attacks are always a fickle thing and it is rather unlikely
that someone will actually be affected by one, but I still do not like
things that make it easier - mostly since I can't avoid the feeling that
this is there because someone was too lazy to think of a good solution
instead of a quick hack.
Also, the examples that I have for using this only make it easier to
exploit an already given weakness (bad random number generator,
detecting a wrong local time that would allow to use expired
So to summarize: I do not want to claim that this is a security problem
itself, but I feel like it might weaken the security and confidentiality
of the system as a whole and ease exploiting existing problems, thus I
do not feel good with it being enabled by default.
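
Added example, not part of the original message and not FFmpeg code: the 64-bit NTP timestamp layout of an RTCP SR (RFC 3550), showing that a receiver recovers the sender's clock to the microsecond, beside a coarsened variant. The function names, the granularity parameter and the sample time value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01). */
#define NTP_UNIX_OFFSET 2208988800ULL

/* Sender side: Unix time in microseconds -> 64-bit NTP timestamp
 * (upper 32 bits: seconds since 1900, lower 32 bits: binary fraction). */
uint64_t usec_to_ntp(uint64_t unix_usec)
{
    uint64_t sec  = unix_usec / 1000000 + NTP_UNIX_OFFSET;
    uint64_t frac = ((unix_usec % 1000000) << 32) / 1000000;
    return (sec << 32) | frac;
}

/* Receiver side: what any peer can compute from the SR field.
 * Rounding up undoes the truncation in usec_to_ntp(), so the
 * sender's microsecond value comes back exactly. */
uint64_t ntp_to_usec(uint64_t ntp)
{
    uint64_t sec  = (ntp >> 32) - NTP_UNIX_OFFSET;
    uint64_t frac = ntp & 0xffffffffULL;
    return sec * 1000000 + ((frac * 1000000 + 0xffffffffULL) >> 32);
}

/* Hypothetical coarsened variant (an assumption, not an existing option):
 * round the clock down to a multiple of granularity_usec before encoding,
 * so the low-order digits of the local clock are not sent. */
uint64_t usec_to_ntp_coarse(uint64_t unix_usec, uint64_t granularity_usec)
{
    return usec_to_ntp(unix_usec - unix_usec % granularity_usec);
}

int main(void)
{
    uint64_t now = 1203073341123456ULL;   /* constructed sample clock value */

    printf("sender clock      : %llu us\n", (unsigned long long)now);
    printf("seen via full NTP : %llu us\n",
           (unsigned long long)ntp_to_usec(usec_to_ntp(now)));
    printf("seen via 1 ms step: %llu us\n",
           (unsigned long long)ntp_to_usec(usec_to_ntp_coarse(now, 1000)));
    return 0;
}
```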