On Wed, Jul 23, 2025 at 08:40:22PM +0200, Nicolas George wrote:
> Michael Niedermayer (HE12025-07-23):
> > the fix for this is to check crt.sh
> >
> > example: https://crt.sh/?q=ffmpeg.org
> >
> > and if there are or were correct certificates, reject the self signed one
> > otherwise allow self signed by default with a warning
>
> “502 Bad Gateway”

there are others like https://osint.sh/crt/

> I doubt it can be a fix for anything.
>
> Anyway, that cannot be a fix:
> - the site could get compromised;

I think modifying these logs in an undetectable way is cryptographically
not simple
https://certificate.transparency.dev/howctworks/

> - our users might not trust them;

The "Certificate Transparency" ?
there should be no trust involved here. It's just an append-only log of all
certificates

If you meant that the user might not trust a self signed certificate, even if
there never was a better certificate, then the user cannot access the url in
question if that's the only certificate the target url provides

> - the site could be down;

that's detectable and then no self signed certificate would be accepted by
default

> - internet access might not be available;

that's detectable and then no self signed certificate would be accepted by
default

> - the extra latency might be unacceptable;

agree but note, this was a somewhat hypothetical suggestion. I think it's an
interesting idea. I don't expect anyone is going to just implement it like
this. The shit performance of these public sites is one problem that would
need to be solved first

> - …
>
> And it is our users' absolute right to access sites with self-signed or
> invalid certificate, starting with sites they operate themselves in test
> environments, without the say-so of any other site.

agree but that should not be default for a https url. People today expect
https to be secure

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do ? Blow himself up
What's the most stupid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
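Added example, not part of the original message and not FFmpeg code: a sketch of the decision policy discussed in the thread (reject a self-signed certificate when a logged certificate exists or existed for the host, fail closed when the lookup cannot be completed, otherwise accept with a warning). The function names, the `Decision` enum and the sample data are hypothetical; it assumes the lookup returns a JSON array whose entries carry a newline-separated `name_value` field, as crt.sh's JSON output does.

```python
import json
from enum import Enum

class Decision(Enum):
    REJECT = "reject"
    ACCEPT_WITH_WARNING = "accept-with-warning"

def name_matches(pattern, host):
    """Match a logged DNS name against host; '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = host.split(".", 1)
        return len(rest) == 2 and rest[1] == pattern[2:]
    return pattern == host

def decide_self_signed(host, ct_json):
    """ct_json is the log-search response body, or None if the lookup failed."""
    if ct_json is None:
        return Decision.REJECT  # site down or no internet access: fail closed
    try:
        entries = json.loads(ct_json)
    except ValueError:
        return Decision.REJECT  # non-JSON body, e.g. an HTML "502 Bad Gateway" page
    if not isinstance(entries, list):
        return Decision.REJECT
    for entry in entries:
        if not isinstance(entry, dict):
            return Decision.REJECT  # unexpected shape: do not guess
        # Expired entries count too: the policy is "there are or were" certificates.
        names = str(entry.get("name_value", "")).splitlines()
        if any(name_matches(n.strip(), host) for n in names):
            return Decision.REJECT
    return Decision.ACCEPT_WITH_WARNING

# Constructed sample response (not real log data).
SAMPLE = json.dumps([
    {"name_value": "example.test\nwww.example.test", "not_after": "2024-01-01T00:00:00"},
    {"name_value": "*.media.example.test", "not_after": "2026-01-01T00:00:00"},
])
```

Every failure path returns `REJECT`, so an unreachable or misbehaving lookup service can never widen what is accepted by default.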