Posted by mobeigi 6 days ago

Security through obscurity is not bad(mobeigi.com)
205 points | 214 comments | page 4
corvad 6 days ago
Security through obscurity is bad. Security AND obscurity is fine. There's a very clear distinction here.
WesolyKubeczek 6 days ago
Security through obscurity is only bad when it’s the only measure used. If proper security is also in place, it is the cherry on top.

For example, while I know that ssh bruteforcing bots won’t enter my server no matter how much they try, putting ssh on a non-standard port reduces the number of tries to zero.

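Added example, not code from the thread or from the linked post: a small Python auditor for an sshd_config that keeps the "proper security" checks (password authentication off, root login not permitted) separate from the obscurity layer (a non-standard port, reported as informational only). The two sample configs and the audit rules are constructed for illustration. One caveat it deliberately encodes is sshd's first-value-wins rule: for each keyword sshd uses the first value it reads, so a later `Port 22` does not undo an earlier `Port 2222`, and directives after a `Match` line are conditional and are skipped by the global audit.

```python
"""Audit a sshd_config for real hardening plus the obscurity layer.

Added example, not from the original page. Assumptions: sshd_config syntax
(leading '#' comments, 'Keyword value' or 'Keyword=value', first value wins,
everything after a 'Match' line is conditional). The audit rules and defaults
below are this example's own choices, not an official checklist.
"""
import re

# Constructed sample: keys only, root locked out, non-standard port.
SAMPLE_CONFIG = """\
# Hardened host
Port 2222
# sshd keeps the first value, so the next line is ignored
Port 22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
MaxAuthTries 3

Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: defaults left in place, password logins allowed.
WEAK_CONFIG = """\
#Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return global directives as {keyword_lower: value}, first value wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only honours leading '#'
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                               # conditional block: stop here
        directives.setdefault(key, value)       # first occurrence wins
    return directives


def audit(directives):
    """Return [(severity, message)], real security first, obscurity last.

    Defaults mirror sshd: PasswordAuthentication yes, PermitRootLogin
    prohibit-password, Port 22 (assumed here for the audit).
    """
    findings = []
    if directives.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("high", "PasswordAuthentication is not 'no': "
                                 "brute force is possible"))
    if directives.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("high", "PermitRootLogin yes: root is a guessable target"))
    if directives.get("port", "22") == "22":
        findings.append(("info", "sshd listens on 22: expect bot noise; "
                                 "this is not itself a vulnerability"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)))
```

The port finding is kept at `info` on purpose: a missing `PasswordAuthentication no` is what lets a brute-forcer in, while the port only changes how much of it reaches the daemon.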
blamestross 5 days ago
I feel like nobody actually understands the real reason security through obscurity is so bad. It results in dead cryptographers. The implementor becomes the weakest link in the chain, and entities with a tolerance for violence can fix that problem.
costco 6 days ago
reCAPTCHA is a great success story of security through obscurity because probably fewer than 100 people have reverse engineered it, and far fewer than that have produced a working solver for it that doesn't require a headless browser. Snapchat would be another good example - almost no one is going to put in the work to understand this [0]. Most companies just half-ass it though and accordingly achieve nothing with the obscurity at all besides worse performance.

[0] https://web.archive.org/web/20201128060507/https://hot3eed.g...

EGreg 6 days ago
Kerckhoffs would beg to disagree. Please do not refuse a beggar: https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
nobrains 6 days ago
My take: Do proper security, but if you are short on time or resources, you can start with security through obscurity, to block a few percentage of attacks, and then when you have time and resources, go ahead and add the proper security measures.
dataflow 6 days ago
I could see AI massively changing the calculus here. Its ability to hack and reverse-engineer (even obfuscated) artifacts may leave obscurity (read: not sharing code or binaries at all) as the primary security mechanism in the industry.
FrasiertheLion 6 days ago
Yeah everything is open source if you’re good at reversing. Models are increasingly capable of converting binaries into source, and excellent at implementing systems when there’s a finite and constrained end state to validate against, which is exactly the profile reversing falls into.
golem14 6 days ago

   I am the Modern Man (Secret, secret, I've got a secret)
   Who hides behind a mask (Secret, secret, I've got a secret)
   So no one else can see (Secret, secret, I've got a secret)
   My true identity
keithnz 6 days ago
One thing I like about some layer of obscurity is not so much anyone directly attacking you, it's someone generically attacking you because you happened to use a common thing that someone finds a security hole with.