0

I have heard that "Security by Obscurity" is bad. And I have always agreed with it.

But today I had a coworker disagree when in consideration of links. He was arguing that a link with obscure values in it is as good as a password and is more convenient than needing a custom login. (More than just a Guid, he was arguing generated key values intended to be non-predictable.)

In an attempt to prove him wrong, I did the math. A standard English QWERTY keyboard has:

  • 52 chars
  • 28 special chars
  • 10 numbers

That is a total of 90 possible values for each char in a link. If a link has between 8-15 chars that are the "Obscure" part, that means there are (90^15)-(90^8) possible obscure values. That is a total of 205,891,132,094,644,695,327,900,000,000 possible values.

If I set up a server farm attempting to sniff out these links, I would need to make 6,528,764,970,022,979,938 requests a millisecond to try them all in a year. (Which would trigger DDoS prevention protocols.) Assuming that I would use up a max of 1 million of the possible values, that means that the odds of guessing a correct value is 0.0000000000000000000048%.

As I look at this, it seems similar in nature to the security levels of using a password.

So, assuming the link itself is given out in a manner as secure as a password is given out, it seems that an "Obscure Link" IS secure.

Have I misunderstood "Security by Obscurity" when I included obscure links in that grouping? (I am starting to think this, because it is not the way the link is constructed that is the security; it is the "password" embedded into the link that provides the security.)

My question here is to ask "am I missing something?" Is there a reason that "Obscure Links" should not be used as security?

Vaccano
  • 101
  • 4
  • 5
    Does this answer your question? [Is including a secret GUID in an URL Security Through Obscurity?](https://security.stackexchange.com/questions/36870/is-including-a-secret-guid-in-an-url-security-through-obscurity) – Xander Dec 02 '21 at 16:45
  • @Xander- While similar, that question has the assumption that a browser is not used. And that seems to be a big assumption to the answerers. But they only allude to why. I am asking about using this in a normal browser (Edge, Chrome, Firefox etc) – Vaccano Dec 02 '21 at 17:34
  • 1
    Several of the answers do presume a browser. Another duplicate here: [Is a website published in an obscure directory comparably secure to being placed behind a login?](https://security.stackexchange.com/questions/89108/is-a-website-published-in-an-obscure-directory-comparably-secure-to-being-placed) – Xander Dec 02 '21 at 19:09
  • never take a catch-phrase too far... in many ways obscurity IS security, which you've just proved. That link is more secure than most passwords... though, someone might see it in a log and think to themselves, "hmm... wonder what that is, let's check it out." Maybe make it one-time use, or also secure it with password. – pcalkins Dec 03 '21 at 00:18

2 Answers

7

That's not what "obscurity" means.

When people say "Security by Obscurity", they mean that a system derives its sense of security from third parties not knowing how it works.

For example, imagine the following URL:

https://example.com/Items/cf3616c322e66591b98b01b9c3c5b3df/Download?api_key=11db5023a7c54b0b450781ce46c8f123

You see that an "Item" is defined first by a 256-bit long key, and then the entire client is further identified by a 256-bit long key. These keys are randomly generated and it's considered impossible for an attacker to just randomly guess them.

Now instead, compare that to the following URL:

https://example.com/Items/13/Download

Instead of being 256-bit long values, the "Item" is identified by an incrementing integer. The idea that this is somehow "safe, because nobody knows the URL to it" is security by obscurity.

So, when is it and when is it not obscurity?

You achieved "Security by Design" if you could give an attacker your entire source code or any other supplementary information, except key material. Key material being passwords, private keys, secret keys, etc...

If you think "We can't make this public or it will make our system vulnerable" for any other aspect other than key material, you have security by obscurity. This includes "proprietary algorithms", URL schemes, etc...

2

> My question here is to ask "am I missing something?" Is there a reason that "Obscure Links" should not be used as security?

One very important reason is that URLs are routinely logged by all sorts of devices (load balancers, proxies, end-user devices, WAFs, network firewalls, device firewalls, cloud application platforms, etc etc), so shouldn't be used for secrets unless it's a one-time code.

Even then you'd want to mitigate the risk of capture, perhaps by making it time limited or offering a reduced service (e.g. https://web.monzo.com - which uses a one-time link to authenticate - only allows read-only access to transaction history).

Gethin LW
  • 71
  • 3
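The mitigations raised in the answers above (randomly generated key material, one-time use, a time limit, and keeping the secret out of logs) can be combined as in the following sketch. It is an added example, not code from either answer or from any service mentioned. The function names, the `token` query parameter, the 15-minute lifetime and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import re
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; choose per use case
_store = {}                  # sha256(token) -> expiry; stands in for a database table


def _digest(token):
    # Only the hash is persisted, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(base_url, now=None):
    """Return a link carrying 256 bits drawn from the OS CSPRNG."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
    _store[_digest(token)] = now + TOKEN_TTL_SECONDS
    return f"{base_url}?token={token}"


def redeem(token, now=None):
    """Accept a token at most once, and only before it expires."""
    now = time.time() if now is None else now
    expiry = _store.pop(_digest(token), None)  # pop() makes the token single-use
    return expiry is not None and now <= expiry


_TOKEN_PARAM = re.compile(r"([?&]token=)[^&\s\"]+")


def redact(log_line):
    """Replace the token value before a request line is written to a log."""
    return _TOKEN_PARAM.sub(r"\1[REDACTED]", log_line)


if __name__ == "__main__":
    link = issue_link("https://example.com/download")
    tok = link.split("token=")[1]
    print(redeem(tok), redeem(tok))  # first use succeeds, replay fails
    # Constructed sample access-log line:
    print(redact('GET /download?token=abc123&page=2 HTTP/1.1'))
```

Redaction only covers logs the service itself writes; proxies, browser history and other intermediaries still see the full URL, which is why the single-use and expiry checks carry the real weight.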