Questions tagged [obscurity]

Security through obscurity means relying on the secrecy of the design of a system to keep it secure. Kerckhoffs's principle states that the security of a system should not rely only on obscurity.

Security through obscurity means keeping the design of a system secret in the hope to make the system more secure.

Kerckhoffs's principle states that the security of a cryptographic system must not rely only on keeping its design secret, but primarily on keeping the key secret.

88 questions
109
votes
8 answers

My school wants to keep the details of our door authentication system a secret. Is that a good idea?

So, I am designing a door authentication system (can't really go into more detail) for our school, so that only authenticated persons can go through a certain internal door. They hold that its inner workings should be kept a secret, so that no one…
PyRulez
108
votes
15 answers

At what point does something count as 'security through obscurity'?

So, I keep finding the conventional wisdom that 'security through obscurity is no security at all', but I'm having the (perhaps stupid) problem of being unable to tell exactly when something is 'good security' and when something is just 'obscure'. I…
root
102
votes
16 answers

Security BY obscurity is horrible. Is security AND obscurity good?

Normally I preach that rolling your own custom crypto algorithm is a bad idea. But will it really hurt if it's the outermost layer though? Or will it make security worse? AES -> CipherText -> CustomEncryptionAlgorithm-> CipherText I'm thinking…
user3280964
100
votes
10 answers

Does it improve security to use obscure port numbers?

I recently started a job at a small company where the CTO prefers to host SSH services at obscure, high numbered ports on our servers rather than the well known port 22. His rationale is that "it prevents 99% of script kiddy attacks." I'm curious…
William Rosenbloom
91
votes
8 answers

How would one crack a weak but unknown encryption protocol?

I was reading this interesting question: Is my developer's home-brew password security right or wrong, and why? It shows a weak home-brew algorithm developed by "Dave", and the answers discuss why this is a bad idea. (Actually hashing algorithm…
Ram Rachum
90
votes
15 answers

How to store passwords written on a physical notebook?

Answers to the question "How safe are password managers like LastPass?" suggest that storing personal passwords on a physical notebook might be a reasonable option: I know someone who won't use Password Safe and instead has a physical notebook…
tmh
56
votes
5 answers

Is open-sourcing the code of a webapp not recommended?

How to find out what programming language a website is built in? How much of a Django application could be reverse-engineered if the owner forgot to turn debug mode off? And other Qs like these ^ . Shortly: It would seem that at least in terms of…
gaazkam
51
votes
6 answers

How valuable is secrecy of an algorithm?

On the surface, the inadvisability of security through obscurity is directly at odds with the concept of shared secrets (i.e. "passwords"). Which is to say: if secrecy around passwords is valuable, then by extension surely it must be of some value…
tylerl
50
votes
7 answers

Doesn't the choice of encryption algorithm add entropy by itself?

Let's say someone has my encrypted data and he wants to decrypt it. People always talk about how the length of the key (e.g. 256 bits) decides about the entropy of the encryption, which totally makes sense. If the attacker tries all 2^256…
Robert
49
votes
6 answers

Is a website published in an obscure directory comparably secure to being placed behind a login?

Let's say I create a microsite for a client that contains confidential business information. We need to place this in a location the client can access, in order for them to approve for launch. If we place this microsite behind a login, we have a…
CodeMoose
47
votes
4 answers

Is publishing your public IP address a security threat?

I work for a large-ish company (thousands of employees across multiple locations). I recently needed to know what the possible public IP addresses are, so that a vendor could identify us (presumably for their firewall). The network guy I spoke with…
Abacus
44
votes
11 answers

Isn't all security "through obscurity"?

I know that one shouldn't rely on "obscurity" for their security. For example, choosing a non-standard port is not really security, but it also doesn't usually hurt to do so (and may help mitigate some of the most trivial attacks). Hashing and…
Matt
44
votes
3 answers

The valid role of obscurity

That security through obscurity is A Bad Thing is received wisdom and dogma in information security. Telling people why something is to be avoided can be considerably more difficult when there is no line delineating what you are trying to ban from…
Bell
43
votes
7 answers

Is suggesting a correct URL in a 404 page bad practice?

I'm currently writing a web application, and my client asked me if it would be possible to suggest a valid URL to the user when they accidentally write a typo in the URL bar, an example of this would go like this: Bob navigates to…
Paradoxis
39
votes
7 answers

Is it a security vulnerability to tell a user what input characters are valid/invalid?

For input validation on a website, are there any security concerns with disclosing to the user exactly what characters are valid or invalid for a given field? CWE-200: Information Exposure says one should try not to disclose information "that could…