undefined | Better HN

0 pointsmaxcoder42y ago0 comments

The idea behind "security thorough obscurity" is that even if the adversary knows everything about your setup *except the secret keys*, you should be secure. Security through obscurity is any method of protection other than the secret key, like for example: * serving ssh on a random high port * using a custom secret encryption algorithm * hosting an unauthenticated service on a secret subdomain in hope nobody will find out * or with a long directory name

Some security thorough obscurity is OK (for example high ports or port knocking help buy time when protecting from a zeroday on the service). It's just that relying only on the security thorough obscurity is bad.

In this case, I wouldn't call URLs with embedded key security through obscurity, just a poor key management.

0 comments

fiddlerwoaroof2y ago

But, this is just relying on the obscurity of the key: all security comes down to some form of secret knowledge. It’s just better to use a space that’s hard to enumerate than a low-cardinality space: if we had 1024 bits of port numbers, picking a random port would be as hard to crack as a 1024 bit encryption key.

j / k navigate · click thread line to collapse

0 comments

fiddlerwoaroof2y ago

j / k navigate · click thread line to collapse