Security by obscurity is not security at all. Thinking you were safe because “people didn’t know about it” is not safety at all! Bad people are going to be bad. They don’t need AirTags for that. Knowing it can happen is far better for everyone to know about than living in a false sense of security.
rsj_hn|4 years ago
So for example, without cryptography you'd need to secretly pass a message by courier who might take a secret route, constantly changing his route and delivery time. With cryptography, you can encrypt and sign the message, and then broadcast it over an insecure channel. The second option is much easier than the first. So the whole enterprise of cryptography is based on the principle of abandoning the confidentiality of the protocols themselves.
But there are many situations that require security which are outside of cryptography, because the security of the overall system cannot be reduced to high entropy secrets, and in that case, there is some security benefit that is obtained from obscurity.
For example, we are concerned about username enumeration because we understand users choose weak passwords that might be found in databases, so we do not publish usernames and consider it a vulnerability when usernames are leaked.
As another example, we consider information disclosure consisting of stacktraces leaked to the user to be a vulnerability.
Similarly, there are data centers that cannot just get up and move, and so locations and protocols of these installations are also kept secret.
So while it's true that things which are hard to change should not rely on secrecy in order to maintain their security level, and we should constantly be improving and hardening our protocols so that they can resist public scrutiny, nevertheless it's not the case that all protocols have been or are able to be improved so that their security properties are reducible to high entropy bit strings - in fact most systems don't fall into this category and most will never fall into this category - and for these systems, part of the security will continue to rely on obscurity, even though we are painfully aware of the drawbacks of this approach.
ted_dunning|4 years ago
For instance, suppose you have a system that uses the latest well-known encryption algorithm. You keep the keys secure. Of course.
Now suppose you have an alternative version of the system which super-enciphers all traffic with a fixed and physically protected key. Clearly, if that key is known then the system is no harder to attack than a system without the super-encryption. If the key to the super-encryption is not known, this adds considerable security against, say, successful key interception. Essentially, you are adding diversity of mechanism so that attackers have to multiply and diversify their attacks.
So security-by-obscurity can be a useful adjunct. It just can't be the whole story. Also, it isn't something you should talk about which means that the conversation about such techniques tends to be dominated by people who don't have practical experience with expert and well-financed adversaries.
The intelligence community is very well aware of these factors. That's why they try to protect the integrity of their hardware so much. That also why they don't talk much about the pragmatic aspects of their encryption machines.
ineedasername|4 years ago
unknown|4 years ago
[deleted]
chrismcb|4 years ago