[emergentcypher]

Put another way: all security is security through obscurity. Whether we're guessing URLs or brute-forcing passwords, logging HTTP traffic or keylogging someone's machine. I hardly see the difference. It's not easy to tell where "obscurity" ends and "security" begins.

[marshray]

It's Kerckhoffs's 2nd principle:

"[The system] should not require secrecy, and it should not be a problem if it falls into enemy hands"

Which gives rise to the idea of "security though obscurity" is bad. A system is said to rely on obscurity if the bad guy learning any facts about it (other than the special secret keys) represents a compromise.

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

[nommm-nommm]

No, theres a huge difference.

Security through obscurity means that if the details of the algorithm are known then your secrets are no longer secret. It relys on keeping the encyption method itself secret.

Compare with most good encryption methods, if you know which algorithm was used to encrypt my hard drive you cant use that information to decrypt it. The algorithm is published and the enemy knows the system but the system is still secure.

[bmm6o]

You can usefully distinguish between the name/location/identity of the resource and credentials/password used to access it. "Security through obscurity" is a specific criticism that usually means that the system doesn't adhere to Kerckhoffs's principle.

[jedberg]

Obscurity is when the secret part is entirely based on one side of the transaction (I hope they don't find this URL) whereas security involves secrets on both sides that must be discovered (here is a key exchange where we both know a secret thing).

[chrisseaton]

One-time pads as long as the message aren't security through obscurity are they? There's no way to brute force them. No future maths or quantum computer could ever crack them.

[jameshart]

'How the pad was generated' is the obscure part with OTPs.