by ShaneWilton 3186 days ago
Security through obscurity is a very misunderstood concept. It should never be used at the expense of proper security (i.e. rolling your own crypto), and you should always act under the assumption that targeted attackers can see through your obscurity, but it can be a valuable part of defense in depth: especially against unskilled attackers.

Consider a 0day, for example. When the 0day is published, attackers are going to mass-scan the internet for vulnerable applications. Your WAFs, etc. won't yet block the attack, and if you have a vulnerable application that must be externally facing, you may get hit by this mass-scan. If your applications are protected with port knocking, however, you'll have that extra window of time to apply patches and protect yourself before you're directly targeted.


Well, but if port knocking was a great effective security tool, everyone would be using it, which defeats the obscurity advantage and would bring it back on par with good old passwords.

It might be a decent extra tool for very delicate situations, but I find it reasonably clear that it's largely self-defeating and not to be relied upon. It can also introduce further bugs.

I can see it could have an appeal as a proper password system though (not an obscurity device), since it's really the first step in interacting with a server. With password protocols, you usually have a more complicated interaction that can open a greater surface area. It seems good practice to authenticate absolutely as soon as possible.

The benefit of port knocking is that it essentially gives you a channel to transmit a password over, without revealing the existence of the system that's being authenticated for. A traditional password, on the other hand, requires some sort of socket that leaks the presence of a listening server.

Even if everybody were to use port knocking, knowing that fact doesn't give you any knowledge about whether a given IP hosts zero, one, or some arbitrary number of possibly vulnerable services.

One clear downside: you've now created an easy low-bandwidth way for anyone to deny you from opening connections there, since others can easily interfere with your port knocking sequence.
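The two points above (the sequence is a password carried by connection attempts to ports with no listener, and a stray packet to the wrong port wipes a client's progress) are easiest to see as a state machine. The following is an added example written for this thread, not code from any commenter or from a real knock daemon: a toy tracker that replays constructed (time, source, port) traces, with the sequence, the time window and the addresses all made up for illustration.

```python
"""Toy port-knock state machine (constructed example, not a real knockd)."""

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed secret sequence
KNOCK_WINDOW = 5.0                    # seconds to finish the whole sequence


class KnockTracker:
    """Tracks each source's progress through the knock sequence.

    A knock on the wrong port, or running out of time, discards progress.
    That is the property behind the downside noted above: any packet that
    arrives out of sequence for a source resets that source's attempt.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}      # src_ip -> (next_index, time of first knock)
        self.allowed = set()    # sources whose sequence completed

    def observe(self, src_ip, dst_port, now):
        """Feed one observed connection attempt; True when the sequence completes."""
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > self.window:
            idx, started = 0, now              # too slow: start over
        if dst_port != self.sequence[idx]:
            self.progress.pop(src_ip, None)    # wrong port: forget everything
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.allowed.add(src_ip)           # would translate to a firewall rule
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def is_allowed(self, src_ip):
        return src_ip in self.allowed


def run_trace(events, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay (time, src_ip, dst_port) tuples; return the set of opened sources."""
    tracker = KnockTracker(sequence, window)
    for t, src, port in events:
        tracker.observe(src, port, t)
    return tracker.allowed


# Constructed traces (documentation addresses, made-up timings).
CLIENT = "198.51.100.10"
GOOD = [(0.0, CLIENT, 7000), (0.5, CLIENT, 8000), (1.0, CLIENT, 9000)]
# A single out-of-sequence packet attributed to the client wipes its progress.
INTERFERED = [(0.0, CLIENT, 7000), (0.3, CLIENT, 4444),
              (0.5, CLIENT, 8000), (1.0, CLIENT, 9000)]
# Right ports, but the last knock arrives after the window has expired.
SLOW = [(0.0, CLIENT, 7000), (0.5, CLIENT, 8000), (9.0, CLIENT, 9000)]
# A mass-scanner probing common service ports never matches the sequence
# and sees no listener, which is the "extra window of time" argument.
SCAN = [(0.0, "203.0.113.9", 22), (0.1, "203.0.113.9", 80), (0.2, "203.0.113.9", 443)]

if __name__ == "__main__":
    for name, trace in [("GOOD", GOOD), ("INTERFERED", INTERFERED),
                        ("SLOW", SLOW), ("SCAN", SCAN)]:
        print(name, sorted(run_trace(trace)))
```

The reset-on-wrong-port rule is what makes the scheme both a password (the scanner's trace never opens anything) and fragile (the interfered trace never opens anything either, even though every correct knock was sent). A real daemon keys the state on the source address it sees in packet headers, which is why the interference point in the comment is a low-bandwidth problem rather than a theoretical one.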

"If this was good everyone would be doing it" is... shaky logic, at best.

I think the intent is an argument that basically says "if everyone were doing it, it wouldn't be good" which is less shaky (though see ShaneWilton's comment as to why this isn't so).