by K0nserv 3114 days ago
A common misconception with "Security by Obscurity" is that it's always a bad thing.

It's only a bad thing if the obscurity is critical to the security of what you are protecting. For example, if you make your API completely open, but obscure it inside an app and make the domain hard to discover, e.g. a random string, that's obviously not good.

However, if you use obscurity as an extra layer in a system that is secured by other means, such that removing the obscurity would not have an adverse effect on the security of the system, that's fine. Hence there's no reason not to obscure things to make it more difficult for an attacker, as long as that's not all your security.

2 comments

I’d counter that the security benefit may be so small as to underweigh the hassle and bug potential of those obscurities.

... and counter myself by reminding that all computer security is obscurity, just varying levels.

I think, in the end, we do need to measure things :)

You might very well be correct that it's not worth it, but it doesn't counter my point.

But sounds like the entire Telegram network could be taken down if the locations of the servers were compromised. Then the message app wouldn't function anymore, so it wouldn't provide any security.

I guess the issue when your potential adversaries are nation states is that if they know where the servers are and that area is within their jurisdiction, they can have your servers shut down/seized. This obviously kills at least parts of the network; however, I don't think it's implied that the network can be compromised as a consequence of this. That would truly be security by obscurity.

Outside of a mesh network or some peer to peer solution this doesn't seem like a problem that's solvable.