Hacker News new | ask | show | jobs
by Dayshine 2330 days ago
> If open sourcing your code presents any risk to sensitive personal information, then that means that you are already grossly mishandling this information

This is also clearly false.

For example, take this scenario:

- You use web framework Omega, but minimise indicators of this (suppress HTTP headers, etc).

- At 2am, a critical security vulnerability is discovered for Omega and a patch is released shortly after.

- Malicious actors scrape GitHub to find sites that use Omega, and try compromise them.

- At 9am, you apply this patch.

If your project is open source, there is a 7 hour window where you are clearly and publicly broadcasting that you are vulnerable.

If your project is not, there is a 7 hour window where you are vulnerable, but this is not easily apparent to attackers.

How would you prevent this risk?
2 comments
anyzen 2330 days ago
It doesn't work that way. Attackers don't check if you are using "Omega", they check if you are vulnerable. There is simply no difference if you are hiding framework indicators here.

Well - unless there is a targeted attack _against you_. In this case the attacker will search for known vulnerabilities in Omega and maybe even try to come up with some new ones. Having source helps the attackers here, but then again, it has helped researchers fix the vulnerabilities too. So it's a mixed blessing.

link
arghwhat 2330 days ago
This doesn't matter at all.

Attackers either flood you with every attack under the sun, or tear your site apart and will know exactly how it works.

Imagining that you can hide the function of your site is again security by obscurity.

The key idea here (I forgot the name of the law, but others' mentioned it in the tread) is that regardless of what you do, the adversary will end with complete understanding of how your system works.

Therefore, any security based entirely on the adversary not learning about implementation details is entirely defective.

Furthermore, an attack exists for days, months or even years before fixed, it takes time to fix and release, and it takes time for you to discover the advisory and deploy.

You were not vulnerable for 7 hours. You were vulnerable for weeks, months or years.

link