[johnnymonster]

Security by obscurity is not security at all. Thinking you were safe because “people didn’t know about it” is not safety at all! Bad people are going to be bad. They don’t need AirTags for that. Knowing it can happen is far better for everyone to know about than living in a false sense of security.

[rsj_hn]

As someone who has been in this field professionally for almost 20 years, my thoughts on this have changed quite a bit. The idea of condemning security through obscurity traces back to cryptography, not security in general. In cryptography, you want the security of your protocol to not depend on the protocol being secret, but the cryptographic keys themselves being secret. There are a lot of good reasons for this, the main one being that the whole point of cryptography is to create protocols that can survive public scrutiny and thus are more easy to implement and more robust.

So for example, without cryptography you'd need to secretly pass a message by courier who might take a secret route, constantly changing his route and delivery time. With cryptography, you can encrypt and sign the message, and then broadcast it over an insecure channel. The second option is much easier than the first. So the whole enterprise of cryptography is based on the principle of abandoning the confidentiality of the protocols themselves.

But there are many situations that require security which are outside of cryptography, because the security of the overall system cannot be reduced to high entropy secrets, and in that case, there is some security benefit that is obtained from obscurity.

For example, we are concerned about username enumeration because we understand users choose weak passwords that might be found in databases, so we do not publish usernames and consider it a vulnerability when usernames are leaked.

As another example, we consider information disclosure consisting of stacktraces leaked to the user to be a vulnerability.

Similarly, there are data centers that cannot just get up and move, and so locations and protocols of these installations are also kept secret.

So while it's true that things which are hard to change should not rely on secrecy in order to maintain their security level, and we should constantly be improving and hardening our protocols so that they can resist public scrutiny, nevertheless it's not the case that all protocols have been or are able to be improved so that their security properties are reducible to high entropy bit strings - in fact most systems don't fall into this category and most will never fall into this category - and for these systems, part of the security will continue to rely on obscurity, even though we are painfully aware of the drawbacks of this approach.

[ted_dunning]

Even in cryptography, there can be value in obscurity.

For instance, suppose you have a system that uses the latest well-known encryption algorithm. You keep the keys secure. Of course.

Now suppose you have an alternative version of the system which super-enciphers all traffic with a fixed and physically protected key. Clearly, if that key is known then the system is no harder to attack than a system without the super-encryption. If the key to the super-encryption is not known, this adds considerable security against, say, successful key interception. Essentially, you are adding diversity of mechanism so that attackers have to multiply and diversify their attacks.

So security-by-obscurity can be a useful adjunct. It just can't be the whole story. Also, it isn't something you should talk about which means that the conversation about such techniques tends to be dominated by people who don't have practical experience with expert and well-financed adversaries.

The intelligence community is very well aware of these factors. That's why they try to protect the integrity of their hardware so much. That also why they don't talk much about the pragmatic aspects of their encryption machines.

[ineedasername]

Obscurity is not a good primary line of defense. But there's no reason why-- all else being equal-- it can't be part of a more robust setup. The more obstacles the better: like simply not using standard port #s for services so that it takes more than a quick scan of common ports to find something. Simple, and sure easy to defeat, but it takes you off the list for the lowest having fruit of targets.

[chrismcb]

Security by obscurity is actually pretty good security. Obviously but fool proof, but pretty good. Of course it depends on how good your obscurity is. Plain text passwords are not very obscure. And thus is mainly where the phrase comes from.