Hacker News new | ask | show | jobs
by tacker2000 1053 days ago
How is being “leaky” in any way bad or even good?

Every programming language has holes, its just that with PHP the attack surface is much larger, so i guess people find more holes, etc..

Are you advocating “security by obscurity”?
4 comments
ducharmdev 1053 days ago
> How is being “leaky” in any way bad or even good?

Information-gathering is a common early step in any attack against a system; knowing the language & libraries involved (especially their versions) allows you to search for any existing CVEs that apply.

> Are you advocating “security by obscurity”?

I don't think OP was implying that security by obscurity alone is sufficient, just that it's unwise to advertise information that's not relevant to end users, that could help would-be attackers.

link
justinclift 1053 days ago
While it kind of is security by obscurity, it's a very basic piece of server hardening to stop telling potential attackers what software you're using (within reason).

Back in the day (!), server software used to honestly respond with things like the software name and exact version number it was running.

Naturally, that meant scanning for vulnerabilities was a lot easier than it needed to be.

link
TylerE 1053 days ago
All security is by obscurity. Some is useful.
link
cies 1053 days ago
Not true. There are some real cryptographic realities that are based in "open" math principles.

There's also the way of most using runtimes/libraries that (constantly) have CVEs in them; and understanding why it is that these languages have CVEs in the first place (see my comment on "eval()").

link
justinclift 1053 days ago
Also, the overly muscled guys out the front of night clubs aren't there for "obscurity" type security. ;)
link
TylerE 1053 days ago
A cryptographic key is an obscured secret.
link
cies 1053 days ago
If you languages has "eval()" or something similar, it is a lot easier to attack. Same for when it allow you "upload a file in some place where it gets executed".

These things are not so easy, say, with a C++/Rust/Go app. Or even in most JVM configurations. JS has similar issues, that Deno is trying to mitigate to some extend.

link
notatoad 1053 days ago
obviously being properly secure is better. but if you leave your unlocked, it's better to not also hang a sign above it saying "this door is unlocked".

obscurity is absolutely part of good security practice, as long as it's not all you're relying on.

link