by 1970-01-01 468 days ago
It's become an anti-cliche. Security via obscure technique is a valid security layer in the exact same way a physical lock tumbler will not unlock when any random key is inserted and twisted. It's not great but it's not terrible and it does a fine job until someone picks or breaks it open.
2 comments

I don’t think that analogy works well; a subdomain that is not published is more like hiding the key to the front door in the garden somewhere… it does a fine job of keeping the house secure until someone finds it…
Terrible analogy.

Why not use letters and packages which is the literal metaphor these services were built on?

It's like relying on public header information to determine whether an incoming letter or package is legitimate.

If it says: To "Name LastName" or "Company", then it's probably legitimate. Of course it's no guarantee, but it filters the bulk of Nigerian Prince spam.

It gets you past the junk box, but you don't have to trust it with your life.

Nuance.

Keeping a key secret is not security by obscurity, but keeping the existence of a lock secret is.