[pdpi]

> All modes of cyber security depend on some obscurity (e.g. password)

That's not what the expression means.

"Security through obscurity" has a very specific meaning — that your system's security depends on your adversary not understanding how it works. E.g. understanding RSA is a few wikipedia articles away, and that doesn't compromise its security, so RSA isn't security through obscurity.

[lucketone]

I’m aware of that specific meaning. (Hiding under uncommon port, also falls under same umbrella)

But I think it is interesting and useful to detach from that specific label with all connotations, and treat it for a moment as just regular english phrase.

So we can analyse the wider pattern, see why it is deemed flawed, whether it is a binary choice or a spectrum.

(Notable thing to frame the analysis: hacker does not attack RSA, hacker will hack certain implementation of SSH server and use heartblead-v2 to sidestep RSA completely)

[strken]

Lucketone likely knows this and was pointing out that "obscurity" is a misleading word to use when talking about systems which all rely on obscurity, in the plain English sense of the word.

[pdpi]

We're in a technical forum, discussing a term of art that refers to a very specific bad practice.

Lucketone's argument is essentially saying that the bad practice itself isn't actually a bad practice by equivocating the term of art and the plain language definition.

[strken]

The problem is that the term of art is confusing to technical people. See TFA. Technical people make logical leaps from "avoid security through obscurity [in the specific context of security systems which depend on obscurity and for which there are better alternatives than obscurity]" to "you should never obfuscate JavaScript" because the word is imprecise.

[fsckboy]

"security through obscurity" is not a term of art; it is not solely that property which RSA does not rely upon.

[sroussey]

No, "Security through obscurity" is a valid and useful layer. A lot of weight hangs on your word “depends” though, in which case if it is the only layer then you will eventually have, uh, problems.

I’ve used it for a long long time. Like in 1999 I’d have a knock on certain ports in a certain order to unlock the ssh port.

And lots of weird stuff to stop forum spam. Which could work for weeks or months or even a year.

[pdpi]

Port knocking isn't security through obscurity. Given the knowledge that you have a port knocking system in place doesn't tell me what specific sequence of knocks will open up the service I want to target. Even just a two knock sequence gives you a key with 32 bits of entropy, which makes it trivial to block attempts at bruteforcing the key.

[ZoomZoomZoom]

I don't see how your argument makes sense. It's all just bits of entropy in the end, be it knowing a port to connect to or a character in your key.

[pdpi]

Yeah absolutely. That was precisely my point — Requiring a secret (be it a password or the private part of an asymmetric key) isn't security through obscurity, and finding the sequence of knocks is equivalent to finding a password of equivalent complexity.