Thursday, 8 March 2012

Is Security by Obscurity Bad?

Quick answer, yes, if it is the only security you have! But rather than throwing out the baby with the bathwater, let us consider where obscurity is a good thing.
Firstly, if we think of structure, obscurity is not good for security, since structure can be discovered. For instance, if you based something like Chip and PIN on an encryption method which needed to be secret to work (revealing it would enable people to bypass it), then the minute somebody revealed the secret, the whole system would be useless. Openness invites peer review, which can spot flaws that you might never see, so it is worth the effort. If you cannot think how to design something that will work even when the design is in the public domain, perhaps you should consider getting someone else to do it!
On the other hand, obscurity for content can help make your systems more secure. For instance, you must out of necessity keep your DB passwords secret. Despite the structure being known and perhaps even open-source, the password is the secret and will unlock the door, albeit hopefully one door on one system. This idea can also be extended to things like database table names and web application user IDs. If your site is called Facebook and someone is trying to hack the site, they will very likely assume that the user ID for database access is called something like facebook, webapp, facebookdb etc., and I'm guessing this logic would get you into many systems. If you called your login something obscure like facebook74656372, then it is unlikely that it will be guessed or brute-forced. The same is true of database tables. SQL injection vulnerabilities are usually only serious if they can be used to obtain information; there is less danger from someone who has got a SQL inroad to your system but does not know that your user table is called USR1234123_TH rather than User. Of course, you could add the same number or key to the end of all your table names, but then anyone who saw one of them could guess the others.
A little randomness is annoying, but it comes down to breaking our fondness for eloquence and ease and thinking more in line with security.
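The shared-suffix problem described above can be shown side by side with one way around it. This is an added example, not code from the original post, and it goes beyond the text by deriving a different suffix per table from a single secret with HMAC-SHA256 (my choice of technique); the function names, table names and demo secret are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo; a real deployment would load the
# secret from its secret store and never hard-code it.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
TABLES = ["user", "order", "payment_card"]


def shared_suffix_map(suffix, logical_names):
    """Scheme the post warns about: one number appended to every name."""
    return {name: f"{name}_{suffix}" for name in logical_names}


def derived_name(secret, logical_name, digits=10):
    """Append a suffix taken from HMAC-SHA256(secret, logical_name)."""
    mac = hmac.new(secret, logical_name.encode("utf-8"), hashlib.sha256)
    return f"{logical_name}_{mac.hexdigest()[:digits]}"


def derived_name_map(secret, logical_names):
    """Map each logical name to its own physical name, recomputable from secret."""
    return {name: derived_name(secret, name) for name in logical_names}


def suffixes(name_map):
    """Return the set of distinct suffixes used in a name map."""
    return {physical.rsplit("_", 1)[1] for physical in name_map.values()}


def random_login(prefix, digits=8):
    """Build a login such as 'facebook' + 8 unpredictable digits."""
    return prefix + "".join(secrets.choice("0123456789") for _ in range(digits))


if __name__ == "__main__":
    weak = shared_suffix_map("1234123", TABLES)
    strong = derived_name_map(DEMO_SECRET, TABLES)
    print("shared suffix :", weak, "->", len(suffixes(weak)), "suffix to learn")
    print("derived suffix:", strong, "->", len(suffixes(strong)), "suffixes to learn")
    print("login         :", random_login("facebook"))
```

With the shared scheme, one leaked table name gives away the suffix of every other table; with the derived scheme each name has to be learned separately, while the application still rebuilds the whole mapping from one secret.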
As an aside, I am going back to old-school in my thinking that it is better to have complex passwords that are written in a book somewhere than to have simpler ones just so they can be memorised. Each one should also be different.