
Security by obscurity is no security





That's cryptography at scale in a nutshell, thus far it seems to be a fair enough countermeasure. Cryptography on an individual item with an unknown cipher/salt/hash can be treated as security via entropy - but with a big enough data set and some idea of the target content, things quickly devolve into security via obscurity since the target content is discoverable with enough time and computational resources. Security via "untamperability" (quantum bits/state) is better, alas we're not quite there yet.

My biggest worry is that all currently known classical "secure" data sets, including encrypted but recorded internet communication, will become an open book a few decades from now. What insights will the powers that be choose to draw from it then, and how will that impact our future society? Food for thought.


This saying rubs me the wrong way, because confidentiality is 1/3 of security. Obscurity is critical or this wouldn't be a vulnerability.

Confidentiality is a valid layer of security, however security solely by obscurity is wrong.

You can have unintentional exploits/vulnerabilities in free/open source software or hardware too.


The critical part is understanding that confidentiality is temporal.

All “secrets” are eventually revealed; security is about managing the risks and timing associated with these revelations.


The question is: how much needs to be kept confidential?

"Obscurity" generally refers to situations where "everything" is confidential. And when everything is confidential priority one, nothing is, since people can't work like that.

Cryptography attempts to sequester the confidential data into a small number of bytes that can be protected, leaving the larger body of data (say, the algorithm) non-confidential.


_Please_ stop parroting this line incorrectly.

Security _ONLY_ through obscurity is not security. Obscurity is a perfectly valid layer to add to a system to help improve your overall security.



