
first of all, the question from a naive point of view:

I've got a web application with a URL to a product like Products?id=123. Let's say I've got an administration page reachable from Products?id=123&editable=true.

If I consider that no one will ever try to enable the editable parameter, and thus don't need any further security mechanism to protect this page, that's security by obscurity, and that's not a good idea, right?

-

In my real-case problem, it's slightly more subtle: is there any danger in allowing anyone to know my administration URLs? For instance, while working with XSL, I would like to write:

<xsl:if test="/webAlbums/mode/@admin">
    (compute edit link)
</xsl:if>

but wouldn't it be easier for a potential attacker to find a weakness in 'important' pages?

Dimitre Novatchev
Kevin

4 Answers


Daniel Miessler gives another part of the answer in his blog, the one I had in mind when I wrote the question but couldn't formulate:

  • Obscurity as a Layer makes a system with already good defenses more difficult to target, which improves its overall security posture.
  • Security Through Obscurity means that, once targeted, the system will be defenseless, i.e. all its security comes from secrecy.

Hiding configuration URLs from unauthenticated clients adds a layer of security, on top of standard authentication mechanisms.

If crackers don't know where the door is, they will be less likely to try to force it!

That's what he does by changing his sshd port to 24: a port scanner will locate the SSH server, but automated brute-force scripts will only try the default one.

Results? After a weekend, 18,000 attacks on port 22 and 5 on port 24 (he left both ports open to allow the comparison).

Kevin

Security through obscurity is barely security at all. Don't count on it.

You should make an authentication system that prevents people from using the admin page through actual security.

As for people knowing your admin URLs, it should be fine as long as your admin page is protected and there is no sensitive data being shown in the URL (such as the internal representation of a data type, the internal ID of some data, etc).

Chetan
  • Remember that a password is also security through obscurity. – Gabe Oct 24 '10 at 15:36
  • @Gabe: Security through obscurity generally means that there are easy access paths to a system, but the designers are counting on the possibility that attackers won't find them. A password would actively protect these access paths so that even if they were found, they would be hard to break through. – Chetan Oct 24 '10 at 19:31
  • How is knowing the password not an "easy access path"? – Gabe Oct 24 '10 at 19:48
  • @Gabe: Because you don't just "stumble" across a password. Instead of counting on attackers to not happen to find an easy access path, you're preventing them from using it without actively trying to break it. It's the difference between hiding the door to your house in an overgrown bush and putting a troll in front of it to guard it. – Chetan Oct 24 '10 at 20:16
  • Assuming you don't have the secret URL on your web site (in a link or something), how would you "stumble across" it? – Gabe Oct 24 '10 at 20:27
  • @Gabe: I'll answer your question with a question. Would you feel secure with the only security to your house being that your front door is hidden behind an overgrown bush? Sure, people aren't likely to accidentally find it, but someone trying to steal from you most definitely will look for it. Similarly, attackers will look for hidden URLs to get more information or additional access points to your site that you haven't specifically protected. – Chetan Oct 24 '10 at 20:43
  • @Gabe: See this similar question for more details: http://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea – Chetan Oct 24 '10 at 20:44
  • Chetan: The fundamental flaw in your analogy is that my house has a finite (and quite small) perimeter, making it trivial to exhaustively search. URL space is infinite, or at least large enough to not be able to search exhaustively. If you keep your URL as secure as your password, there's no reason it won't be as secure. – Gabe Oct 24 '10 at 23:12
  • @Gabe: You're right, the analogy isn't as great as I hoped it would be. But attackers wouldn't do an exhaustive search of the URL search space - there are easier ways of finding hidden URLs, at least easier than breaking a good password scheme. – Chetan Oct 25 '10 at 02:41
  • Chetan: How are you going to *find* a hidden URL? Obviously having a URL of `/admin` is insecure, but so is having `admin` for a password. If his admin URL is `/webAlbums/mode/@admin/jOGT(940jw(4$(*` would you say that it's less secure than having `jOGT(940jw(4$(*` for a password? – Gabe Oct 25 '10 at 03:08
  • @Gabe: Well, I would say `/webAlbums/mode/@admin/jOGT(940jw(4$(*` is a form of password protection, whereas `/webAlbums/mode/@admin` is security through obscurity. It doesn't matter as much what the definition is - the fact is that you don't want to have `admin` for a password; it's a weak form of security and it's something attackers are likely to try first. – Chetan Oct 25 '10 at 06:10
  • Chetan: That's my point exactly. The only difference between a password and a URL is where the user enters it. An easy-to-guess URL is no worse than an easy-to-guess password, and a hard-to-guess URL is just as good as a hard-to-guess password. – Gabe Oct 25 '10 at 06:21
  • @Gabe: I think we're getting hung up on definitions. Security through obscurity has a pretty general definition, so it's easy to compare it to a weak password. The main point is that security through obscurity is as bad as a really weak password, so you can't rely on it alone. – Chetan Oct 25 '10 at 07:03
  • @Gabe and @Chetan: I think you're both missing the point that passwords are *never* sent across the wire in the clear (at least, they should never be sent in the clear), whereas URLs most certainly are in cleartext. A password is a defined secret with proper storage and disclosure rules (hash and don't, respectively) whereas a URL is public information in the sense that it is not a defined secret. – Cameron Skinner Oct 25 '10 at 11:41
  • Cameron: I think your definition of *never* is vastly different from mine. How do you make a web site's passwords *not* get sent in the clear? – Gabe Oct 25 '10 at 14:27
  • @Gabe: https will encrypt the whole transport layer ensuring passwords are not sent in the clear. Note that it will *not* encrypt the URL. – Cameron Skinner Oct 25 '10 at 22:31
  • Cameron: What makes you think HTTPS can encrypt the whole transport layer but somehow manage to avoid encrypting the URL? – Gabe Oct 25 '10 at 22:51
  • Fair point, https does encrypt the URL too. I stand corrected. Nevertheless, I stand by my definition of "never", assuming the developer isn't stupid enough to not use https when passwords are involved. – Cameron Skinner Oct 25 '10 at 23:05
  • Chetan, @Gabe, Cameron: thanks for this discussion, that's exactly what I wanted to understand when I asked the question (yeah, one year ago, but anyway :) – Kevin Sep 05 '11 at 08:01

You are actually in luck, as what you are proposing is not security by obscurity, but a perfectly sound security technique called Obscure URL.

To make it work, you need to make sure a part of the URL is as hard to guess as a strong password. It doesn't really matter where you include it, as long as the page cannot be edited unless that part is correct.

Insecure example:

Products?id=123&editable=true

Secure examples:

Products?id=123&editable=true&edit-token=GgSkJSb6pvNT
Products?id=123&edit=GgSkJSb6pvNT
edit/GgSkJSb6pvNT/Products?id=123
GgSkJSb6pvNT/Products?id=123
cmc
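One way to implement the obscure-URL scheme from this answer on the server side, as an added example that is not code from the question or from any of the answers: the edit token is drawn from the OS CSPRNG and checked with a constant-time comparison, and the question's own editable=true check is kept alongside it for contrast. The in-memory EDIT_TOKENS store, the handler taking a bare URL string, and the Products? URL shape are assumptions made for the example, not a real framework API.

```python
"""Capability-token edit links (added example; assumes a hypothetical in-memory
token store and a handler that receives the request URL as a string)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_BYTES = 24      # 192 bits of randomness, comparable to a long random password
EDIT_TOKENS = {}      # constructed server-side store: product id -> edit token


def parse_query(url: str) -> dict:
    """Flatten the query string of a URL into {name: first_value}."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in raw.items()}


def issue_edit_token(product_id: int) -> str:
    """Mint an unguessable token for one product and remember it server-side."""
    token = secrets.token_urlsafe(TOKEN_BYTES)   # base64url, 32 characters, no padding
    EDIT_TOKENS[product_id] = token
    return token


def edit_link(product_id: int) -> str:
    """Build the admin link the XSL template would emit for a product (id + token)."""
    return "Products?" + urlencode({"id": product_id, "edit": EDIT_TOKENS[product_id]})


def is_editable_insecure(query: dict) -> bool:
    """The scheme from the question: anyone who appends editable=true gets the admin view."""
    return query.get("editable") == "true"


def is_editable_secure(query: dict) -> bool:
    """The obscure-URL scheme: the edit view requires the token issued for that product."""
    try:
        product_id = int(query.get("id", ""))
    except ValueError:
        return False
    expected = EDIT_TOKENS.get(product_id)
    presented = query.get("edit", "")
    if expected is None or len(presented) != len(expected):
        return False
    # Constant-time comparison: a plain == could let an attacker recover the token
    # character by character from response timing. Token length is fixed, so the
    # length check above leaks nothing secret.
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    issue_edit_token(123)
    link = edit_link(123)
    print("edit link:", link)
    print("token view allowed:", is_editable_secure(parse_query(link)))
    print("editable=true allowed:",
          is_editable_secure(parse_query("Products?id=123&editable=true")))
```

The 12-character tokens in the answer's examples carry roughly 72 bits of entropy, which is on the short side for something that can be tried without rate limiting; with secrets.token_urlsafe the length is a one-constant decision. The token is bound to the product id on the server, so a token leaked for one product cannot be replayed against another.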

I don't do web programming, so I may be a bit off-base here, but I think there are a few things to consider:

  • Just like any other authentication system, if you access the admin page without HTTPS, the page request (which contains the effective "password") is being sent in the clear.

  • Unless configured to do otherwise, browsers will retain history and cache for the admin page. This makes the secret URL more available to attackers or even anyone who uses your machine.

  • As with all passwords, if the secret URL is simple enough, there is a reasonable possibility that it could be brute forced. Something like &editable=true doesn't strike me as secure.

But if handled properly, this should be just as secure as a conventional authentication system.

user1354557