Why is security through obscurity a bad idea?

Question

I recently came across a system where all of the DB connections were managed by routines obscured in various ways, including base 64 encoding, md5sums and various other techniques.

/etc/shadow is providing adding security with obscurity. Before /etc/shadow the hashes were in /etc/passwd which any user could read, making them vulnerable to rainbow table attacks. Putting them in /etc/shadow which can only be read by root obscures the hashes from unprivileged users. — Alice Wonder, Dec 10 '14 at 07:58
Enforcing access control is usually nut considered "obscurity" (neither is password hashing if it is done correct). — eckes, Feb 18 '15 at 05:32
Really guys? You honestly are going to sit here and tell me and the world that obscurity is a bad idea? It's not a bad idea and it SHOULD NOT BE your total plan for protection against unauthorized access. A great security plan should call for obscurity, strong password, encryption, and closing back doors as they are discovered. — Jeff, Feb 22 '12 at 18:35

score 122 · Accepted Answer · edited Mar 29 '16 at 11:44

122

Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it's there. Real security is putting it behind a lock or combination, say in a safe. You can put the safe on the street corner because what makes it secure is that no one can get inside it but you.

As mentioned by @ThomasPadron-McCarty below in a comment below:

If someone discovers the password, you can just change the password, which is easy. If someone finds the location, you need to dig up the money and move it somewhere else, which is much more work. And if you use security by obscurity in a program, you would have to rewrite the program.

edited Mar 29 '16 at 11:44

Michał Perłakowski

88,409
26
156
177

answered Feb 10 '09 at 20:17

Rex M

142,167
33
283
313

20

The next question would be: What is the difference between keeping the location secret and keeping the password secret? – Albert Feb 10 '09 at 22:29
5

@Albert the difference is the order(s) of magnitude between the likelihood of finding the location/obscurity without knowledge (high) and finding the password without knowledge (low). – Rex M Feb 10 '09 at 22:37
28

Another answer: If someone discovers the password, you can change the password, which is easy. If someone finds the location, you need to dig up the money and move it somewhere else, which is much more work. And if you use security by obscurity in a program, you would have to re-write the program... – Thomas Padron-McCarthy Feb 11 '09 at 15:27
3

Nice answer. What tree do you bury your money under? – Chris Ballance Feb 11 '09 at 15:35
1

Does anyone have a shovel I can borrow?... – Neil Barnwell Feb 11 '09 at 17:22
36

What if I burry my money under a tree, in a safe? – Mathieu Pagé Feb 13 '09 at 16:15
nice answer! but to picky, if you put a safe on the street, someone could blow it up or something :) – hasen Mar 08 '09 at 07:20
@Hasen j, what would happen to the money inside if you blew it up ? – alex Mar 09 '09 at 04:41
@alex The scene at the end of "The Apple Dumpling Gang" comes to mind... – Doug L. Mar 21 '09 at 08:55
@alex, it would probably burn (if it was paper money), but that maybe the culprit's intent. – hasen Apr 07 '09 at 15:43
1

what is if someone steals that safe from the street? even if he can't break into it, your money is gone anyway ... :D – Chris Oct 09 '09 at 21:33
Bad answer. These are both "real" security. The question is what resource are you requiring. – Good Person Nov 02 '09 at 09:25
1

Bury an empty safe nearby as a decoy. You could choose to dig up the money and bury it under another tree while they are digging up the safe or you could sit tight and wait. – Rimian Mar 03 '10 at 05:57
@Neil Barnwell : I won't borrow you my shovel but I can rent it to you :P – Andrei Rînea Nov 26 '10 at 14:02
That is how **Linux** works. I'd say Microsoft counts on the fact Windows is too big. – imacake Feb 22 '12 at 18:39
1

And what if you went back to the safe on the street the other day, and input your security combination, only to find out that the actual safe was gone and this was a decoy look alike just to grab the combination from you and send it to the decoy owner?? Phishing anyone????? :D – Mohd Abdul Mujib Jan 17 '13 at 17:18
Both obscurity and encryption should be used, wisen up. – Eujinks Nov 06 '14 at 13:16
@ThomasPadron-McCarty this should be included in the answer. Adding it into the answer. – aug Mar 17 '15 at 18:11
@hasen perhaps a bank with security guards would be a better example. – FluorescentGreen5 Aug 20 '17 at 07:50
While "Security by Obscurity" might not be the best idea for routines and backend systems especially using weak and reversible encryptions like base64 and the likes. It is a good idea for not revealing your codes easily in web development where source codes can be made available by mapping. My next question if you disagree will be why do we have private repositories? Why do we bury our codes??? – Akinjiola Toni Sep 03 '19 at 09:42
This answer overlooks the fact that "if done right" (just like encryption), the number of possibilities for "obscurity" is so immense that it is virtually impossible to discover the secret. The best option is a combination of good obscurity PLUS good encryption. – Seven Systems Jan 16 '23 at 19:24
Funniest thing in the world to me is I spent about 90 seconds on a crappy, throwaway analogy and 14 years later people are still showing up with "well ACKTCHUALLY" – Rex M Mar 13 '23 at 02:04

score 41 · Answer 2 · edited Feb 10 '09 at 20:30

Security through obscurity can be said to be bad because it often implies that the obscurity is being used as the principal means of security. Obscurity is fine until it is discovered, but once someone has worked out your particular obscurity, then your system is vulnerable again. Given the persistence of attackers, this equates to no security at all.

Obscurity should never be used as an alternative to proper security techniques.

Obscurity as a means of hiding your source code to prevent copying is another subject. I'm rather split on that topic; I can understand why you might wish to do that, personally I've never been in a situation where it would be wanted.

+1: the code for encryption and proper key management can be completely exposed. Read all the code you want, you'll never get the key. If you pay your folks enough even social engineering won't reveal the keys. — S.Lott, Feb 10 '09 at 20:26

score 17 · Answer 3 · answered Feb 10 '09 at 21:34

Security through obscurity is an interesting topic. It is (rightly) maligned as a substitute for effective security. A typical principle in cryptography is that a message is unknown but the contents are not. Algorithms for encyrption are typically widely published, analyzed by mathematicians and, after a time, some confidence is built up in their effectivness but there is never a guarantee that they're effective.

Some people hide their cryptographic algorithms but this is considered a dangerous practice because then such algorithms haven't gone through the same scrutiny. Only organisations like the NSA, which has a significant budget and staff of mathematicians, can get away with this kind of approach.

One of the more interesting developments in recent years has been the risk of steganography, which is the practice is hiding message in images, sound files or some other medium. The biggest problem in steganalysis is identifying whether or not a message is there or not, making this security through obscurity.

Last year I came across a story that Researchers Calculate Capacity of a Steganographic Channel but the really interesting thing about this is:

Studying a stego-channel in this way leads to some counter-intuitive results: for example, in certain circumstances, doubling the number of algorithms looking for hidden data can increase the capacity of the steganographic channel.

In other words, the more algorithms you use to identify messages the less effective it becomes, which goes against the normal criticism of security through obscurity.

Interesting stuff.

Security through obscurity - steganography - is useful if you're a criminal or terrorist organization living in the shadows. But if you're not living in the shadows, proper security techniques are your best bet. — yfeldblum, Feb 10 '09 at 22:26
"Criminal or terrorist" gets a bit philosophical. Do you include Huguenots, samizdat publishers in the USSR, and Iranian homosexuals? — Brent.Longborough, Feb 11 '09 at 10:30

z - · Answer 4 · 2009-02-10T20:17:52.253

13

The main reason it is a bad idea is that it does not FIX the underlying problems, just attempts to hide them. Sooner or later, the problems will be discovered.

Also, extra encryption will incur additional overhead.

Finally excessive obscurity (like using checksums) makes maintenance a nightmare.

Better security alternatives is to eliminate potential weaknesses in your code such as enforced inputs to prevent injection attacks.

edited Feb 10 '09 at 20:17

answered Feb 10 '09 at 20:12

z -

7,130
3
40
68

It's code integrity checking techniques, yes, but it was used to encrypt some aspects of the DB connections. – Jrgns Feb 10 '09 at 20:15
depending on how often your DB will be hit, adding in a few extra steps of encrypting/decrpyting could incur a huge overhead. – z - Feb 10 '09 at 20:33
however, if its for extra sensitive information, those kind of extra security measures could be understandable. You definitely don't want to broadcast SSNs in the clear on any network. – z - Feb 10 '09 at 20:34
but then... there is a difference between obscurity and encryption so what you are really doing then is encryption? – z - Feb 10 '09 at 20:38

score 7 · Answer 5 · answered Feb 10 '09 at 20:34

7

One factor the ability to recover from a security breach. If someone discovers your password, just reset it. But if someone uncovers your obscure scheme, you're hosed.

answered Feb 10 '09 at 20:34

John D. Cook

29,517
10
67
94

score 6 · Answer 6 · answered Feb 10 '09 at 21:18

6

Using obscurity as all these people agree is not security, its buying yourself time. That said having a decent security system implemented then adding an extra layer of obscurity is still useful. Lets say tomorrow someone finds an unbeatable crack/hole in the ssh service that can't be patched immediately.

As a rule I've implemented in house... all public facing servers expose only the ports needed ( http/https ) and nothing more. One public facing server then will have ssh exposed to the internet at some obscure high numbered port and a port scanning trigger setup to block any IP's that try to find it.

Obscurity has its place in the world of security, but not as the first and last line of defense. In the example above, I don't get any script/bot attacks on ssh because they don't want to spend the time searching for a non-standard ssh service port and if they do, their unlikely to find it before another layer of security steps in and cuts them off.

answered Feb 10 '09 at 21:18

David

17,673
10
68
97

A distributed scan could break through your obscurity. I could scan for your SSH port with only one computer if I scan through TOR. – Lunatic Experimentalist Aug 30 '10 at 22:38
And he can easily blacklist the TOR network. If you buy proxies, they're probably going to be on the same subnet, which he could throttle. These kinds of barriers are not pointless. – Eric Feb 05 '15 at 21:05
@EricMuyser For a client with a USA only market, I ended up whitelisting only ARIN. That was a fairly effective strategy for everything but 0day robots. – David Feb 07 '15 at 16:47
Obscurity can be a really great tool to stop bots. And in many security settings they are your biggest concern by far. There are so many bots out there nowadays exploiting security holes in popular software like Wordpress and just trying to hack as many sites as possible. – Gellweiler Jan 06 '21 at 12:43

score 4 · Answer 7 · answered Feb 10 '09 at 22:21

All of the forms of security available are actually forms of security through obscurity. Each method increases in complexity and provides better security but they all rely on some algorithm and one or more keys to restore the encrypted data. "Security through obscurity" as most call it is when someone chooses one of the simplest and easiest to crack algorithms.

Algorithms such as character shifting are easy to implement and easy to crack, that's why they are a bad idea. It's probably better than nothing, but it will, at most, only stop a casual glance at the data from being easily read.

There are excellent resources on the Internet you can use to educate yourself about all of the available encryption methods and their strengths and weaknesses.

score 4 · Answer 8 · answered Feb 11 '09 at 16:43

Security is about letting people in or keeping them out depending on what they know, who they are, or what they have. Currently, biometrics aren't good at finding who you are, and there's always going to be problems with it (fingerprint readers for somebody who's been in a bad accident, forged fingerprints, etc.). So, actually, much of security is about obfuscating something.

Good security is about keeping the stuff you have to keep secret to a minimum. If you've got a properly encrypted AES channel, you can let the bad guys see everything about it except the password, and you're safe. This means you have a much smaller area open to attack, and can concentrate on securing the passwords. (Not that that's trivial.)

In order to do that, you have to have confidence in everything but the password. This normally means using industry-standard crypto that numerous experts have looked at. Anybody can create a cipher they can't break, but not everybody can make a cipher Bruce Schneier can't break. Since there's a thorough lack of theoretical foundations for cipher security, the security of a cipher is determined by having a lot of very smart and knowledgeable people try to come up with attacks, even if they're not practical (attacks on ciphers always get better, never worse). This means the crypto algorithm needs to be widely known. I have very strong confidence in the Advanced Encryption Standard, and almost none in a proprietary algorithm Joe wrote and obfuscated.

However, there's been problems with implementations of crypto algorithms. It's easy to inadvertantly leave holes whereby the key can be found, or other mischief done. It happened with an alternate signature field for PGP, and weaknesses with SSL implemented on Debian Linux. It's even happened to OpenBSD, which is probably the most secure operating system readily available (I think it's up to two exploits in ten years). Therefore, these should be done by a reputable company, and I'd feel better if the implementations were open source. (Closed source won't stop a determined attacker, but it'll make it harder for random good guys to find holes to be closed.)

Therefore, if I wanted security, I'd try to have my system as reliable as possible, which means as open as possible except for the password.

Layering security by obscurity on top of an already secure system might help some, but if the system's secure it won't be necessary, and if it's insecure the best thing is to make it secure. Think of obscurity like the less reputable forms of "alternative medicine" - it is very unlikely to help much, and while it's unlikely to hurt much by itself it may make the patient less likely to see a competent doctor or computer security specialist, whichever.

Lastly, I'd like to make a completely unsolicited and disinterested plug for Bruce Schneier's blog, as nothing more than an interested reader. I've learned a lot about security from it.

score 3 · Answer 9 · answered Feb 10 '09 at 20:27

3

One of the best ways of evaluating, testing or improving a security product is to have it banged on by a large, clever peer group.

Products that rely for their security on being a "black box" can't have the benefit of this kind of test. Of course, being a "black box" always invites the suspicion (often justified) that they wouldn't stand up to that kind of scrutiny anyway.

answered Feb 10 '09 at 20:27

Brent.Longborough

9,567
10
42
62

"One of the best ways of evaluating, testing or improving a security product is to have it banged on by a large, clever peer group." - agreed. So, clearly, you should post your DB details here, along with all relevant routines. Let us "play" on your DB, and we'll tell you how secure it is. :) – abelenky Feb 10 '09 at 20:32
@abelenky: If I were the inventor/owner of a software that was a "Totally Secure DB System" I'd be happy for it to be banged on, and as a prospective user I'd expect it to be secure even if all my schemas were published. – Brent.Longborough Feb 11 '09 at 01:06

score 3 · Answer 10 · answered Feb 11 '09 at 15:14

I argued in one case that password protection is really security through obscurity. The only security I can think of that wouldn't be STO is some sort of biometric security.

Besides that bit of semantics and nit picking, STO (Security through obscurity) is obviously bad in any case where you need real security. However, there might be cases where it doesn't matter. I'll often XOR pad a text file i don't want anyone reading. But I don't really care if they do, i'd just prefer that it not be read. In that case, it doesn't matter, and an XOR pad is a perfect example of an easy to find out STO.

Yes, I have been wondering what the difference is myself. – Rimian Mar 05 '10 at 02:22 — Rimian, Mar 05 '10 at 02:22

score 2 · Answer 11 · answered Feb 10 '09 at 20:14

2

It is almost never a good idea. It is the same to say, is it a good idea to drive without seatbelt? Of course you can find some cases where it fits, but the anwser due to experience seems obvious.

answered Feb 10 '09 at 20:14

Fernando Miguélez

11,196
6
36
54

It's more like driving with a cardboard seatbelt. It looks secure at a glance, but it doesn't offer any real protection. – Greg Feb 10 '09 at 20:16
Cardboard seatbelt covered with shards of glass. Even if there isn't an accident, you will still be in pain. – EBGreen Feb 10 '09 at 20:18
Not the right metaphor. More like driving at insane speeds without a seatbelt down hard-to-find back roads hoping no one else discovered the back roads. – S.Lott Feb 10 '09 at 20:24

score 2 · Answer 12 · answered Feb 10 '09 at 22:44

Weak encryption will only deter the least motivated hackers, so it isn't valueless, it just isn't very valuable, especially when strong encryption, like AES, is available.

Security through obscurity is based on the assumption that you are smart and your users are stupid. If that assumption is based on arrogance, and not empirical data, then your users- and hackers-- will determine how to invoke the hidden method, bring up the unlinked page, decompile and extract the plain text password from the .dll, etc.

That said, providing comprehensive meta-data to users is not a good idea, and obscuring is perfectly valid technique as long as you back it up with encryption, authorization, authentication and all those other principles of security.

RussellH · Answer 13 · 2009-02-10T22:52:53.393

1

If the OS is Windows, look at using the Data Protection API (DPAPI). It is not security by obscurity, and is a good way to store login credentials for an unattended process. As pretty much everyone is saying here, security through obscurity doesn't give you much protection.

http://msdn.microsoft.com/en-us/library/ms995355.aspx

http://msdn.microsoft.com/en-us/library/ms998280.aspx

edited Feb 10 '09 at 22:52

answered Feb 10 '09 at 22:35

RussellH

1,239
1
9
13

score 1 · Answer 14 · answered Feb 11 '09 at 17:50

The one point I have to add which hasn't been touched on yet is the incredible ability of the internet to smash security through obscurity.

As has been shown time and time again, if your only defense is that "nobody knows the back door/bug/exploit is there", then all it takes is for one person to stumble across it and, within minutes, hundreds of people will know. The next day, pretty much everyone who wants to know, will. Ouch.

Why is security through obscurity a bad idea?

14 Answers14

Linked

Related