Obscurity Isn't Security, but It Helps

Tuesday, April 03, 2018

If you've ever heard someone pooh-poohing "security by obscurity" (but wondered if he knew what he was talking about), Daniel Miessler has some food for thought over at his eponymous blog:

Photo by Allef Vinicius on Unsplash
Many of us are familiar with a concept known as Security by Obscurity. The term has negative connotations within the infosec community -- usually for the wrong reason. There's little debate about whether security by obscurity is bad; this is true because it means the secret being hidden is the key to the entire system's security.

When added to a system that already has decent controls in place, however, obscurity not only doesn't hurt you but can be a strong addition to an overall security posture. [minor edits]
It had always truck me as strange to hear people disparage obscurity as a security measure, but I never gave it more thought than, "It certainly doesn't hurt, and I'm pretty sure it can help." (That said, I was not making the incorrect assumption, that obscurity can carry the whole load, though. Some people do.)

What Miessler does in the rest of his post is walk through is the nature of the benefit of obscurity and explain exactly how it helps. For the mathematically inclined, he even reduces this down to a product of conditional probabilities. But the math is easily translated into plain English: Obscurity reduces your odds of being attacked in the first place, but you should avail yourself of ways to reduce the effects of a successful attack, too.

-- CAV


RT said...

Yes, Com-Sci students get the lesson drilled into them: "Do not trust in obscurity."
A good lesson.
But, too many take it to mean "Obscurity is bad" or "Obscurity is something naive people do"
IRL, security around important artifacts must always be multi-layered and a layer of obscurity can help against the Day-0 attack against a suddenly-vulnerable algorithm.

Gus Van Horn said...


Good point. Sometimes, obscurity might be all you have against newly-discovered threats.


Dinwar said...

This reminds me of my thoughts on the gun control debate. The Democrats want to prevent dangerous situations by removing the tools which allow people to create such situations (and stripping us of multiple rights, treating us all as violent criminals, in the process). The Right focuses on dealing with dangerous situations should they arise. A rational view is to do both: prevent dangerous situations via a police presence focused on protecting the public and individual actions (not making one's self a target), but being prepared to deal with any bad situations should they arise.

The idea that any one tool is a be-all, end-all of security in any situation is naïve; the idea that a tool is not useful because naïve people use it is obviously fallacious.

Gus Van Horn said...


Your last sentence reminds me of the '60/70's and the "don't trust anyone over 30" mentality as a whole. Just because something is old or unfashionable doesn't make it even a good rule of thumb to toss it aside.