Geeks With Blogs

Things Mark Flory Forgets Because Who Needs Memory When There is the Internet


If you read enough about security in general, you will hear the often-touted principle "do not rely on security by obscurity."  It even has its own Wikipedia page.

You see this advice thrown out a lot when somebody does something like embedding encryption keys in their code.  The developer's assumption is that the code will never be read by anyone and thus the key is safe.  I have personally seen that one cracked in about one minute.

So the advice is good: you should not RELY on security by obscurity.  It cannot be counted on.
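As an added example (not code from the original post), here is the kind of check a reviewer or CI job can run to catch exactly the embedded-key mistake described above, alongside the alternative of loading the key from the environment so it never appears in source at all. The name heuristics, entropy threshold, and the sample configuration file are all constructed for this illustration.

```python
import math
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Heuristics (constructed for this example, not a standard): a variable name
# that suggests a secret, assigned a literal that is long and high-entropy.
SECRET_NAME = re.compile(r"(key|secret|password|passwd|token)", re.IGNORECASE)
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<quote>["'])(?P<value>[^"']*)(?P=quote)"""
)
MIN_LENGTH = 16     # shorter literals are usually placeholders or prefixes
MIN_ENTROPY = 3.0   # bits per character; a random 16-byte hex key is close to 4.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal; random key material scores high."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    name: str
    value: str
    entropy: float


def find_hardcoded_secrets(source: str) -> list:
    """Scan source text line by line and return the suspicious assignments."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not SECRET_NAME.search(name):
                continue
            if len(value) < MIN_LENGTH:
                continue
            ent = shannon_entropy(value)
            if ent < MIN_ENTROPY:
                continue
            findings.append(Finding(line_no, name, value, ent))
    return findings


def load_key_from_env(var_name: str = "APP_ENCRYPTION_KEY",
                      env: Optional[Mapping[str, str]] = None) -> bytes:
    """The alternative to embedding: read the hex-encoded key at run time.

    The key lives in deployment configuration (or a secret store feeding the
    environment), so reading the program binary or source does not reveal it.
    """
    env = os.environ if env is None else env
    raw = env.get(var_name)
    if raw is None:
        raise RuntimeError(f"{var_name} is not set; refusing to start without a key")
    return bytes.fromhex(raw)


# Constructed sample of the kind of source file the post describes.
SAMPLE_SOURCE = '''
# config.py (constructed sample, not real code)
DB_HOST = "localhost"
AES_KEY = "3f9a7c1e5b2d8e4f6a0c9b1d7e3f5a2c"
api_token = "ghp_"  # too short to count
greeting = "hello hello hello hello hello"  # not a secret name
password = "correct horse battery staple!!"
'''

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} looks like an embedded secret "
              f"(entropy {f.entropy:.2f} bits/char)")
```

The scanner is deliberately simple: it only looks at string literals assigned to secret-looking names, so it will miss keys built from byte arrays or split across several constants, and it will flag the occasional random-looking test fixture. That trade-off is fine for a pre-commit hook whose job is to make the mistake visible before the code ships.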

However, does that mean you should never use obscurity at all?

A common example is code obfuscation.  A lot of people will tell you there is no point, because someone determined enough, or good enough, or who just has a lot of time to waste will be able to break it down.  So absolutely, you should not rely on obfuscation to secure your application (for instance, to hide a key).

But my immediate thought is: Why make it easy for them?

Why not cause them more hassle, even if it is not all that much?  What is more, the additional hassle in itself will serve as a deterrent for the less determined, or talented, or patient.

So I believe you should assume that any information you obscure will end up in the attacker’s hands no matter what you do.  But, if there is nothing you can do about it (such as somebody reverse engineering your code), then you should obscure it anyway just to be a pain in their ass.  It is not like they are going to thank you for making it easier for them.

Posted on Wednesday, January 28, 2009 9:25 AM

Comments on this post: Security by Obscurity

# re: Security by Obscurity
More than that: a lot of people (me included) will look on any clear attempt at security as a sign that says, "Oh, he didn't want me to see that. I'll respect that." Yes, some people only see that as a challenge; but I can't believe I'm the only one who respects the "No trespassing sign."
Left by Martin L. Shoemaker on Feb 27, 2009 1:10 PM

# re: Security by Obscurity
Oh, you are definitely with the majority on that one. Unfortunately though there are just a very few who do not and spoil it for everyone else.
Left by Mark Flory on Feb 27, 2009 1:17 PM


Copyright © Mark Flory