Security through obscurity

From Jonathan Gardner's Tech Wiki

"Security through obscurity" is any practice that tries to secure a system by hiding the details of the system. This is a bad way to make a system secure.

For instance, if I try to keep my house safe by removing my home address from every known source, I really wouldn't be doing much to make my house safer. Putting a lock on the front door would be far more effective.

The real problem is that information is very difficult to secure. You can try to hide information, but we humans are really, really good at figuring things out even when there is no information on the subject. If you are a lock manufacturer, and you think you can make your locks secure by keeping the designs secret, you are forgetting that anyone can buy one of your locks and disassemble it, by force if necessary, to see how it really works.

"Security through obscurity" also means trying to make your system secure by misinformation. Again, don't think that bad information is any better than no information.

A secure system doesn't rely on the design of the system being kept a secret. It relies on other methods, such as having a secret that is practically impossible to guess, or having identifiers that are practically impossible to forge.
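As an added illustration (not part of the original wiki page), here is a Python sketch of that second approach: the whole design is published, and the only thing kept secret is a random key; an identifier carries an HMAC tag that cannot be forged without that key, so reading the code gives an attacker nothing. The function names and the `subject.tag` format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Nothing about this design is hidden. Security rests entirely on the key.


def generate_key() -> bytes:
    # 256 bits from the OS CSPRNG: 2**256 possibilities, impractical to guess.
    return secrets.token_bytes(32)


def issue_identifier(key: bytes, subject: str) -> str:
    """Return 'subject.tag' where tag = HMAC-SHA256(key, subject)."""
    tag = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{subject}.{tag}"


def verify_identifier(key: bytes, identifier: str) -> Optional[str]:
    """Return the subject if its tag is valid under key, otherwise None."""
    subject, sep, tag = identifier.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if hmac.compare_digest(expected, tag):
        return subject
    return None


def demo() -> dict:
    """Constructed scenario: a valid identifier, a tampered one, and a wrong key."""
    key = generate_key()
    ident = issue_identifier(key, "user:42")
    return {
        "valid": verify_identifier(key, ident),                       # "user:42"
        "tampered": verify_identifier(key, ident.replace("42", "43")),  # None
        "wrong_key": verify_identifier(generate_key(), ident),        # None
        "no_tag": verify_identifier(key, "user:42"),                  # None
    }


if __name__ == "__main__":
    print(demo())
```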