Friday, September 20, 2019

Security by Obscurity

According to Wikipedia, "Security through obscurity is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."  Labeling the other guy's security strategy as "security by obscurity" is how we disparage it.  

However, looked at another way, all information security is about secrecy, if not obscurity.  What we think of as security can be seen as the collection of mechanisms that we use to reduce the size and number of the secrets that we must keep. 

Encrypting a file reduces the problem of hiding the whole file to one of hiding only the key, a few dozen random bytes that are the same size whether the file is a kilobyte or a terabyte.  Access control reduces the problem of hiding a user's capabilities and privileges to one of hiding that user's password: the privilege table itself can be known without granting anything.  

