vlovich123 9 hours ago

If port numbers were 64-bit or 128-bit, actually it would provide a meaningful amount of security through obscurity. Port numbers are easy to dunk on because it’s such a trivially small search space.

sudb 9 hours ago

Similarly I've often flip-flopped on the safety of public API endpoints that are "protected" by virtue of no sitemap + UUIDs in the URL path - I think the answer ultimately is that this is fine so long as there's no way to enumerate the IDs in use?

vlovich123 9 hours ago

It’s fine as a hardening measure, not as a security measure. The lack of a site map doesn’t necessarily guarantee it doesn’t leak somehow, and then the question is what happens after it leaks.

gavmor 4 hours ago

But at this point, that's like saying my password is merely 'obscure.'

i_think_so 5 hours ago

Good luck scanning 64k ports on a server that has a few randomly assigned fail2ban listeners.