MattPalmer1086 6 hours ago

Kerckhoffs's principle is not about security in general, it is about the design of cryptography. Assume your opponent knows everything about how your crypto system works. Your security then lies in the keys and not knowledge of the method.

More broadly, anything that raises the cost of an attack helps security. Whether it is worth investing your defensive effort in that vs on more actual security is a different matter.

rileymat2 6 hours ago

If it does not obscure your own view of the security or reasoning about the security stance.

For instance, with respect to URL parameters, I have seen people being told they have an Insecure Direct Object Reference, then apply base64 encoding to it to obscure what is going on. To QA it looks like junk and they don't notice; it is obscure, but base64-encoded parameters are catnip to hackers.

So in this case, the obscurity made the system worse over time.

Heck, there's the most cringeworthy phrase, "Base64 Encryption", which I have heard many, many times.
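To make the point concrete, here is an added example (not from the thread) contrasting the "obscured" handler with one that actually fixes the IDOR: the record store, user names and handler functions are all constructed for illustration.

```python
import base64
import binascii
from typing import Optional

# Constructed sample store: record id -> owner and content.
RECORDS = {
    1001: {"owner": "alice", "body": "alice's invoice"},
    1002: {"owner": "bob", "body": "bob's invoice"},
}


def encode_param(record_id: int) -> str:
    """The 'obscured' URL parameter: base64 of the decimal id.

    Encoding is reversible by anyone holding the string, so it hides
    nothing from an attacker; it only hides the pattern from QA.
    """
    return base64.urlsafe_b64encode(str(record_id).encode()).decode()


def decode_param(param: str) -> int:
    """Reverse of encode_param; raises ValueError/binascii.Error on junk."""
    return int(base64.urlsafe_b64decode(param.encode()).decode())


def fetch_obscured_only(param: str) -> Optional[str]:
    """Before: decode and return whatever the id points at.

    The object reference is still trusted as-is, so the IDOR remains.
    """
    record = RECORDS.get(decode_param(param))
    return record["body"] if record else None


def fetch_with_authz(param: str, current_user: str) -> Optional[str]:
    """After: the decoded reference is checked against the requesting user.

    Missing and foreign records get the same answer so the response does
    not leak which ids exist.
    """
    try:
        record_id = decode_param(param)
    except (ValueError, binascii.Error):
        return None
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != current_user:
        return None
    return record["body"]
```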

MattPalmer1086 5 hours ago

A nice point!

catlifeonmars an hour ago

I agree that anything that raises the cost of an attack may be worth doing. Most “obscurity” related practices do not meaningfully raise the cost of an attack beyond a certain threshold. Physical locks are not a great analogy.