Security: the state of being free from danger or threat.

Obscurity: something not discovered or known about; uncertain.

How exactly does the concept of security apply to online transactions? What does it mean when we say that a website is "secure"? First and foremost, there is NO such thing as 100% security. No amount of security hardening or clever policy can ever guarantee absolute security. Anyone who tells you otherwise is either lying or ignorant. Especially online.

Instead, look at the individual transaction. All of the technical complexities boil down to basically a send-receive transaction: a request is made, data posted, file downloaded, access granted. This could be any type of online request, whether it's for a web page, user login, API endpoint, form data, file download, whatever. For any given transaction, there is no way of knowing with 100% certainty whether the response will be successful. We have algorithms and probability curves that predict how things will go, but the HTTP request knows not, nor could possibly know, the actual response it will receive from the server. In the purely literal sense, the concept of obscurity applies to every transaction on the Web.

Data is neutral; it does not care one way or another. Some data or access that is important to you may not be important to everyone. Contrary to popular opinion, it's not the request that determines whether a resource is secure. Any policy that tries to secure a resource by anticipating the request is utter folly at best. There is no way of knowing which requests will be made until they actually arrive at the destination. And by then, you had better have worked out what the correct response will be. That is the essence of security on the Web: responding appropriately, based on the security needs of the site, service, or resource. So it's all about evaluating the request and responding however is necessary to keep the data secure, or not secure.

Is ALL security security through obscurity?

Returning to the definition, "obscurity" is something not discovered or known about; uncertain. To help bring this down to earth a bit, let's consider a few "real world" examples of common security techniques, and then ask if they are "security via obscurity".

Passwords. Obviously unknown (read: obscure) passwords are better than known passwords. A login check is easy to pass when the correct response is known (not hidden). Hmm, let's see: securing data by obscuring it. (In the conventional usage, a password is the secret a design is built around rather than the design itself; Kerckhoffs's principle draws exactly that line. The argument here works from the literal meaning of "obscure".)

Face unlock on a phone. Hopefully your mobile device is not available to hackers. If someone stole your face, they would have access.

Many other security techniques and tricks are designed to obscure access and data. For example, with WordPress you can hide the version number, customize the database prefix, change the URL of the Login Page, and much more. These are obscurity in the everyday sense: they raise the cost of fingerprinting and of off-the-shelf attacks, and they stop helping the moment the hidden detail is discovered, so they belong on top of patching and access control, not in place of them.

So at this point in the discussion, it would be safe to answer our question with an emphatic "Yes": according to the strict literal definition, all security is indeed "security through obscurity". I would be so bold as to surmise that most (if not all) legitimate online transactions fall into this category. Dealing with illegitimate traffic? Not so much.

So what's the catch? Are there any exceptions that would nullify the "it's all security by obscurity" thesis? Perhaps. It depends on perspective and of course may vary based on circumstance. This is where you could argue either way, and I encourage you to do so.

Generally, firewalls block unwanted requests. Honeypot-type security techniques block bad bots. Some virus scanners operate after the fact and are not applicable here; real-time request-checking scanners, though, are. Likewise with filtering: it is aimed at preventing unwanted or bad data from messing things up, like validating data, sanitizing inputs and such. Security techniques such as these deal entirely with blocking or otherwise handling unwanted requests. Normal site visitors should not be dealing with your firewall. But are these security methods also just "security by obscurity" in disguise? Or is there some other, better way to classify them?

If No: If such techniques function via anything other than security through obscurity, then the thesis is false.

If Yes: Otherwise, if they work via obscurity, then the thesis is true.

How do defensive security techniques like firewalls and real-time scanners work? What is happening "under the hood"? They block bad requests, right? Well, technically there is no such thing as "blocking" a request. You can redirect or serve some appropriate response, but ultimately every received request is met with some sort of response. (The one caveat is the network layer: a packet filter can silently drop traffic, and the client simply sees a timeout. Anything running inside the web server, whether a WAF, a plugin or an .htaccess rule, has already received the request and can only choose what to answer.) Yet for the sake of discussion, and to sharpen the proverbial sword, I will argue that, yes, this second group of techniques operates via obscurity, and therefore the thesis proves true:
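To make the two groups concrete, here is an added example (my own code, not from the original post and not WordPress's): a tiny request handler in which a hidden login path stands in for the first group (obscurity proper) and a few written-down rules stand in for the second (firewall, honeypot, input validation). The paths, rules and sample requests are all constructed for the example. Every request gets a response; nothing is "blocked". The `compare_once_known` helper applies the usual test for obscurity, what each measure is worth once the attacker knows everything, so the reader can argue either side of the post's question with the code in hand.

```python
"""Request handling as decisions, not "blocks" (added example, not from the post).

Group 1 (obscurity proper): the login page lives at a non-default path.
Group 2 (filtering / validation): each request is checked against rules that
are written down in plain sight.
Either way the server receives the request and answers it with something.
All paths, rules and requests below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Hypothetical values, chosen for the example.
SECRET_LOGIN_PATH = "/manage-7f3a"        # group 1: useful only while unknown
HONEYPOT_PATH = "/wp-admin/secret-link"  # hypothetical hidden link only bots follow
DEFAULT_LOGIN_PATH = "/wp-login.php"

# Group 2 rules. They are not secret; they work because they are checked.
BAD_AGENTS = re.compile(r"\b(sqlmap|nikto)\b", re.I)
SQLI = re.compile(r"(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1)", re.I)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def handle(req: Request) -> tuple[int, str]:
    """Return (status, reason) for a request. There is no 'blocked' outcome,
    only a response the server chose to send."""
    # Group 1: the real login page is hidden. The default path answers 404,
    # exactly as it would if the page did not exist.
    if req.path == DEFAULT_LOGIN_PATH:
        return 404, "not found"
    if req.path == SECRET_LOGIN_PATH:
        return 200, "login form"

    # Honeypot: the path is linked only where humans never click.
    if req.path == HONEYPOT_PATH:
        return 403, "honeypot: client flagged as bot"

    # Group 2: validation. Each check is a rule anyone could read.
    if req.method not in ALLOWED_METHODS:
        return 405, "method not allowed"
    if BAD_AGENTS.search(req.headers.get("User-Agent", "")):
        return 403, "user agent matched firewall rule"
    for name, value in req.query.items():
        if SQLI.search(value):
            return 403, f"parameter {name!r} failed input validation"

    return 200, "ok"


def compare_once_known() -> dict:
    """What each group is worth once the attacker knows everything:
    the hidden path now serves the login form; the published rule still fires."""
    known_secret = Request("GET", SECRET_LOGIN_PATH)  # attacker learned the path
    published_rule = Request("GET", "/search",
                             query={"q": "x' OR '1'='1"},
                             headers={"User-Agent": "curl/8.0"})
    return {
        "hidden_login_once_known": handle(known_secret)[0],
        "validation_once_known": handle(published_rule)[0],
    }


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("GET", DEFAULT_LOGIN_PATH),
        Request("GET", SECRET_LOGIN_PATH),
        Request("GET", HONEYPOT_PATH),
        Request("GET", "/", headers={"User-Agent": "sqlmap/1.7"}),
        Request("GET", "/search", query={"q": "1 UNION SELECT password FROM wp_users"}),
        Request("GET", "/search", query={"q": "security"}),
    ]
    for r in samples:
        print(r.method, r.path, r.query or "", "->", *handle(r))
    print(compare_once_known())
```

Run it as a script to see each constructed request and the response it gets. The honeypot and the user-agent rule are deliberately crude; the point of the example is the shape of the decision, not the quality of the signatures.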