RE: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
From: Andrew Gerweck <gerweck () yahoo com>
Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
> does not qualify as an exploit. This information would seem
> useful only if we believed that security through obscurity had
> merit. Compound this with the fact that most people are not even

Doesn't security by obscurity have some value?

In my opinion, it's naive to think that it's okay for software to
disclose unnecessary information about its users. While obscurity
alone is hardly a good security policy, it's one tool in a toolbox
that can help keep a system secure.

I don't think that there are many examples of functional security
systems that don't involve obscurity on some level. Whether it's a
private key, a secret password or a unique credit card number, or the
particular patterns on your fovea, there's always something obscure
involved in security.

Particularly in the case of massively used software, obscurity isn't
always a bad thing. Contrary to popular slogans, obscurity is often
preferable to nothing, and can complement a real security policy
quite nicely. I'm not advocating the obscurity in which security
holes in widely used software are kept secret. I think that certain
internet security communities do themselves a great disservice by
pretending that obscurity means nothing. That mentality is useful
when designing a security policy, but not as a mantra for application
to every situation.

I'm trying to avoid a flamewar by repeating: obscurity is not a good
security policy. It is often useful to treat it as completely
valueless. I'm simply suggesting that it's not valueless in all
cases, and that we understand unnecessary information disclosure to
represent a security problem, instead of dismissing it.