[Catalyst] OT: security through obscurity (was: Encrypt/Decrypt URI)
Christian Storm
storm at iparadigms.com
Fri May 18 18:13:18 GMT 2007
On May 18, 2007, at 9:46 AM, Jonathan T. Rockway wrote:
> Obscurity is a "constant factor". As soon as one person figures out
> your obfuscation, it's useless. When someone figures out your real
> security, it does them no good at all. Since there are 6_000_000_000
> people in the world, it's likely that someone has already figured out
> your obscurity, so only real security matters.
Steganography is good for 'flying below the radar' but a web app isn't about that.
> Finally, the hmac+md5 urls sound sound from a security standpoint,
> but it's a really dumb way to write a web app.
I would have to disagree. I think it is all about layers of defense. Relying on
this alone is 'a dumb way to write a web app'. Having this at the top of your
security stack in the request verification phase is smart. I'll do anything to
prevent unauthorized access to sensitive information.
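The "hmac+md5 urls" the thread argues about, as an added example that is neither Christian's nor Catalyst's code: a URL is signed with an HMAC and an expiry before it is handed out, and verified before the request reaches application logic, so a tampered or expired link is rejected at that layer. The secret, path and parameters are constructed for the demo; HMAC-SHA256 stands in for the thread's MD5 digest, the mechanism is identical.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, urlsplit, parse_qsl

# Hypothetical server-side secret; load it from config, never derive it from the URL.
SECRET_KEY = b"constructed-demo-secret"


def _canonical(path, pairs):
    # Sort the pairs so the same logical request always signs the same string.
    return path + "?" + urlencode(sorted(pairs))


def sign_url(path, params, secret=SECRET_KEY, expires_in=600, now=None):
    """Return path?...&exp=...&sig=... where sig is HMAC over path and params."""
    now = int(time.time()) if now is None else now
    params = dict(params)
    params["exp"] = str(now + expires_in)
    mac = hmac.new(secret, _canonical(path, params.items()).encode(), hashlib.sha256)
    params["sig"] = mac.hexdigest()
    return path + "?" + urlencode(sorted(params.items()))


def verify_url(url, secret=SECRET_KEY, now=None):
    """True only if the signature covers every parameter and the link has not expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        # Duplicate keys would let a second value ride in unsigned; refuse them.
        return False
    params = dict(pairs)
    sig = params.pop("sig", None)
    exp = params.get("exp")
    if sig is None or exp is None or not exp.isdigit():
        return False
    mac = hmac.new(secret, _canonical(parts.path, params.items()).encode(), hashlib.sha256)
    # compare_digest keeps the comparison time independent of where a mismatch occurs.
    if not hmac.compare_digest(mac.hexdigest().encode(), sig.encode()):
        return False
    return int(exp) > now
```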