undefined | Better HN

0 pointslyu072821y ago0 comments

> Obscurity is a fine strategy

> Subdomains can be passwords and a well crafted subdomain should not leak

Your comment is really odd to read I'm not sure I understand you, but I'm sure you don't mean it like that. Just to re-iterate the important points:

1. Do not rely on subdomains for security, subdomains can easily leak in innumerable ways including in ways outside of your control.

2. Security by obscurity must never be relied on for security but can be part of a larger defense in depth strategy.

---

https://cwe.mitre.org/data/definitions/656.html

> This reliance on "security through obscurity" can produce resultant weaknesses if an attacker is able to reverse engineer the inner workings of the mechanism. Note that obscurity can be one small part of defense in depth, since it can create more work for an attacker; however, it is a significant risk if used as the primary means of protection.

0 comments

TZubiri1y ago

It's a pretty weak cve category.

"The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism."

If you can defeat the mechanism, that's not very impactful if it's one stage of a multi-round mechanism. Especially if vulnerating or crossing that perimeter alerts the admin!

Lots of uncreative blue teamers here

1 more reply

j / k navigate · click thread line to collapse