If you've had to say this to both of the commentators who've replied, perhaps you should try to come up with a different example that better conveys the point you are trying to make...
No, the responses to the comment are a common fallacy on display, where rather than addressing the point of the thought experiment, which is clear enough, people attack the premise. There is no amount of defensive writing[1] that can bring relief to this situation.
1. https://pchiusano.github.io/2014-10-11/defensive-writing.htm...
I actually somewhat agree with your point; your example is simply not realistic. Your point is correct because people are using the term security by obscurity wrong. Security by obscurity means that you rely on the secret implementation of your algorithm. Our best encryption algorithms are public so they can be poked and peer reviewed. You are right in that through enough obscurity of the key, you attain security, as it is statistically infeasible to brute force.
If you have a public & unlisted endpoint that looks like
https://example.com/VERYLONGANDRANDOMKEY
You might argue it's as good as a request to
https://example.com
with an Authorization header containing this key for example.
(Well, not exactly the same, as most access logs will include the first and not the second, but for the sake of the argument)
p.s. I don't agree for example that
VERYLONGANDRANDOMKEY.example.com is the same, as if I'm not mistaken, if you just scan the entire IP range, then try to do a reverse DNS lookup, you'll end up finding it anyway.
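The contrast the comment above draws (a secret in the URL path versus the same secret in an Authorization header, and what each leaves behind in an access log) as an added example. This is not code from the thread: the request class, the `authorize` / `access_log_line` helpers, the Apache/nginx "combined" log layout and the sample requests are all constructed here, and the key is the thread's placeholder value rather than a real credential.

```python
"""Added example (not from the thread): capability URL vs. Authorization header.

Shows three things a practitioner cares about when a single random key is the
only access control:
  1. the key must be compared in constant time, or timing turns a
     brute force into a per-character search;
  2. with a standard 'combined' access log the URL form is written to disk on
     every request, the header form is not;
  3. how much brute-force work a key of a given length actually represents.
All names and sample data are constructed for this example.
"""
import hmac
import math
from dataclasses import dataclass, field

# Constructed placeholder taken from the thread. In a real service, generate
# the key once with secrets.token_urlsafe(32) and store only a hash of it.
SECRET_KEY = "VERYLONGANDRANDOMKEY"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    client_ip: str = "203.0.113.5"  # RFC 5737 documentation address


def extract_presented_key(req: Request):
    """Return the key the client presented, from either accepted location.

    Header form:  GET /  with  Authorization: Bearer <KEY>
    URL form:     GET /<KEY>
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    parts = req.path.strip("/").split("/")
    if len(parts) == 1 and parts[0]:
        return parts[0]
    return None


def authorize(req: Request, expected: str = SECRET_KEY) -> bool:
    """True if the presented key matches, compared in constant time."""
    presented = extract_presented_key(req)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def access_log_line(req: Request, status: int) -> str:
    """Format one line in Apache/nginx 'combined' format.

    The request line (method, path, protocol) is always logged; of the
    request headers only Referer and User-Agent are. So a key carried in the
    path is persisted on every hit, a key in Authorization is not.
    """
    referer = req.headers.get("Referer", "-")
    ua = req.headers.get("User-Agent", "-")
    return (f'{req.client_ip} - - [01/Jan/2024:00:00:00 +0000] '
            f'"{req.method} {req.path} HTTP/1.1" {status} 0 "{referer}" "{ua}"')


def secret_leaks_into_log(req: Request, status: int, secret: str = SECRET_KEY) -> bool:
    """Does the raw secret appear in the access-log line for this request?"""
    return secret in access_log_line(req, status)


def brute_force_bits(key: str, alphabet_size: int = 62) -> float:
    """Bits of search space for a uniformly random key of this length.

    alphabet_size=62 assumes [A-Za-z0-9]; expected guesses are about
    2 ** (bits - 1), which is what 'statistically infeasible' means here.
    """
    return len(key) * math.log2(alphabet_size)


if __name__ == "__main__":
    url_form = Request("GET", f"/{SECRET_KEY}")
    header_form = Request("GET", "/", {"Authorization": f"Bearer {SECRET_KEY}"})
    for label, req in (("URL form", url_form), ("header form", header_form)):
        ok = authorize(req)
        print(f"{label}: authorized={ok}")
        print("  log:", access_log_line(req, 200 if ok else 401))
        print("  secret in log:", secret_leaks_into_log(req, 200))
    print(f"search space: {brute_force_bits(SECRET_KEY):.1f} bits")
```

Running the script shows both request styles authorizing, but only the URL form's log line containing the key. Note that the log is only the most visible sink: a capability URL also ends up in browser history, proxy logs and, for any page it links to, the Referer header, which is why the header form is the one to prefer when both are available.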
Ahh.. OK. Yeah, I wasn't trying to make a realistic example. Yes, completely agree with your reply.
By the way I think the reason that people, including myself, are confused about what exactly security by obscurity means, is that even the experts don't explain it very clearly.
An example that always comes into my mind when we talk about security by obscurity is the one given in the "Applied Cryptography" book:
"If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity."