[WEB SECURITY] (no subject)
Pete Herzog
lists at isecom.org
Tue Feb 5 04:34:58 EST 2013
Hi,
On 2/5/2013 9:02 AM, Stephen de Vries wrote:
> Exactly. Real security is implemented on the server side and doesn't depend on the options presented in the UI. If that security control fails then you have a serious security vulnerability, whether or not the options are presented to the user. Not presenting the options adds a layer of "security through obscurity" which is no security at all, so no real point implementing it.
>
It's a great discussion because web apps are complicated beasts to
fence in. So I always like to see how people are dealing with it on a
whole. But I don't think generalized statements like the one about
security through obscurity can help. Research has shown time and again
that obscurity can control certain types of interactions where
operations require them to be there but not be so obvious. This is
true in web apps, services, wifi, street safety, and war. It can't
control all interactions so as to create security, but no single
control can do that. In attack surface measurements, obscurity as a
poor form of authentication is right up there with user-generated
passwords as a poor form of authentication. Neither holds up under a
microscope. So I wonder why obscurity gets such a bad rep when here I
thought most like a good masquerade party. ;) Either that or the
whole make a login/password ensemble is sleeping with the right folks
to get left alone :)
My informed opinion shows that a little privacy can go a long way and
while server-side security is best, it doesn't hurt for your server to
keep its rejections to itself and bottle it up inside to its own logs
like people aren't supposed to. But we're not really worried about the
server's mental health here... at least not until Skynet goes self-aware.
tick tock tick tock
-pete.
--
Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org