[WEB SECURITY] (no subject) Content preview: Hi, On 5 Feb 2013, at 07:52, Bolger, Ken wrote: > My first thoughts are that this change violates the “minimise attack surface” and “separation of privilege” security > principles. However, enforcement of these principles is performed on the server side regardless of whether the > options are presented to the user. [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (stephendv[at]gmail.com) 0.0 DKIM_ADSP_CUSTOM_MED No valid author signature, adsp_override is CUSTOM_MED 0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral) -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.9 NML_ADSP_CUSTOM_MED ADSP custom_med hit, and not from a mailing list

Pete Herzog lists at isecom.org
Tue Feb 5 04:34:58 EST 2013


On 2/5/2013 9:02 AM, Stephen de Vries wrote:

> Exactly.  Real security is implemented on the server side and doesn't depend on the options presented in the UI.  If that security control fails then you have a serious security vulnerability, whether or not the options are presented to the user.  Not presenting the options adds a layer of "security through obscurity" which is no security at all, so no real point implementing it.

It's a great discussion because web apps are complicated beasts to 
fence in. So I always like to see how people are dealing with it on a 
whole. But I don't think generalized statements like the one about 
security through obscurity can help. Research has shown time and again 
that obscurity can control certain types of interactions where 
operations require them to be there but not be so obvious. This is 
true in web apps, services, wifi, street safety, and war. It can't 
control all interactions so as to create security, but no single 
control can do that. In attack surface measurements, obscurity as a 
poor form of authentication is right up there with user-generated 
passwords as a poor form of authentication. Neither holds up under a 
microscope. So I wonder why obscurity gets such a bad rep when here I 
thought most like a good masquerade party. ;)  Either that or the 
whole make a login/password ensemble is sleeping with the right folks 
to get left alone :)

My informed opinion shows that a little privacy can go a long way and 
while server-side security is best, it doesn't hurt for your server to 
keep its rejections to itself and bottle it up inside to its own logs 
like people aren't supposed to. But we're not really worried about the 
servers mental health here... at least not until Skynet goes self 
aware. tick tock tick tock


Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

More information about the websecurity mailing list