[WEB SECURITY] Secure Web UI Design

Stephen de Vries stephendv at gmail.com
Tue Feb 5 06:51:14 EST 2013

Hi Pete,

On 5 Feb 2013, at 10:34, Pete Herzog wrote:

> But I don't think generalized statements like the one about security through obscurity can help. Research has shown time and again that obscurity can control certain types of interactions where operations require them to be there but not be so obvious. This is true in web apps, services, wifi, street safety, and war.

Yes the role of obscurity in security is an interesting discussion to have[*], but coming back to Ken's original question as to whether hiding unauthorised actions provides a measurable and worthwhile form of security I stand by my original view that the security benefit is so negligible as to be practically non-existent.

Rather than focus limited security resources on hiding actions, I would focus them on testing and verifying that the server side controls are properly implemented.  In fact, in the right testing environment, by displaying the disabled links/buttons/widgets to the user, access control tests can more easily be performed by QA testers or automated testing scripts. 

> My informed opinion shows that a little privacy can go a long way and while server-side security is best, it doesn't hurt for your server to keep its rejections to itself and bottle it up inside to its own logs like people aren't supposed to.

Mmmm, I'd take the opposite view :) 
Having an application announce attempted security violations provides a deterrent to attackers, particularly to legitimate users who attempt to escalate their level of privilege.  Include the source IP address in the violation message and there's a good chance you'll scare the bejesus out of a lot of opportunistic attackers.

[*] You could argue that not only does obscurity aid security, but in fact it forms the basis for confidentiality and crypto.  What is a secret, if not a sufficiently obscure piece of data?  So we end up talking about degrees of obscurity, and in the context of the original question, I don't believe that the degree of obscurity provided by not displaying web actions provides a sufficient amount of security as to be worthwhile.


More information about the websecurity mailing list