Bugtraq mailing list archives
RE: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
From: Andrew Gerweck <gerweck () yahoo com>
Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
> does not qualify as an exploit. This information would seem useful only if we believed that security through obscurity had merit. Compound this with the fact that most people are not even
Doesn't security by obscurity have some value? In my opinion, it's naive to think that it's okay for software to disclose unnecessary information about its users. While obscurity alone is hardly a good security policy, it's one tool in a toolbox that can help keep a system secure. I don't think that there are many examples of functional security systems that don't involve obscurity on some level. Whether it's a private key, a secret password or a unique credit card number, or the particular patterns on your fovea, there's always something obscure involved in security.

Particularly in the case of massively used software, obscurity isn't always a bad thing. Contrary to popular slogans, obscurity is often preferable to nothing, and can complement a real security policy quite nicely. I'm not advocating the obscurity in which security holes in widely used software are kept secret.

I think that certain internet security communities do themselves a great disservice by pretending that obscurity means nothing. That mentality is useful when designing a security policy, but not as a mantra for application to every situation.

I'm trying to avoid a flamewar by repeating: obscurity is not a good security policy. It is often useful to treat it as completely valueless. I'm simply suggesting that it's not valueless in all cases, and that we understand unnecessary information disclosure to represent a security problem, instead of dismissing it.

--Andrew Gerweck