  • 2
    "Security by obscurity" is used a lot by many who like the easiness of the sentence... but it's not always relevant. When you have an RSA private key, it's obscurity. If someone could guess that PK, they're in. Of course the odds are different, but having 2^63 ports isn't the only security point, it's just an added feature. Then you have the security linked to ssh. On the one side you have ssh, on the other you have ssh+2^63 ports. Commented May 17, 2021 at 10:04
  • 3
    @Breakingnotsobad you confuse "obscurity" with "secret". Both are unknown, but "Security by obscurity" refers to using something unknown but guessable, such as a version number of the webserver, while cryptographic secrets are not guessable under reasonable assumptions (such as wanting to guess it within the lifetime of the solar system). Commented May 17, 2021 at 10:08
  • 3
    @Tom The two definitions are debated on other sites, so let's not start a vocabulary trick war. And 2^63 guessable? Provided that you have to do a network request per port? We're not far from the age of the solar system: "guessable" is also debatable here and comparing a version number to a random 2^63 does not make sense. The number would be closer to "secret" than "obscurity". And, again, behind the scenes all the current ssh security is also at work... Combining the ssh security and 2^63 makes it quite strong. (At 1000 requests per second, it would take 300 million years to "guess" the port.) Commented May 17, 2021 at 10:25
  • 1
    @Breakingnotsobad not easily guessable, no. But I object to calling a secret key "security by obscurity". That's not how we generally use that term. Heck, you would be closer calling a password "security by obscurity" and we don't even use it for that. Commented May 17, 2021 at 17:31
  • 1
    @DmitryGrigoryev It's still not security by obscurity, as you reduce possible attackers from anyone on the internet to only those attackers being in the path and able to accomplish a passive MitM attack (sniff the traffic / logs). Which is kind of the same thing as firewalls do (reduce the number of possible attackers). So it's not a holy grail (nothing is!), but it's far from useless. Commented May 20, 2021 at 10:20