Security through Obscurity … is it always applicable?

---

“Security through Obscurity”

Wikipedia definition:

Security through obscurity is a controversial principle in security engineering, which attempts to use secrecy to provide security. A system relying on it may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

What (I think) is wrong…

Let’s say Software owners conceal (or at least try to conceal) information about specific vulnerabilities for example:

A vulnerability of Importance “X” was found in “Software A” which exploits “Threat X”.

So far so good. But let’s apply this to Latest Firefox Vulnerability.

So let’s review:

Critical: Highly critical || Impact: System access || Solution Status: Unpatched || Software: Mozilla Firefox 2.0.x, Mozilla Firefox 3.x

The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page.

And the irony ..err…solution:

Do not follow untrusted links nor browse untrusted web sites.

So in other words: If you’re one of the 8 million+ using Firefox without “NoScript” and accidentally happen to access a “specifically crafted website” then we deeply sympathise with you. (well definately it’s not your lucky day).

Obviously as a preventive solution please keep away from those ’specifically crafted websites’ until you’re vaccinated.

The thought behind it…

With software like Firefox isn’t this kind of useless since people can get to the code easier and find out anyways?

Wouldn’t it have been better if we knew what to look out for?

Just asking.