Re: hidden php file extension

Posted by David Haynes on 04/03/06 17:20

Michael Trausch wrote:
> Jerry Stuckle wrote:
>> David,
>>
>> No, masking is false security.
>>
>
> Security through obscurity does not tend to work for very long periods
> of time... Jerry is right. It is effectively giving you a false sense
> of security in that you feel that you're eliminating information from an
> attacker. There are many ways to find out if PHP is running on the
> system or not, outside of your control as the application writer. It's
> best to just follow the conventions that are out there for web content.
> This will keep your application portable, as well as enable the coders
> involved to know at a glance what language your modules are written in
> when they look at them. If you use PHP, Perl, and Ruby in your
> environment, file extensions are a good thing.
>
> If you truly want security, then test your application against different
> types of attacks that it can and likely will be subject to.
>
> Check to ensure that you aren't using register_globals so that your
> global namespace isn't tainted. Ensure that your application is not
> subject to SQL injection attacks. Verify that you're able to spew lots
> of garbage at it and get nothing valid back. Ensure that cookies can't
> be crafted (if your application uses cookies) by an attacker. Be sure
> that your application isn't vulnerable to replay attacks.
>
> Those are some of the points of security that you need to watch out for,
> that will heighten your level of safety in operating the application.
> The job of keeping things secure, however, is almost never done;
> somebody, somewhere, will find ways to get around things, and then you
> have to circumvent them. Hopefully, before any compromise is made.
>
> - Mike

Mike:

I understand all that.

There is a level of weak security sometimes called 'security through
obscurity' that URL hiding falls into. I agree it's not sufficient but,
then again, nothing is absolute when talking about security.

At best, you build walls within walls to increase the technical
knowledge required to defeat the system. Sometimes you can add to the
fun by adding false information to the mix. For example, if I change my
php mapping to, say, asp, an inexperienced hacker will spend time
chasing a blind alley (i.e. attempting asp exploits against a php system).

Smarter hackers will not trust the asp signature and probe for other
corroborating information, but we have reduced the total population of
hackers hitting the site - which is one of the objectives of security.
Yes, it fails if the hacker is persistent, but the profile of the
amateur hacker is one of quick in/quick out. If they don't crack it
immediately, they tend to move on to easier prey unless there is some
compelling reward for continuing their efforts.

Organizations use security through obscurity all the time. They will
order equipment to be delivered to a sidewalk location with instructions
to 'drop it and leave the area'. The goal here is that the delivery
person has no idea of the final destination of the goods making it much
more difficult for the delivery person to supply location information to
some third party. Often buildings with security requirements are hidden
by mislabeling them or having no identification information on them at
all. URL masking is like dropping the package on the sidewalk or
mislabeling the building - it hides information from the attacker.

You and Jerry seem to be implying that I said that URL hiding
represented all the security you needed - which I never said. I was
simply objecting to Jerry's (and now your) assertion that URL hiding was
not a viable element within the security plan for a site.

-david-
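The disagreement above turns on what a renamed extension actually hides. Under Apache with mod_php, the mapping David describes is a single directive (for example `AddType application/x-httpd-php .asp`; that his server is Apache is an assumption here), but the handler still emits PHP-specific artifacts that the extension does not touch. The script below, added as an example and not part of the original thread, is the "corroborating information" probe a smarter attacker would run: given an HTTP response, it looks for PHP evidence in the `X-Powered-By` header, the `PHPSESSID` cookie and PHP's own error text, and compares that with what the URL's extension claims. The two responses are constructed for the example; `php_indicators`, `assess` and the label strings are this example's own names.

```python
"""Corroborate the server-side language from HTTP response artifacts rather
than the URL's extension. The sample responses are constructed for this
example; nothing here is fetched from the network."""
import re
from typing import Dict, List

# Header evidence: (label, header name, pattern). Names are matched
# case-insensitively; join several Set-Cookie values with "\n" if you have them.
HEADER_CHECKS = [
    ("X-Powered-By advertises PHP", "x-powered-by", re.compile(r"\bPHP/?\d*", re.I)),
    ("PHPSESSID session cookie", "set-cookie", re.compile(r"\bPHPSESSID=", re.I)),
]

# Body evidence. The error pattern accepts both plain-text errors and the
# <b>-wrapped form PHP emits when html_errors is on, and it requires the
# "in <path>.php on line N" tail so ordinary prose does not trigger it.
PHP_ERROR = re.compile(
    r"\b(?:Warning|Notice|Fatal error|Parse error)(?:</b>)?:.*?"
    r"\bin\s+(?:<b>)?(\S+\.php)(?:</b>)?\s+on line\s+(?:<b>)?\d+",
    re.I | re.S,
)
BODY_CHECKS = [
    ("PHP error text leaks a .php script path", PHP_ERROR),
    ("PHPSESSID propagated in a URL", re.compile(r"[?&]PHPSESSID=", re.I)),
    ("phpinfo()-style page", re.compile(r"PHP Version\s*\d", re.I)),
]


def php_indicators(headers: Dict[str, str], body: str) -> List[str]:
    """Return the labels of every PHP indicator found in one response."""
    lower = {name.lower(): value for name, value in headers.items()}
    found = []
    for label, name, pattern in HEADER_CHECKS:
        if name in lower and pattern.search(lower[name]):
            found.append(label)
    for label, pattern in BODY_CHECKS:
        if pattern.search(body):
            found.append(label)
    return found


def extension_hint(url: str) -> str:
    """The language the URL's extension suggests: the only thing masking changes."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def assess(response: dict) -> dict:
    """Compare the extension's claim with the evidence in the response."""
    hint = extension_hint(response["url"])
    evidence = php_indicators(response["headers"], response["body"])
    if evidence and hint not in ("php", "phtml"):
        verdict = f"extension says {hint}, evidence says PHP"
    elif evidence:
        verdict = "PHP"
    else:
        verdict = "no PHP evidence"
    return {"url": response["url"], "extension_hint": hint,
            "php_evidence": evidence, "verdict": verdict}


# Constructed sample 1: a PHP site whose handler was remapped to .asp.
MASKED_ASP = {
    "url": "http://example.test/login.asp",
    "headers": {
        "Server": "Apache/2.0.55 (Unix)",
        "X-Powered-By": "PHP/5.1.2",
        "Set-Cookie": "PHPSESSID=4e1c0d9f2a7b; path=/",
    },
    "body": ("<html><body><br />\n<b>Warning</b>:  mysql_connect(): Access denied "
             "for user 'web'@'localhost' in <b>/var/www/login.php</b> on line "
             "<b>12</b><br />\n</body></html>"),
}

# Constructed sample 2: a genuine classic-ASP response for contrast.
REAL_ASP = {
    "url": "http://example.test/login.asp",
    "headers": {
        "Server": "Microsoft-IIS/6.0",
        "X-Powered-By": "ASP.NET",
        "Set-Cookie": "ASPSESSIONIDQQBTCSBB=PLMFKDGAJNOPIEIB; path=/",
    },
    "body": "<html><body><form method='post'>...</form></body></html>",
}

if __name__ == "__main__":
    for sample in (MASKED_ASP, REAL_ASP):
        print(assess(sample))
```

The three hits on the masked sample all come from mod_php itself, not from the file name, which is why the renamed extension only filters out attackers who never look past the URL. If the masking is kept anyway, the artifacts this probe relies on are configurable: `expose_php = Off` in php.ini suppresses the `X-Powered-By` header, `session.name` changes the `PHPSESSID` cookie name, and `display_errors = Off` keeps script paths out of responses. Those settings reduce the leak; the ones an attacker cannot see from the outside are the ones that matter.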
