Security vs Security Through Obscurity

Security through obscurity? What does that even mean? Security through obscurity is the reliance on the secrecy of the implementation of a system or components of a system to keep it secure. It’s not truly analogous, but imagine it being like hiding your car instead of locking it, to try to keep it from being stolen. It might slow the thief that expects it to be in your driveway, but when some thief does happen upon it, it’s easy pickings. The reason that analogy is bad, is because it’s rare that you find someone that uses security by obscurity as their only means of security. They don’t usually hide the admin page of their site instead of having a username and password. However, it’s quite common to see people use obscurity as a replacement for good security. Thinking that a weak password is okay because no one knows where to go to log in anyway is dangerous.

Types of Security

There are three basic types of security: security by design, security by openness, and security by obscurity. The first two have been proven over and over to be extremely effective, even on their own. Security by design means pretty much what it sounds like. A system is designed from the beginning with security in mind. Malicious intent is assumed. User input and often even internals are not trusted. Instead rules are enforced and everything is checked and validated. Security by openness relies on Linus’s Law, which states that “given enough eyeballs, all bugs are shallow” (an obvious adaptation of the oft proven idiom “many hands make light work”). It puts the code in front of lots of people by opening it up, and relies on the efforts of the masses to find and close any security vulnerabilities. All of the most popular open source applications use this method, from WordPress to Linux, and it has been extremely successful. By contrast, security through obscurity hasn’t been proven to work on its own. A common mantra among digital security professionals is “security by obscurity is not security at all.” Even the National Institute of Standards and Technology, in their Guide to General Server Security (PDF) teach against it:

Open Design — System security should not depend on the secrecy of the implementation or its components.

The question of whether secrecy of systems is beneficial for security is not new. Alfred Charles Hobbs, a locksmith, wrote a book in 1853 titled “Construction of Locks and Safes“. In it he said that “many well-meaning persons” assume that public exposure of a lock’s insecure design will end up helping criminals. His response to this concern applies as directly to today’s technical systems as it did to the locks of the nineteenth century:

Rogues are very keen in their profession, and know already much more than we can teach them.

The Truth about Security

Security doesn’t have to be limited to one type though. Actually, great security usually isn’t. Instead, it’s like a Kevlar vest. Kevlar does not stop bullets. Stop and think about that for a moment. The most common type of bullet proof (resistant) vests are made of a material that does not stop bullets. Not even small ones. However, with enough layers of Kevlar, bullets are stopped and their impact is spread safely across a larger impact zone. Security should come in layers too, but, like Kevlar, each should be carefully planned and considered. A good layered security plan will include things like:

• Keeping your software up to date. This includes WordPress along with it’s plugins and themes, but also includes your version of PHP, Apache or nginx, MySQL, etc on your web server. If you don’t want to be responsible for these, then choosing a good host should be part of your security plan. To keep WordPress, themes and plugins up to date, easily and from one place, you can use iThemes Sync (free for 10 sites).
• A strong password policy. Notice that I didn’t say “a strong password”. That’s because you really should have a unique strong password for everything. Use a password manager like LastPass or 1Password to make your passwords long, random, and unique to each site (I personally use 50+ character passwords). Again, this is for more than just your website. Implement these safe and unique passwords for SFTP, your control panel, your email, and anywhere else you can. Each of these is a potential point of entry. In iThemes Security Pro, you can use the Enforce Strong Passwords feature to enforce strong passwords by user roles (admins, editors, users, etc.).
• Two Factor Authentication. This is not a replacement for a strong password policy; rather, adding two factor authentication on top of a strong password policy gives an extra layer of protection against attacks. Implement two factor authentication wherever you can. iThemes Security Pro helps you easily add two factor authentication to your WordPress website, but again you should look for other areas to secure as well. Add it to your Gmail, to your host’s control panel if they support it (or ask them to support it), to your Sync dashboard, etc.
• Using SSL. Buy an SSL cert for your site and get it set up. When you log into your site over http, your password is sent in plain text and is more vulnerable to being caught somewhere between you and your server. Using https means that it is encrypted by your browser, sent in it’s encrypted form, and unencrypted by your server. I’m going to start sounding like a broken record, but this is not just for your website. Make sure you’re also using SFTP instead of FTP, that you are accessing your control panel over SSL, etc. If you are unsure how to set up SSL or switch to using SFTP, talk to your host about it. They can usually help you take care of it. Additionally, once the SSL is set up, you can use iThemes Security (Pro and Free), you can also enforce SSL connections per page, login/admin area, or on the whole site.
• Limiting login attempts. There is no real reason that someone should need more than three or five tries to enter their password successfully. In these cases, lock them out. iThemes Security offers a free IP Network Banning feature that does just this.

These are some great layers that should be at the base of your security policy, but they are really all security by design. Does that mean security by obscurity really is useless? No, it just needs to be used cautiously.

Obscurity as a Layer

The Internet is a war zone and your website is there in the middle of it. Lets imagine our site as a vehicle going into this war. We want to be like the M1A2 Abrams tank. It has composite armor formed by spacing multiple layers of various alloys of steel, ceramics, plastic composites, and Kevlar, getting over five feet thick in the most heavily reinforced areas! This is augmented with an active protection system that includes missile countermeasures. They also have camouflage. It’s another layer. Not one they rely on heavily, but it’s there. This is the vehicle I want my website to be. Maybe someone won’t even see it, but when they do (and in war that has to be assumed to be an inevitability), I’m still protected.

So what does this mean for your website?

Implement the most effective layers of security first; updates, strong passwords, two factor, SSL, and limiting login attempts. Then, add additional layers when and how they make sense. I add obscurity by making sure that my passwords aren’t written down anywhere, by never telling them to anyone else for any reason, and by being aware of who might be watching when I enter those passwords. I make sure that the layers of obscurity are effective and that they don’t interfere with the functionality of the other, more important layers.