Obscure URL == key?



  • Maybe it is too academic, but one might argue that an obscure URL like url?admin=3310 is not security by obscurity.

    If you have to guess the correct value by trying 3301, 3302, ..., how is it different to, say, bruteforcing a DES key?

    It is also a key, just with a much smaller keyspace, hence a URL with a secret ID is not security by obscurity. Though, it still doesn't change the fact that the whole scheme is piss poor.

    OTOH, url/controlpanel.php?loggedin is security by obscurity.



  • I have just learned that this forum software works in a very unconventional way.



  • Kerckhoffs' law: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

    In this case, if I have the source code, a packet capture session, or an admin's web history (amongst other things) the system becomes compromised. This is definitely security through obscurity, though definitely not as bad as the controlpanel.php?loggedin example.



  • If you have the source code, you have the key (though can still be argued), if you get a packet capture session or an admin's web history you get the key too, which is no different than if the number in the URL was replaced by a key passed in the URL :)



    As I said, this discussion was purely academic :)



  • And why did you assume the magic number would be in the source code? Maybe it is stored in .htpasswd.



  • @Mr. Gibbons said:

    If you have the source code, you have the key (though can still be argued), if you get a packet capture session or an admin's web history you get the key too, which is no different than if the number in the URL was replaced by a key passed in the URL :)

    I'm not sure I see what you're getting at. It's entirely possible to create a system which remains secure even when a hacker gets a packet capture session or a web history. I'd argue that anything less than that suffers from security through obscurity issues.

    @Mr. Gibbons said:

    And why did you assume the magic number would be in the source code? Maybe it is stored in .htpasswd.

    Valid point. I guess I assumed that anyone who would think of encrypting the magic number would take the time to make a proper login mechanism :)



  • The only trouble I'd have with that is as the url is displayed in the browser it's like having a textbox always showing on the screen with the admin password in it for anyone passing by. If this is for use by normal users it's also too easy for them to copy/paste the url without realising its significance.

    Other than that if the number is treated correctly it could in fact just be considered as a password. Although a quick login form, post, and a cookie would work nicer as it's not displayed on screen anymore. Plus it implies to a user that they should not give out that number.
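
The login form, POST and cookie flow suggested in the last post, set beside the url?admin=3310 check the thread discusses. This is an added example, not code from the thread or from any poster; the function names, the `secret` form field, the `sid` cookie and the in-memory session set are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumption: a long random admin secret held in server-side config.
# Generated here so the demo is self-contained.
ADMIN_SECRET = secrets.token_urlsafe(32)
SESSIONS = set()  # live session tokens (in-memory, demo only)


def url_admin(query: str) -> bool:
    """The scheme from the thread: the secret rides in the URL, so it
    lands in the address bar, browser history and server access logs."""
    return parse_qs(query).get("admin", [""])[0] == "3310"


def login(post_body: str):
    """Handle the login form POST. Returns (status, headers)."""
    supplied = parse_qs(post_body).get("secret", [""])[0]
    # Constant-time comparison of the submitted secret.
    if not hmac.compare_digest(supplied.encode(), ADMIN_SECRET.encode()):
        return 403, {}
    # Issue a fresh random session token; the secret itself is never
    # echoed back, and the redirect URL carries nothing sensitive.
    token = secrets.token_urlsafe(32)
    SESSIONS.add(token)
    cookie = f"sid={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return 303, {"Set-Cookie": cookie, "Location": "/admin"}


def is_admin(cookie_header: str) -> bool:
    """Authorize a later request from its Cookie header alone."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else ""
    return sid in SESSIONS
```

The session token can be revoked by removing it from `SESSIONS` without changing the admin secret, which the URL scheme cannot do.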

