Editing Security through obscurity (section)

== Criticism ==
Security by obscurity alone is discouraged and not recommended by standards bodies. The [[National Institute of Standards and Technology]] (NIST) in the [[United States]] recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."<ref>{{cite web|date=2008-07-01|format=PDF; 258&nbsp;kB|language=en|publisher=[[National Institute of Standards and Technology]]|title=Guide to General Server Security|url=http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf|archive-date=2017-08-09|archive-url=https://web.archive.org/web/20170809023939/http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf|url-status=live}}</ref> The [[Common Weakness Enumeration]] project lists "Reliance on Security Through Obscurity" as CWE-656.<ref>{{cite web|access-date=2023-09-28|date=2008-01-18|language=en|publisher=The MITRE Corporation|title=CWE-656: Reliance on Security Through Obscurity|url=https://cwe.mitre.org/data/definitions/656.html|archive-date=2023-09-28|archive-url=https://web.archive.org/web/20230928051914/https://cwe.mitre.org/data/definitions/656.html|url-status=live}}</ref>

A large number of telecommunication and [[digital rights management]] cryptosystems use security through obscurity, but have ultimately been broken. These include components of [[GSM]], [[GEO-Mobile Radio Interface|GMR]] encryption, [[GPRS]] encryption, a number of RFID encryption schemes, and most recently [[Terrestrial Trunked Radio]] (TETRA).<ref>{{cite conference|url=https://i.blackhat.com/BH-US-23/Presentations/US-23-Meijer-All-Cops-Are-Broadcasting.pdf|title=ALL COPS ARE BROADCASTING: Breaking TETRA after decades in the shadows (slideshow)|author=Midnight Blue|date=August 2023|conference=Blackhat USA 2023|access-date=2023-08-11|archive-date=2023-08-11|archive-url=https://web.archive.org/web/20230811121629/https://i.blackhat.com/BH-US-23/Presentations/US-23-Meijer-All-Cops-Are-Broadcasting.pdf|url-status=live}}<br />
{{cite conference|url=https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf|title=All cops are broadcasting: TETRA under scrutiny (paper)|author1=Carlo Meijer|author2=Wouter Bokslag|author3=Jos Wetzels|date=August 2023|conference=Usenix Security 2023|access-date=2023-08-11|archive-date=2023-08-11|archive-url=https://web.archive.org/web/20230811143013/https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf|url-status=live}}</ref>

One of the largest proponents of security through obscurity commonly seen today is anti-malware software. What typically occurs with this [[single point of failure]], however, is an [[arms race]] of attackers finding novel ways to avoid detection and defenders coming up with increasingly contrived but secret signatures to flag on.<ref>{{cite web|url=https://kpmg.com/nl/en/home/insights/2022/05/the-cat-and-mouse-game-of-antivirus-evasion.html|title=The cat and mouse game of antivirus evasion|author=KPMG|date=May 2022|access-date=2023-08-28|archive-date=2023-08-28|archive-url=https://web.archive.org/web/20230828004504/https://kpmg.com/nl/en/home/insights/2022/05/the-cat-and-mouse-game-of-antivirus-evasion.html|url-status=live}}</ref>

The technique stands in contrast with [[security by design]] and [[open security]], although many real-world projects include elements of all strategies.