<- snip ->
The problem with security through obscurity is that is doesn't actually
make you more secure, it makes you "feel" more secure.
<- snip ->
I just want to mention, not that you meant it this way, but the proper statement should be "security through obscurity alone" is not good. Security through obscurity as part of a blended or "depth" approach is typically just fine and is used the world over (even passwords and encryption keyed on an unknown passphrase...).
Then again, we would also have to define what one means by secure. Too often people take the very bad extreme that a "secure measure" is something that ensures ultimate security, and then use that definition whenever it suits them, and twist it when it doesn't. These same peopel tend to say "there's no silver bullet to security" or "security is not a state but a process" which flies in the face of incremental measures like SSID cloaking.
SSID cloaking will not make you ultimately secure and it won't stop a lot of attackers. But it can stop some of the lame ones and drive-bys. Yes, other measures can be taken to add more security and stop more and more theats of higher levels of technical skill.
But that really wasn't my point. I just want to make sure that we are aware that SSIDs are not necessarily a useless feature that add zero value. They do add some value. It just changes from zero to x based on how you define security and what threats you are attempting to thwart.
The problem with security through obscurity is that is doesn't actually
make you more secure, it makes you "feel" more secure.
<- snip ->
I just want to mention, not that you meant it this way, but the proper statement should be "security through obscurity alone" is not good. Security through obscurity as part of a blended or "depth" approach is typically just fine and is used the world over (even passwords and encryption keyed on an unknown passphrase...).
Then again, we would also have to define what one means by secure. Too often people take the very bad extreme that a "secure measure" is something that ensures ultimate security, and then use that definition whenever it suits them, and twist it when it doesn't. These same peopel tend to say "there's no silver bullet to security" or "security is not a state but a process" which flies in the face of incremental measures like SSID cloaking.
SSID cloaking will not make you ultimately secure and it won't stop a lot of attackers. But it can stop some of the lame ones and drive-bys. Yes, other measures can be taken to add more security and stop more and more theats of higher levels of technical skill.
But that really wasn't my point. I just want to make sure that we are aware that SSIDs are not necessarily a useless feature that add zero value. They do add some value. It just changes from zero to x based on how you define security and what threats you are attempting to thwart.
[ reply ]