Obscurity is not a replacement for real security, but as one layer among several it raises attacker cost and, in practice, reduces exposure to untargeted automated attacks.
Key Takeaways
Kerckhoffs’s Principle forbids only relying on obscurity as the foundation; adding obscurity on top of real security is a valid defense-in-depth layer.
WordPress custom table prefixes (e.g. wp_8df7b8_users) blocked automated SQL injection bots exploiting a real plugin CVE, because the bots’ payloads assumed the default wp_ prefix; the site itself remained technically vulnerable to anyone who enumerated the real prefix.
Valve stripping debug symbols from CS:GO .dylib binaries measurably slowed cheat development; an accidental unstripped macOS release confirmed the value by immediately accelerating cheat creation.
Google reCAPTCHA, Netflix browser DRM, and Riot Vanguard all rely on heavy code obfuscation (JavaScript in the browser cases) to raise the cost of automated bypass, not to achieve security on its own.
A hard CTF challenge required 4.5 hours of Claude Opus, 72M tokens, and ~$300 to crack, illustrating that token cost is a real attacker constraint even with AI.
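The WordPress table-prefix takeaway above is the one point on this page that a worked example clarifies: the injection point still exists, the bot just aims at a table name that is not there. The following is an added example, not code from the original article or from WordPress. It uses SQLite in memory as a constructed stand-in for the MySQL database (sqlite_master plays the role of information_schema.tables), an invented plugin search query as the injection point, and made-up user data. It shows a mass-scanner payload hardcoding wp_ failing against the custom prefix, a targeted attacker recovering the prefix through the same hole, and the parameterized query that actually closes it.

```python
import sqlite3

# Constructed sample prefix; the page's example is wp_8df7b8_.
CUSTOM_PREFIX = "wp_8df7b8_"
DEFAULT_PREFIX = "wp_"
CONSTRUCTED_HASH = "$P$Bconstructedhash"  # made-up phpass-style value


def build_site(prefix):
    """Constructed stand-in for a WordPress database with the given table prefix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO {prefix}users VALUES (1, 'admin', '{CONSTRUCTED_HASH}');
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO {prefix}posts VALUES (1, 'Hello world');
    """)
    return conn


def vulnerable_search(conn, prefix, term):
    """Hypothetical plugin query: user input concatenated straight into SQL (the CVE pattern)."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE post_title LIKE '%{term}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # On the real site this is where the bot's exploit silently dies.
        return f"ERROR: {exc}"


def fixed_search(conn, prefix, term):
    """The actual fix: a bound parameter. The prefix is operator config, not user input."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE post_title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def mass_scanner_payload():
    """What an automated bot fires at every host: the default wp_ prefix baked in."""
    return "' UNION SELECT user_login || ':' || user_pass FROM wp_users--"


def targeted_attacker(conn, prefix):
    """A human (or adaptive tool) first learns the prefix, then aims the real payload."""
    # Step 1: list table names through the same injection point.
    # sqlite_master stands in for MySQL's information_schema.tables here.
    probe = "' UNION SELECT name FROM sqlite_master WHERE name LIKE '%users'--"
    names = vulnerable_search(conn, prefix, probe)
    users_table = next(n for n in names if n.endswith("users"))
    # Step 2: the same UNION, now pointed at the discovered table.
    payload = f"' UNION SELECT user_login || ':' || user_pass FROM {users_table}--"
    return vulnerable_search(conn, prefix, payload)


def credentials_leaked(result):
    """True if the query result contains the constructed admin credential row."""
    return isinstance(result, list) and f"admin:{CONSTRUCTED_HASH}" in result


if __name__ == "__main__":
    default_site = build_site(DEFAULT_PREFIX)
    custom_site = build_site(CUSTOM_PREFIX)
    print("bot vs default prefix :", vulnerable_search(default_site, DEFAULT_PREFIX, mass_scanner_payload()))
    print("bot vs custom prefix  :", vulnerable_search(custom_site, CUSTOM_PREFIX, mass_scanner_payload()))
    print("targeted vs custom    :", targeted_attacker(custom_site, CUSTOM_PREFIX))
    print("bot vs fixed query    :", fixed_search(custom_site, CUSTOM_PREFIX, mass_scanner_payload()))
```

The obscurity layer turns the bot's one-shot exploit into a "no such table" error, which is exactly the mass-scanning benefit the article claims. It does nothing against the second attacker, who spends one extra request to enumerate the prefix, and it does not change the fact that the plugin is still injectable; only the parameterized query does that.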
Hacker News Comment Review
Broad commenter consensus: obscurity is concealment, not cover. It does not stop a determined attacker but forces them to spend more time finding the target, which matters against automated mass scanning.
Key technical pushback: the article misattributes Kerckhoffs’s Principle. Commenters noted it is specifically a cryptographic design rule (assume adversary knows everything except the key), not a general security axiom.
Practical risk raised repeatedly: obscurity layers create false confidence. Teams start treating concealment as real security and under-invest in actual hardening, until the only justification left for the obscurity layer is that it reduces scanner noise and alert fatigue.
Notable Comments
@tptacek: Frames security as risk and cost, not binary good/bad. Obscurity shifts adversary costs; whether that shift is material depends entirely on the specific threat model.
@catoc: Sharp framing: “Security through obscurity” implies obscurity achieves security, which is bad. “Security including obscurity” is fine.