Generally, when a security system is broken, it’s not because of the “core” algorithm (RSA/AES etc) being broken, it’s because of other flaws in the system. If you’re keeping the system secret, you’re making things a bit harder for the bad guys (who have to play some guessing game, or get hold of a copy of your program and reverse-engineer it), but you’re also stopping it from getting the examination it needs from good-guy experts (who have better things to do with their lives than try to understand your disassembled source code).
But the key aspects of the code have been reviewed—it’s just that it’s no longer in a format that can algorithmically be passed to a breaker, and requires intelligent thought to get it to that stage, which would seem to put a bottleneck on attacks.
It’s been reviewed by you. Unless you’re a three-letter agency, that’s extremely unlikely to be thorough enough to say with any confidence that it’s secure.
Hm, actually, it depends on what you’re trying to be secure against. If, say, you’re running a website with a standard installation of something, it can be worth changing it a little bit so that automated scanning tools won’t be able to exploit flaws in it. There won’t be huge benefit against people deliberately targeting you, though.