
At what point does something count as ‘security through obscurity’?

Çağlar Arlı


So, I keep finding the conventional wisdom that 'security through obscurity is no security at all', but I'm having the (perhaps stupid) problem of being unable to tell exactly when something is 'good security' and when something is just 'obscure'.

I checked other questions relating tangentially to this, and was unable to figure out the precise difference.

For example: Someone said using SSH on a nonstandard port counts as security through obscurity. You're just counting on the other person to not check for that. However, all SSH is doing is obscuring information. It relies on the hope that an attacker won't think to guess the correct cryptographic key.

Now, I know the first circumstance (that someone would think to check nonstandard ports for a particular service) is far more likely than the second (that someone would randomly guess a cryptographic key), but is likelihood really the entire difference?

And, if so, how am I (an infosec n00b, if that isn't already abundantly clear) supposed to be able to tell the good (i.e. what's worth implementing) from the bad (what isn't)?

Obviously, encryption schemes which have been proven to be vulnerable shouldn't be used, so sometimes it's clearer than others, but what I'm struggling with is how I know where the conventional wisdom does and doesn't apply.

At first blush, it's perfectly clear, but when I actually try to extrapolate a hard-and-fast, consistently applicable algorithm for vetting ideas, I run into problems.