Jorge schreef:
Thanks Erwin, Conrad, Grant, Lasse, Evertjan. I agree 100% with all
the things you said. I'm already doing most of the things that you are
suggesting (except fiddling with the firewall setup, Grant). May be
I'm just too paranoid. TFYT.
(Although you didn't even try to help me with the original
question
Shame, I thought we tried to answer that one too.
I'll do it again in more clear words:
Whatever the piece of JavaScript is you are trying to 'remove', it won't
help. It has been sent to the client, so it is/was there: no matter how
hard you try to remove it: it has still been sent, and thus ready for
inspection, modification, etc by anyone who has the slightest idea how
http works. You CANNOT hide that.
As for your original question: Why is is visible in this version, and
not that version og firebug: only the developers can tell you why they
decided to build it that way.
So unless one of them frequents this group, you have to ask them directly.
Bottomline: It actually doesn't matter what some piece of software tells
you (firebug in this case). Even IF the firebug developers decided to
remove your piece of JavaScript from their debugger, it STILL was
transmitted over the network, received by your browser.
So it doesn't matter what firebug tells you.
Here is a story that actually happened to me:
In my early days as webdeveloper I built a website with good fun
Shockwavegames. The scores of the players had to be received by the
server because we would give the best players a real prize: a bunch of
popular boardgames.
I thought I could outsmart smart hackers. In my case it was even harder
for a hacker to break my logic because it was embedded in a shockwave
(director) movie, and not in Javascript.
And I really thought I made an ultrasmart encoding, with a few
hard-to-break nonstandard tricks in it. How arrogant of me.
After a few months of prizes I noticed 1 player sent highscores that
hold strangely round numbers (excactly 50.000 eg), so I investigated
futher, and decided to contact the guy (I had his address because I
wanted to send him the boardgames).
He straightly admitted he hacked the thing and explained to me how
(network sniffing, and some simple decoding algorithm/program named
Primus I think). He also told me it took him half an hour in total to
break my protection.
I thanked him of course, and send him the prize. (In my opinion he
deserved a double prize because he learned me why my approach sucked.)
Moral for me: Never think you can outsmart the rest of the world.
When it comes to security, simply realize that there are people out
there with 10 times your math skills, 10 times your intelligence, and
who think 100 times faster. They WILL crack your code, and surely when
you try to make it hard for them: That is actually an insentive to break
it. (No honor is easy wins)
So, keep things simple:
- Make sure the only way into your system is a valid username/password,
don't even try to hide anything clientside, there is no point in doing so.
- If you care about a man-in-the-middle attack, use https.
- Run a real OS at the server.
- Make sure you understand who has access to the server, and what they
can do. (So no shared hosting, VM is OK though.)
- And also: be sure you agree to what Conrad Lender wrote: especially
the delay from the server before ansering to really annoy anyone who
tries brute force passwordbreaking. It is a simple measure and it really
has a great impact.
Oh well, that is enough for today. I talk too much.
Good luck!
Regards,
Erwin Moller
--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare