FAQ Topic - How can I protect a webpage in javascript?

[FAQ server]

-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.


===
Postings such as this are automatically sent once a day. Their
goal is to answer repeated questions, and to offer the content to
the community for continuous evaluation/improvement. The complete
comp.lang.javascript FAQ is at http://jibbering.com/faq/index.html.
The FAQ workers are a group of volunteers.

 

[Dr J R Stockton]

In comp.lang.javascript message <[email protected].

-----------------------------------------------------------------------
FAQ Topic - How can I protect a webpage in javascript?
-----------------------------------------------------------------------

In practice you can't. While you could create a suitable
encryption system with a password in the page, the level of
support you need to do this means it's always simpler to do it
server-side. Anything that "protects" a page other
than the current one is definitely flawed.

Since some authors do not have access to server-side coding. it's not
completely helpful to put "it's always simpler to do it server-side".


The Topic is ambiguous. I think the intention may be
"How can I prevent access to a web page by using javascript?"

 

[Randy Webb]

Dr J R Stockton said the following on 2/11/2007 4:59 PM:

In comp.lang.javascript message <[email protected].


Since some authors do not have access to server-side coding. it's not
completely helpful to put "it's always simpler to do it server-side".

It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

The Topic is ambiguous. I think the intention may be
"How can I prevent access to a web page by using javascript?"

Agreed and changed to your proposed wording.

 

[Dr J R Stockton]

Dr J R Stockton said the following on 2/11/2007 4:59 PM:

It's still more helpful than giving them a bogus answer and anything
security related in javascript is bogus.

Just omit "always", and all will be well.

Agreed and changed to your proposed wording.

One can, however, protect against unauthorised viewing of the "real"
content.

<div ID=X hidden>scrambled material</div>
<div ID=Y>innocuous material</div>
<pseudojavascript>
something.onClick = function() {
Y.innerText = unscramble(X.innerText, GetKey) }
</pseudojavascript>

If Key is of a "one-time-pad" nature, used by XOR, that will be totally
secure. Then, to hide, from a casual glance at the initial page, the
existence of the secret material, start the decoding by an onClick of an
element that does not look like a control.

 

[Randy Webb]

Dr J R Stockton said the following on 2/12/2007 9:44 AM:

Just omit "always", and all will be well.

It is "all well" now for everyone but you. It is *always* simpler to do
it on the server. Well, except for people who choose not to employ
server side technologies and they have to suffer with the consequences
of thinking anything in client side Javascript is secure.

One can, however, protect against unauthorised viewing of the "real"
content.

<div ID=X hidden>scrambled material</div>
<div ID=Y>innocuous material</div>
<pseudojavascript>
something.onClick = function() {
Y.innerText = unscramble(X.innerText, GetKey) }
</pseudojavascript>

If Key is of a "one-time-pad" nature, used by XOR, that will be totally
secure. Then, to hide, from a casual glance at the initial page, the
existence of the secret material, start the decoding by an onClick of an
element that does not look like a control.

Do you have a demo of this concept? It wouldn't take 5 minutes to
decipher it. And, if all it takes is a "click" on an element that does
not look like a control then simply looking at the source can tell you
what to click on to see it. Trivial to bust.

 

[Dr J R Stockton]

Dr J R Stockton said the following on 2/12/2007 9:44 AM:

It is "all well" now for everyone but you. It is *always* simpler to do
it on the server. Well, except for people who choose not to employ
server side technologies
Agreed.

and they have to suffer with the consequences of thinking anything in
client side Javascript is secure.

Non sequitur.

Do you have a demo of this concept? It wouldn't take 5 minutes to
decipher it.

If a full one-time-pad approach is used, which means that the "password"
must be as long is the encoded text, *nothing* can break the encoding
(not counting intercepting the password; but that does not need to be
transmitted over the Net.

And, if all it takes is a "click" on an element that does not look
like a control then simply looking at the source can tell you what to
click on to see it. Trivial to bust.

Certainly. I wrote "casual glance" for a reason. Of course, one can
also put a "decode" button that will amuse the simple-minded, giving
innocuous output. Remember "The Purloined Letter"? Have you yet
noticed any quasi-hidden links on my site?

 

[Randy Webb]

Dr J R Stockton said the following on 2/13/2007 7:59 AM:

Have you yet noticed any quasi-hidden links on my site?

I think I looked at your site last in 1999 or 2000 (or somewhere there
abouts). Nothing there was interesting/important to me then and I doubt
it is now. So, to answer you question, no, as I don't care to look at
your site.

 

[Dr J R Stockton]

Dr J R Stockton said the following on 2/13/2007 7:59 AM:



I think I looked at your site last in 1999 or 2000 (or somewhere there
abouts). Nothing there was interesting/important to me then and I doubt
it is now. So, to answer you question, no, as I don't care to look at
your site.

As I rather suspected. No doubt Santayana would have been able to make
a suitable remark.

 

[Randy Webb]

Dr J R Stockton said the following on 2/15/2007 6:19 PM:

As I rather suspected.

I am happy to have not disappointed you(not that it really matters a
whole lot to me *what* you think of me). But, after reading almost 10
years of your biased ignorant garbage I have no need - nor desire - to
read any more of it on a web site. Perhaps you should do some research
on Aircraft Carrier's and apply some common sense every now and then. It
might make your site worth reading.