E
Enzo
Hi Ng,
It's possible to protect the source code of
a js file? With PHP?
Thanks in advance!
Enzo
It's possible to protect the source code of
a js file? With PHP?
Thanks in advance!
Enzo
Hi Ng,
It's possible to protect the source code of
a js file? With PHP?
No, there is nothing which you can do to stop even moderately intelligent
users from seeing your js source code. Microsoft have an option to
'encrypt' js files but (a) this means your js will only ever run on IE, and
(b) 2 minutes with Google will find you a utility to unencrypt the js.
You can try using a javascript obfuscator to remove comments and whitespace
and replace meaningful variable names with shorter meaningless ones, but
the main benefit of this is that it reduces download times, and it does
make it more painful if you ever have to debug anything.
Ira said:We make such obfuscators.
Yes, they remove comments/whitespace,
and make the names meaningless.
Yes, this does benefit download time,
but it really does, in our opinion, make code
of any serious size very difficult to understand,
which is where you get your protection.
They have NO impact on development debugging.
You keep your source in cleartext, so you code and
debug it exactly as you have. You obfuscate the code
just before you go live with it in production,
keeping your cleartext for further development.
If you get an error report from the field, generated
obfuscation maps let you easily convert scrambled names
back to the real ones. (You customers of course don't get
these generated maps, only you do).
and make the names meaningless. Yes, this does benefit
download time, but it really does, in our opinion, make code
of any serious size very difficult to understand, which is where
you get your protection.
They have NO impact on development debugging.
You keep your source in cleartext, so you code and
debug it exactly as you have. You obfuscate the code
just before you go live with it in production, keeping
your cleartext for further development.
If you get an error report from the field, generated obfuscation maps
let you easily convert scrambled names back to the real ones.
(You customers of course don't get these generated maps,
only you do).
Douglas said:There is a standing challenge in this group to people making claims
about obfuscation and code hiding to prove their claims by giving us a
test case.
In previous trials, code was recovered and posted in the clear within
minutes.
Obfuscation is a waste of time. It does not work. It will not protect
secrets. It will increase development costs.
The goals of the obfuscation need to be made clear.
No amount of obfuscation will stop knowledgeable javascript coders from
gaining full readable access to your code. But, I don't think that's the
goal in most cases.
If the goal is to stop most web users - and probably most average javascript
coders - from duplicating your code and/or methods, then obfuscation
probably works just fine. Most people probably lack the knowledge or skill
to get anything useful from the obfuscated code. It should be made clear
that you will never protect your code from 100% of users. But if protecting
it from 80% (or whatever percent, I know you'll complain about random stats,
Richard) is acceptable and you think it is beneficial, then obfuscation
might achieve your goal.
Now, whether it's worth anyone's time to protected against a subset of all
internet users - that depends on the situation.
No amount of obfuscation will stop knowledgeable javascript
coders from gaining full readable access to your code. But,
I don't think that's the goal in most cases.
If the goal is to stop most web users - and probably most
average javascript coders - from duplicating your code and/or
methods, then obfuscation probably works just fine.
Most people probably lack the knowledge or skill
to get anything useful from the obfuscated code.
It should be made clear that you will never protect
your code from 100% of users. But if protecting it from
80% (or whatever percent, I know you'll complain about
random stats, Richard)
is acceptable and you think it is beneficial,
then obfuscation might achieve your goal.
Now, whether it's worth anyone's time to protected against
a subset of all internet users - that depends on the situation.
Richard Cornford said:So you keep saying.
But the removal of white space is not a contribution to obfuscation
because it is always possible to get a code formatter to put it back.
It has been demonstrated many times that the compression facilities of
HTTP 1.1 will have an approximately equivalent effect in reducing
download time, and carry that effect on to HTML source.
But if the point of processing source code in a way that modified
identifier names is going to be to reduce the size of the resulting code
it would be better to use an obfuscator that transformed the names to
the shortest valid identifiers available in the pertinent scope.
Your opinion seems to be colored by a vested interest.
You are yet to
get a single regular contributor to this group to agree with it.
You absolutely do not obfuscate code just before you go live with it. If
you are going to obfuscate code you need to do so _before_ QA, and then
QA again each time your re-obfuscate the original source.
Of course it is possible that semdesigns.com don't do QA so you don't
realise the need for this.
The premise that identifier names need to be meaningful for code to be
understood is utterly wrong.
Douglas Crockford said:[Baxter wrote]
We make such obfuscators. Yes, they remove comments/whitespace,
and make the names meaningless. Yes, this does benefit
download time, but it really does, in our opinion, make code
of any serious size very difficult to understand, which is where
you get your protection.
They have NO impact on development debugging.
You keep your source in cleartext, so you code and
debug it exactly as you have. You obfuscate the code
just before you go live with it in production, keeping
your cleartext for further development.
If you get an error report from the field, generated obfuscation maps
let you easily convert scrambled names back to the real ones.
(You customers of course don't get these generated maps,
only you do).
There is a standing challenge in this group to people making claims
about obfuscation and code hiding to prove their claims by giving us a
test case.
In previous trials, code was recovered and posted in the clear within
minutes.
Obfuscation is a waste of time. It does not work. It will not protect
secrets.
It will increase development costs.
JSMin, which is free and open, can remove comments and whitespace. That,
followed by compression, can significantly reduce download times.
It is also as effective as obfuscation in keeping competent programmers from
seeing the source. That is why JSMin makes no such claims.
I don't recall seeing such trials. You may have had them.
We haven't participated in such.
Hywel said:(e-mail address removed) says...
In PHP:
unlink("filename.js");
Ira said:Richard Cornford wrote:
Sure. I repeat, once again that obfuscation (and any kind of
"protection") offers NO GUARANTEES. Obfuscation simply
provides a level of defense that requires effort on the part of
a thief.
Once the economics from the theif's point of view
are poor, you've won.
Reformatting isn't particularly hard, granted.
Nontheless, the results still look scary (even if they
aren't in a technical sense), and that chases off some
of the potential thieves. No, don't repeat your argument
about chasing off only dumb theives, we've all heard it.
Chasing off dumb theives is still valuable, and this isn't
the only defense.
I doubt if my customers want to spend a lot of
time in this kind of discussion.
There have been several other defenders of
the utility of obfuscation involved in these
threads (Matt Kruse in this one).
I don't know if he is a "regular contributor",
and I don't see why "regular
contributor" should carry specific weight.
We all have our opinions.
Reasoned dicussions seem fine.
Yes, the way I stated could be interpreted as
"obuscate-then-ship-in-2-nanoseconds".
I meant it in "do your development, then finish up your
usual way (including test if you have any sense), and
then ship."
If you didn't have your own point of view to push,
I think you reasonably might have interpreted this
a bit more loosely.
We're not trying to prove theorems here.
Yes, it is *possible*. It is *possible* you are an axe
murderer. Then again, perhaps we actually do QA, and you
are not. Ad hominem attacks don't contribute to this
discussion.
For small codes, sure. For larger codes... almost everybody
on the planet agrees that maintaining somebody else's code
is difficult; see any software engineering textbook.
The usual recommendation is that an engineer(!) design carefully,
code carefully, choose meaningful names, and document it all.
The usual practice seems much worse, and almost all
maintenance is based on reading the existing code and
praying the last guy at least used sensible names.
If he hasn't done that, then
working out what the code
does tends to be much harder.
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.