-2

I have developed an AES algorithm in JavaScript and Java for secure communication between the browser and the server. I am using that JS file with tag; now, when we right-click on the page, we can see View Source, and in that view source only the location of the JavaScript file is visible. I am worried about whether any tool is available that can retrieve the JavaScript file pointed by ? If yes, then my key will be exposed. Is there any workaround for it?

MatthewMartin
Ishan Bhatt
  • Java is to Javascript as car is to carpet. – SLaks Jul 03 '13 at 14:35
  • If your JavaScript file is served by a simple ` – Pointy Jul 03 '13 at 14:35
  • If the browser can see and use x.js, then so can anyone/anything else. HTTPS/SSL/TLS are the way to provide security and prevent interception, not home-brew solutions - particularly not ones employing symmetric cryptography. – Alex K. Jul 03 '13 at 14:36

2 Answers

2

Your JavaScript code executes on the client.
Therefore, the client can read and execute that code.

Client-side cryptography is (mostly) an exercise in futility.
Your system is not secure.

SLaks
0

If I assume that your javascript src tag looks like this:

 <script src="www.mydomain.com/scripts/login.js"></script>

Then all I need to do is put www.mydomain.com/scripts/login.js in my address bar and I can read your JavaScript file plain as day. You might be interested in implementing some JavaScript obfuscation though. Here is a decent post: "How can I obfuscate (protect) JavaScript?" You can also Google 'JavaScript Obfuscation' for a multitude of information.

This is obviously security through obscurity, which isn't really security at all, but I suppose it is better than nothing in your case.

Community
dparsons
  • Thanks for the obfuscation suggestion. My src tag looks like , can it still be accessed? – Ishan Bhatt Jul 03 '13 at 19:21
  • Yes. Any file that your web page has access to, your user implicitly has access to. The name of the JavaScript file does not matter. I would only need to type www.yourdomain.com/sbijava/js/sha512.js in the browser and I can read the JS file plain as day. – dparsons Jul 03 '13 at 19:47
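
Since every script the page loads is readable by the client, a pre-deployment check for key material in served files is worth having. The following is an added example, not code from the question or the answers: it scans JavaScript source for string literals that decode to an AES key size. The function names and the sample script are constructed, and it assumes the key is stored as a hex or base64 literal.

```javascript
// Added example: audit a script you are about to serve for embedded AES keys.
// All names and the sample source below are constructed for illustration.

const AES_KEY_BYTES = new Set([16, 24, 32]); // AES-128 / AES-192 / AES-256

// Decoded byte length of a literal if it is clean hex or base64, else null.
function decodedLength(literal) {
  if (/^(?:[0-9a-fA-F]{2})+$/.test(literal)) return literal.length / 2;
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(literal) && literal.length % 4 === 0) {
    return Buffer.from(literal, "base64").length;
  }
  return null;
}

// Scan source text line by line for quoted literals whose decoded size matches
// an AES key (a 16-byte hit may also be an IV). Returns [{ line, literal, bytes }].
// Hits are candidates for review: a 32-character hex digest is flagged too.
function findEmbeddedKeys(source) {
  const findings = [];
  const stringLiteral = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  source.split("\n").forEach((text, index) => {
    for (const match of text.matchAll(stringLiteral)) {
      const literal = match[2];
      const bytes = decodedLength(literal);
      if (bytes !== null && AES_KEY_BYTES.has(bytes)) {
        findings.push({ line: index + 1, literal, bytes });
      }
    }
  });
  return findings;
}

// Constructed sample standing in for a served file such as login.js.
const sampleScript = [
  'var endpoint = "/login";',
  'var key = "000102030405060708090a0b0c0d0e0f";',
  "var iv = 'AAECAwQFBgcICQoLDA0ODw==';",
  "function encrypt(msg) { return aes(msg, key, iv); }",
].join("\n");

for (const f of findEmbeddedKeys(sampleScript)) {
  console.log(`line ${f.line}: ${f.bytes}-byte literal is readable by every client`);
}
```

Obfuscating the file changes how such a literal looks but not the fact that the browser, and therefore the user, receives it; the transport itself is protected by HTTPS/TLS, as the comments above point out.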