1

So, normally, obfuscators will minify the code and perhaps make things more obscure. As is already well established on the internet, you cannot prevent viewable source code (i.e. JavaScript in the browser), or even any code executed on a client computer at all, from being hacked. Not only that, but there are deobfuscators and code inferencers (e.g. JSNice) out there that make viewing and understanding the source code extraordinarily easy.

What if your goal, however, would just be to make it extremely difficult to tamper with the code, or perhaps even to steal the code and put it on another website? The goal would be to deter people enough that they would rather rewrite the code from scratch than steal or tamper with your existing work.

What methods might one employ to accomplish this effectively? (I'm also interested in any well-defined concepts in this area.) Rules are:

  1. Can't significantly bog down the client-side code, to the point that it's laggy on slower computers.
  2. Utilizing server code in any way is allowed, e.g. sending different arrangements of the code to the client, sending hash strings, etc. (This does not include replacing the client altogether, of course; there will be live user interaction and such.)
  3. Regular load times of a few seconds or less is acceptable.
  4. Browser JavaScript is the preferred answer language/environment, but other ideas such as hosting JavaScript in a client application or using a standard client are also welcome.
Andrew
  • 5,839
  • 1
  • 51
  • 72
  • You can't do this effectively with JavaScript. Since it runs on the user's computer, it doesn't matter where it was downloaded from, so obfuscated code can easily be copied to another website. – Barmar Oct 15 '19 at 18:20
  • 1
    Anyway, the word you're looking for is "copy-protection". – Barmar Oct 15 '19 at 18:21
  • @Barmar I beg to differ. It can easily be copied, that doesn't mean it can easily be copied and still execute/display properly on another website. Yes, copy-protection and also tamper-prevention as well. Both are of interest. – Andrew Oct 15 '19 at 18:25
  • Possible duplicate of: https://stackoverflow.com/questions/1660060/how-to-prevent-your-javascript-code-from-being-stolen-copied-and-viewed – Barmar Oct 15 '19 at 18:27
  • Kkkkkkkiiiiiind of; I asked mine in a different light. The idea being: is there some way to prevent code from executing properly unless it's from *your* website/server with *your* version of the code? – Andrew Oct 15 '19 at 18:33
  • 1
    There are answers that address this. – Barmar Oct 15 '19 at 18:35
  • @Barmar Just this one: https://stackoverflow.com/a/16367309/1599699 But it is a really good one, thanks! – Andrew Oct 15 '19 at 18:46
  • 1
    view the source of gmail or google home page or google news, and tell me if you think you can use their JS on any other site. You can also take advantage of implicit globals from ID-having elements to hard-code those IDs (plus for random names) into you site and code, so that when the script is removed, they have no idea what those globals are supposed to be. If you can generate var names on the fly, you can serve match sets of js/html, preferably in many files, so that user must carefully save each one w/o re-requesting – dandavis Oct 15 '19 at 18:47
  • @dandavis It has always kinda baffled me why Google's homepage code is so complex. (I found this: https://stackoverflow.com/q/22877454/1599699) But that would be one way, I suppose: just have so darn much code somehow (kinda like the equivalent of a Tautological OR (`A` == `A OR !A`) but with code), that it's not worth it to try an decipher it all due to time. – Andrew Oct 15 '19 at 19:05
  • @dandavis I don't 100% understand what you mean about the implicit globals in elements with ID's. Is the idea basically to just separate globals and literals out of the JS and put them in HTML elements instead, which the JS then reads? If so that's pretty novel! – Andrew Oct 15 '19 at 19:07
  • 1
    I was talking about ``, which can be changed by JS as just `banner.innerHTML='Goodbye';`. Then change "banner" to "zusdfd" (or whatever gibberish) in both places. Makes it very confusing as to how the script interacts with the page... – dandavis Oct 15 '19 at 21:05
  • @dandavis In many cases that might just be better done by having the JS dynamically construct the HTML. But I did like that thought in terms of mixing HTML and JS and using obfuscated ID decryption to retrieve the right HTML elements and their values etc., as that would cause problems for any JS-only deobfuscation and require a more manual approach to handle the HTML side. Anyways thanks for your thoughts. – Andrew Oct 15 '19 at 21:35

0 Answers0