Obfuscation

  • centaur

    Obfuscation

    HI All,

    I am now seeking tools on javascript obfuscation. I have searched for
    several like stunnix, . But the interface is not really neat and sounds
    complicated. Is there any open source project doing this ? I need to encrypt
    several js and jsp files using javascript. If not an open source, which
    other obfuscator you will recommend ?

    Thanks.

    Perseus


  • Douglas Crockford

    #2
    Re: Obfuscation

    > I am now seeking tools on javascript obfuscation. I have searched for
    > several like stunnix, . But the interface is not really neat and sounds
    > complicated. Is there any open source project doing this ? I need to encrypt
    > several js and jsp files using javascript. If not an open source, which
    > other obfuscator you will recommend ?

    I recommend that you not waste your time with obfuscation.
    Here is a free minimizer: http://www.crockford.com/javascript/jsmin.html


    • Lasse Reichstein Nielsen

      #3
      Re: Obfuscation

      "centaur" <perseus_medusa @hotmail.com> writes:

      > I am now seeking tools on javascript obfuscation.
      ....
      > I need to encrypt several js and jsp files using javascript.

      (If I'm not mistaken, jsp stands for Java Server Pages, and is a
      server side thing. No reason to obfuscate them at all.)

      *Why* do you think you need to obfuscate (which is *not* encryption)
      Javascript?

      You are talking about security - secrecy in particular. Before taking
      any security measure, one should construct a threat model:
      What are you trying to prevent?
      Who are you trying to prevent from it?
      What are their capabilities?
      What will it cost you if the security fails?

      When you have determined your security needs, you can evaluate a given
      security measure (e.g., obfuscating Javascript) to see how it helps
      you counter the threats, *and* whether it is worth it.

      > If not an open source, which other obfuscator you will recommend ?

      None. The way web pages work is such that anything worth protecting
      should not be published. If anybody can have any significant gain from
      getting access to your code, then they *can* get access cheap enough
      to make it worth it. Adding obfuscation won't cost them enough to stop
      them, unless the gain is so insignificant that you shouldn't care
      either.


      In security, it is widely accepted that security through obscurity is
      false security. In other settings, obscurity can *add* an extra layer
      of defense on an otherwise secured attack path, and a delay there
      might help you respond before the protection is breached in depth.

      For a web page that is downloaded and manipulated off-line, extra
      delay means fairly little. Also, since the browser must be able to
      read the scripts without interaction, there is no way to implement
      security in depth, so the obfuscation becomes the only security
      measure. It is simply not the right tool for that. Sadly, that means
      that there isn't any.

      /L
      --
      Lasse Reichstein Nielsen - lrn@hotpop.com
      DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
      'Faith without judgement merely degrades the spirit divine.'


      • centaur

        #4
        Re: Obfuscation

        Thanks for your reply.

        Actually, I am using some javascript "technique" and my product is selling
        to some technology company. They could easily figure out how I do this and
        we would lose our competitiveness. I know they could still figure out what
        we use if they study closely because they are able to download it. But I
        just want to make it difficult. I saw script in gmail is turned into code
        like function skdh() {...}, so it's not readable and it makes reverse
        engineering difficult. I just want to seek tools like this.

        Thanks.

        Perseus


        "Lasse Reichstein Nielsen" <lrn@hotpop.com > wrote in message
        news:ekb8fo6r.fsf@hotpop.com...
        > "centaur" <perseus_medusa@hotmail.com> writes:
        >
        >> I am now seeking tools on javascript obfuscation.
        > ...
        >> I need to encrypt several js and jsp files using javascript.
        >
        > (If I'm not mistaken, jsp stands for Java Server Pages, and is a
        > server side thing. No reason to obfuscate them at all.)
        >
        > *Why* do you think you need to obfuscate (which is *not* encryption)
        > Javascript?
        >
        > You are talking about security - secrecy in particular. Before taking
        > any security measure, one should construct a threat model:
        > What are you trying to prevent?
        > Who are you trying to prevent from it?
        > What are their capabilities?
        > What will it cost you if the security fails?
        >
        > When you have determined your security needs, you can evaluate a given
        > security measure (e.g., obfuscating Javascript) to see how it helps
        > you counter the threats, *and* whether it is worth it.
        >
        >> If not an open source, which other obfuscator you will recommend ?
        >
        > None. The way web pages work is such that anything worth protecting
        > should not be published. If anybody can have any significant gain from
        > getting access to your code, then they *can* get access cheap enough
        > to make it worth it. Adding obfuscation won't cost them enough to stop
        > them, unless the gain is so insignificant that you shouldn't care
        > either.
        >
        >
        > In security, it is widely accepted that security through obscurity is
        > false security. In other settings, obscurity can *add* an extra layer
        > of defense on an otherwise secured attack path, and a delay there
        > might help you respond before the protection is breached in depth.
        >
        > For a web page that is downloaded and manipulated off-line, extra
        > delay means fairly little. Also, since the browser must be able to
        > read the scripts without interaction, there is no way to implement
        > security in depth, so the obfuscation becomes the only security
        > measure. It is simply not the right tool for that. Sadly, that means
        > that there isn't any.
        >
        > /L
        > --
        > Lasse Reichstein Nielsen - lrn@hotpop.com
        > DHTML Death Colors:
        > <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
        > 'Faith without judgement merely degrades the spirit divine.'



        • Lee

          #5
          Re: Obfuscation

          centaur said:
          >
          >Thanks for your reply.
          >
          >Actually, I am using some javascript "technique" and my product is selling
          >to some technology company. They could easily figure out how I do this and
          >we would lose our competitiveness.

          If they're a technology company, they probably already know
          how to do it, but management decided to buy vs make to avoid
          the support burden.

          If you're really such a good developer that you've invented
          an algorithm that's worth hiding, you should be able to write
          your own obfuscator in less time than you've spent asking for
          one. Beware though, that some people who wouldn't otherwise
          be interested in your code may take obfuscated code as a
          personal challenge.

          If you're serious about hiding your code, run it on the server.


          • David Given

            #6
            Re: Obfuscation

            centaur wrote:
            [...]
            > Actually, I am using some javascript "technique" and my product is selling
            > to some technology company. They could easily figure out how I do this and
            > we would lose our competitiveness. I know they could still figure out what
            > we use if they study closely because they are able to download it. But I
            > just want to make it difficult. I saw script in gmail is turned into code
            > like function skdh() {...}, so it's not readable and it makes reverse
            > engineering difficult. I just want to seek tools like this.

            While this will make it more difficult, it will only make it a little bit
            more difficult, and the benefit will be so small that it's probably not
            worth the effort --- the amount you'd spend trying to obfuscate your code
            will be vastly more than the amount you'd gain. I'd recommend you don't
            even try.

            What is worth doing is minimising your code; run it through a cruncher that
            will make it as small as possible. This will make it much faster to
            download (and will also make it fairly difficult to read).

            --
            +- David Given --McQ-+ "Turning, pages turning in the widening bath,
            | dg@cowlark.com | The spine cannot bear the humidity.
            | (dg@tao-group.com) | Books fall apart; the binding cannot hold.
            +- www.cowlark.com --+ Page 129 is loosed upon the world." --- Zarf
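
Added example, not written by any poster in this thread: a crude identifier renamer of the `function skdh() {...}` kind discussed above, run over a constructed sample routine, to show what the replies argue. Renaming hides the names but leaves the constants, operators and control flow intact and the behaviour identical. The names `renameIdentifiers`, `skeleton`, `load` and the sample function are assumptions made for illustration.

```javascript
// Constructed sample standing in for a "proprietary" client-side routine.
const SAMPLE = `
// tiered discount (constructed example)
function computeDiscount(orderTotal, loyaltyYears) {
  var baseRate = 0.05;
  if (orderTotal > 1000) { baseRate = baseRate + 0.10; }
  return orderTotal * (baseRate + loyaltyYears * 0.01);
}`;

const KEYWORDS = new Set(['function', 'var', 'if', 'else', 'return']);
// Identifier not preceded by a word character or '.', so numeric literals
// and property names are left alone. Good enough for the sample above only;
// it does not understand strings, regex literals or block comments.
const IDENT = /(?<![\w$.])[A-Za-z_$][\w$]*/g;
const stripComments = (src) => src.replace(/\/\/.*$/gm, '');

// Renaming pass: drop comments, shorten every name, squeeze whitespace.
function renameIdentifiers(src) {
  const names = new Map();
  const code = stripComments(src).replace(IDENT, (id) => {
    if (KEYWORDS.has(id)) return id;
    if (!names.has(id)) names.set(id, '_' + names.size.toString(36));
    return names.get(id);
  }).replace(/\s+/g, ' ').trim();
  return { code, names };
}

// What a reader still sees once names are ignored: keywords, constants,
// operators and control flow.
function skeleton(src) {
  return stripComments(src)
    .replace(IDENT, (id) => (KEYWORDS.has(id) ? id : 'ID'))
    .replace(/\s+/g, '');
}

// Evaluate a source string and hand back the named function.
function load(code, fnName) {
  return new Function(code + '\n;return ' + fnName + ';')();
}

const renamed = renameIdentifiers(SAMPLE);
const original = load(SAMPLE, 'computeDiscount');
const shipped = load(renamed.code, renamed.names.get('computeDiscount'));

console.log(renamed.code);
console.log('same skeleton:', skeleton(SAMPLE) === skeleton(renamed.code));
console.log('same result:  ', original(2000, 3) === shipped(2000, 3));
```

The rates `0.05`, `0.10`, `0.01` and the `> 1000` threshold appear unchanged in the renamed output, which is why the only way to keep such values private is to compute them on the server.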
