Question

I know you can use a javascript obfuscator to make javascript source protected, but I need a better solution on top of this.

I'm investigating options to encrypt a javascript file to be placed on some websites. This javascript file is included like normal with:

<script src="http://secure.com/encryted.js"></script>

The idea is to somehow prevent users viewing the source of the javascript or at least make it much harder to do so...

I'm thinking of a way to only return the javascript by doing something like

<script src="http://secure.com/validate.php"></script>

That way I could, on the host secure.com, check for certain conditions and only return the javascript (encrypted) if those conditions are met.

Does anyone have an idea, or has anyone done such a thing? Or does anyone know of a good way to prevent the source code of javascript from being exposed, or to make it very hard?

ETA seems a good way to encrypt it

http://www.enetplanet.com/enc/

My goal is to have people viewing the source/html not be able to "just view" the source. Any thoughts?

Solution

No, TEA (http://www.enetplanet.com/enc/) is not the kind of tool you can use for such a task. It is just a little bit more than a proof-of-concept or than a toy. TEA (like any other encryption system) cannot be actually used to encrypt/protect a javascript file that you send to the customer's browser.

Consider this: the user must have a copy of the encryption program to decipher the javascript file coming from your server. In other cases, this would not be a great security hole in itself. Any encryption system relies on the secrecy of a key, not on the secrecy of the encryption program/algorithm.

Unfortunately, when talking of client-side javascript, this is a security hole. The encryption program (TEA) is a javascript file itself. Anybody can read it. It is trivial to modify it in a way that it just prints out the encryption key or in a way that it just decrypts the "protected" javascript file without making any check.

Moreover, the end-user has total, unlimited access to the network communication channel. He can just read the password (the key) with a network sniffer installed on his PC. No key (and no encryption system) can resist such an attack (well-known as a "man-in-the-middle" attack).

It is well known that there isn't any real way to encrypt/protect a javascript file. The best you can do is to obfuscate it.

If you really need to protect some kind of client-side software, you have to use compiled software (C/C++), encryption and some kind of hardware key. Any other system can easily be "cracked" (as the whole history of computer games can demonstrate).
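
The answer's point that the key and the decryptor both have to travel to the client, as an added example (not part of the original post and not the code from the linked TEA page): a minimal TEA loader in plain JavaScript. `KEY`, `SECRET_SOURCE`, `shipped`, `loader` and `viewSource` are constructed, hypothetical names; the packing scheme is a simplification chosen for the demo.

```javascript
const DELTA = 0x9e3779b9;
// One 64-bit TEA block (two uint32 words), 32 rounds, 128-bit key k[0..3].
function teaBlock(v, k, decrypt) {
  let [v0, v1] = v;
  let sum = decrypt ? 0xc6ef3720 : 0;            // DELTA * 32 mod 2^32
  for (let i = 0; i < 32; i++) {
    if (decrypt) {
      v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >>> 5) + k[3]))) >>> 0;
      v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >>> 5) + k[1]))) >>> 0;
      sum = (sum - DELTA) >>> 0;
    } else {
      sum = (sum + DELTA) >>> 0;
      v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >>> 5) + k[1]))) >>> 0;
      v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >>> 5) + k[3]))) >>> 0;
    }
  }
  return [v0, v1];
}

// Demo packing: four UTF-16 code units per block, NUL-padded, block by block.
function encryptSource(src, key) {
  const out = [];
  for (let i = 0; i < src.length; i += 4) {
    const c = j => src.charCodeAt(i + j) || 0;   // past the end -> 0 padding
    out.push(...teaBlock([(c(0) << 16 | c(1)) >>> 0, (c(2) << 16 | c(3)) >>> 0], key, false));
  }
  return out;
}

function decryptSource(words, key) {
  let s = "";
  for (let i = 0; i < words.length; i += 2)
    for (const w of teaBlock([words[i], words[i + 1]], key, true))
      s += String.fromCharCode(w >>> 16, w & 0xffff);
  return s.replace(/\0+$/, "");                  // strip the padding
}

// Constructed stand-ins for the "protected" script and its key.
const SECRET_SOURCE = "return [1,2,3].map(function(x){return x*x}).join(',')";
const KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210];

// What the server must send to every browser so the script can run at all.
const shipped = { key: KEY, ciphertext: encryptSource(SECRET_SOURCE, KEY) };

// The intended loader decrypts and executes ...
function loader(b) { return new Function(decryptSource(b.ciphertext, b.key))(); }
// ... and the same inputs, returned instead of executed, are the plaintext source.
function viewSource(b) { return decryptSource(b.ciphertext, b.key); }
```

Anything the browser needs in order to execute the script is enough to reconstruct it, so the design decision that follows is to keep logic that must stay confidential on the server and treat shipped JavaScript as public.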

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow