Explore our sites

Stack Exchange
tour help careers 2.0
Take the tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 2 down vote favorite
1

I am thinking about creating mini-games in JavaScript that a public social website (yourworldoftext.com) and I had a thought, I am a user of the site and would be embedding my JavaScript in a link's href that others can click on to start the game.

One way I was thinking about would be something like this

  1. Compress/obfuscate the JavaScript as much as possible
  2. Encrypt the JavaScript into a sctring and wrap everything with a small decryption JavaScript that will evaluate the decrypted string (the key to decrypt would be retrieved using AJAX from some other page on the same site)

Here is my motivation:

  1. people should all be using the same version of the game and its not trivial to cheat
  2. The source code contains hacks that might be easy for a JavaScript developer like me to write, but potentially the code could be copy pasted and misused to spam the site
  3. The informed spammer could find any number of scripts already available for free online, I just don't want it to be free from my scripts
  4. I want anyone to be able to run the app without any hidden secret to know (which would make having the script publicly available meaningless because then I'd just share the game those I trusted making the script itself the secret)

Don't misunderstand me, I know there is absolutely no way to ensure that the source code behind the JavaScript would not be available to the informed/intelligent user, I am merely polling to see if this is an exercise in futility and I shouldn't even bother with the extra encryption step, or if any believe that there is some merit to this technique.

I am inclined to believe that it might thwart the casual user, I'm just not sure how much knowledge would be required to break it, if maybe the casual social network user could break it.

Also, I suspect that firebug, developer tools, web inspector will just show the evaluated code anyway, but I'm not sure. If so then it wouldn't really do anything at all to protect it. Most users on the site use chrome (from what I hear because it works best on that browser). So would chrome show it easily in the web inspector?

share|improve this question
2  
whatever you use to decrypt the JS would be readable to anyone who understands javascript, the key would be readable to anyone who is able to use the browser's built-in dev tools. Sounds like a big performance hit and a lot of additional work for 0 added security. –  zzzzBov May 5 at 4:08
1  
Do minify and compress, has its advantages. Encrypting as you said won't do any good. –  techfoobar May 5 at 4:14
 
@zzzzBov performance isn't much of an issue since the decryption is a one time cost, but I see what you mean about the extra work involved to develop it, cost benefit ratio is very low –  codefactor May 5 at 6:22
add comment

2 Answers

up vote 3 down vote accepted

Minification and obfuscation and encryption as you've described are all minor obstacles in the way of people mucking with your code. Each minor obstacle will discourage a small number of would-be hackers. But, none of the three will discourage the determined hacker.

All one has to do to get around the encryption is set a breakpoint in the debugger and capture the code right after it's been decrypted before it's sent to eval and then copy/paste out of the debugger. So, it barely even slows down the determined hacker. In fact, minification (replacing all meaningful variable names with meaningless short names actually creates more work for the hacker in understandong your code).

Personally, I'd avoid the encryption as it doesn't really add much and it's real easy for the determined hacker to get around.

share|improve this answer
 
You have some good points, but it's important to note that my key demographic is not the determined hacker or even the knowledgeable JavaScript user; I'm more concerned with average/casual social network users and the likelihood that they would be able to get around it. –  codefactor May 5 at 6:21
 
@codefactor, you're completely missing the point. The average user would use google to find the information that the determined hacker blogged about. –  zzzzBov May 5 at 6:30
 
@codefactor - you asked for my opinion and I told you what it was. The non-knowledgeable javascript user won't get by the minification and obfuscation as the code will look like gibberish and be hard to read. Anyone who gets by that and can successfully make mods of that is already proficient and is not going to be slowed down much by the further obfuscation with the encryption. –  jfriend00 May 5 at 15:48
 
Thanks for all the comments, all good points. I will probably just skip the encryption. –  codefactor May 5 at 20:04
add comment
up vote 0 down vote

You're right, this is futile. Don't bother with this at all. Your code, although minified and obfuscated can be lifted by users with little knowledge.

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.