ThePsion5 Posted August 11, 2006

I was thinking about the problem of using client-side JavaScript encryption without the website user being able to see and potentially decode how it works, and I have an interesting idea on how to make it much more difficult (though not impossible, sadly) to find and view said code, and should deter all but the most dedicated of code-stealers, lol.

Why not use a referrer+time based seed with any of the common PHP encryption functions to keep any unauthorized sources from viewing your JavaScript code? It could be implemented like so:

Use this in the head section of your html/php pages to include any needed JavaScript:

```php
<?PHP
$minute = floor(time()/3600);
$seed = md5($_SERVER['PHP_SELF'] . $minute);
print '<script type="text/javascript" src="js/protected.js?seed=' . $seed . '"></script>';
?>
```

Then, in the protected.js file, you would include a page with code like this:

```php
<?PHP
function isValidReferrer($seed)
{
    $ValidSeeds = array();
    $Page = $_SERVER['HTTP_REFERER']; //The refering page
    $Minutes[] = floor(time()/3600); //This minute
    $Minutes[] = $Minutes[0]-1; //The previous minute
    $ValidSeeds[] = md5($Page . $Minutes[0]);
    $ValidSeeds[] = md5($Page . $Minutes[1]);
    return in_array($seed, $ValidSeeds);
}

if(isValidReferrer($_GET['seed']))
{
    //print the scripts
}
else
{
    //say something mean and threatening to them :D
}
?>
```

Granted, it'd be some extra overhead for a server with high traffic, but if you really want to keep your JavaScript secure then it might be a good idea. You could further spice it up by adding your own seed, cookie information, and the like.

Any input? It seems like an interesting idea if you don't mind the extra server overhead.

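Added example, not part of ThePsion5's post or of any library: the same time-window token check with the digest keyed by a server-side secret (HMAC-SHA256), since a bare MD5 of the page path and the clock uses only values every visitor also has. The key, the constant and function names and the sample values are assumptions made for illustration, and one-minute windows are assumed.

```php
<?php
// Hypothetical names throughout: WINDOW_SECONDS, SCRIPT_TOKEN_KEY,
// makeToken(), isValidToken(). None of them come from the thread.

const WINDOW_SECONDS = 60; // assumption: one-minute windows

// Assumption: a random key loaded from server configuration and never
// sent to the client. The value below is a constructed placeholder.
const SCRIPT_TOKEN_KEY = 'replace-with-32-random-bytes-from-config';

// Token the page embeds in the <script src="...?seed=..."> URL.
function makeToken(string $pagePath, int $now): string
{
    $window = intdiv($now, WINDOW_SECONDS);
    return hash_hmac('sha256', $pagePath . '|' . $window, SCRIPT_TOKEN_KEY);
}

// Check performed by the script endpoint before it prints anything.
function isValidToken(string $token, string $referer, int $now): bool
{
    // The page hashes its own path, so reduce the Referer URL to its
    // path component before recomputing the token.
    $path = parse_url($referer, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false; // missing or unparsable Referer header
    }
    // Accept the current window and the previous one.
    foreach ([0, 1] as $age) {
        $expected = makeToken($path, $now - $age * WINDOW_SECONDS);
        if (hash_equals($expected, $token)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample values.
$now     = 1155312000;
$referer = 'http://example.com/index.php';
$token   = makeToken('/index.php', $now);

var_dump(isValidToken($token, $referer, $now + 45));  // same window
var_dump(isValidToken($token, $referer, $now + 180)); // three windows later
// Unkeyed digest built only from the public path and clock:
var_dump(isValidToken(md5('/index.php' . intdiv($now, 60)), $referer, $now));
```

A valid token only gates the request. Once the script is served, the browser holds it in full.
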
aspnetguy Posted August 11, 2006

Sounds interesting and like it would be difficult to crack.

Just a couple questions.

1. How do you include PHP code in a .js file?
2. When you call isValidReferrer you send 2 parameters but in the function definition it only takes 1 parameter... is this a typo?

ThePsion5 (Author) Posted August 11, 2006

1. You can use server settings to parse a file with any type of extension - adding .js to the list of extensions to look for PHP tags in is as simple as adding a few characters (for Apache at least, I know you can do the same on other servers as well).
2. Whoops. Corrected now.

aspnetguy Posted August 11, 2006

Sounds interesting, do you have a working sample of it? I would be interested in trying to crack it.

ThePsion5 (Author) Posted August 11, 2006

Sadly, the only server I have that runs PHP at the moment is my laptop. I think I can give you some estimates on the time it would take, however:

Assuming the attacker knew nothing about the seed, it would be nigh-impossible to crack without brute-forcing every MD5 combination (16^36 attempts on average). If they faked the HTTP_REFERER then they would still need to figure out that it was being used with a seed. Assuming they did that and made the following assumptions and could run all their attacks within one minute:

1. The seed is an integer less than 3600: (24*60)/2 = 720 average
2. The seed is an integer less than 10 digits: ((10^10)-721)/2 = 4,999,999,639 average
3. The seed is any string less than 10 digits: ((129^10)-721)/2 = 638,068,209,558,560,809,240 average (Muahahaha!)

If they try to brute force the MD5 function, it would take (129^32) = Some large number I can't translate, lol

If they can't run all of their attacks in a minute, then divide those numbers by the percentage of the attack they can complete in one minute... so if the attacker could only run 10% of the attacks, multiply the average attempts by 10. Basically, it becomes less and less likely the longer they take.

aspnetguy Posted August 11, 2006

nevermind, I am not that motivated

ThePsion5 (Author) Posted August 11, 2006

Hehe, I was barely motivated to come up with those statistics, lol...

justsomeguy Posted August 11, 2006

I would be interested if you can get this working online. I bet I could crack it and get the javascript code.

benjy355 Posted August 11, 2006

Oh it's possible to crack absolutely everything. Some things would just take long enough to a point where no single person could solve it in the time they would be alive. (Or they would fry their brain)

Little Goat Posted August 12, 2006

yea. all you would need to do is type `javascript:document.write(document.getElementsByTagName('html')[0].innerHTML)` in the address bar and view generated source in Opera or FF.