I have a client whom has a document full of javascript that they would like to encrypt. My idea is that I can create an php upload form for the unencrypted document and then it processes and gives the client back the encrypted document. Would it be possible to salt the code so that it will still work but not be able to be undone?
I have a client whom has a document full of javascript that they would like to encrypt. My idea is that I can create an php upload form for the unencrypted document and then it processes and gives the client back the encrypted document. Would it be possible to salt the code so that it will still work but not be able to be undone?
Share Improve this question edited Dec 7, 2011 at 23:44 ThinkingStiff 65.4k30 gold badges147 silver badges241 bronze badges asked Dec 7, 2011 at 23:22 Jess McKenzieJess McKenzie 8,39528 gold badges104 silver badges172 bronze badges 4- 2 Not possible. An irreversible encryption method will prevent a browser from parsing and showing your page. – Rob W Commented Dec 7, 2011 at 23:25
- 2 You should look in minifying the code if you want to obfuscate the logic. – Sam Dufel Commented Dec 7, 2011 at 23:26
- What exactly is a document? Is this like a Word or PDF file? – Ilia G Commented Dec 7, 2011 at 23:31
- As everyone has said so far, you can make it hard for people to get to your code but you cannot make it impossible. If the code can be executed, then it can be accessed, copied and modified. Think about how many billions have been spent on encryption by the movie industry, and their efforts have always been cracked and torn to pieces after a few months. It really is impossible. Even the source code for piled languages like C and Flash can be depiled by simply running it through freely available tools (the code produced is quite hard to read mind you). – Abhi Beckert Commented Dec 7, 2011 at 23:47
3 Answers
Reset to default 6No.
Essentially if your code is working it is being interpreted by the browser (and can be seen... at least partially).
You're best bet is to obfuscate your code.
On a side note, you could try what Jake said and simply redirect all *.js request to a php page (using .htaccess) which:
1. fopen's the file,
2. Reads it into a string,
3. encodes the string,
4. and then returns that.
Although that requires the client to have the key with which you encrypted the string. And once someone decrypts that js (to run it), they can steal it...
No, it's not possible: a browser can't run encrypted nonsense to which it has no decryption key. You have to give the browser valid code that it understands — either by sending it unencrypted code, or sending it encrypted code and the decryption key and code to do the decryption — and you can't prevent the user from getting access to the code that his browser is running.
You can obfuscate the code, however, to make it difficult for someone to read and understand while still being valid and runnable. There are tools that'll do things like remove all ments and rename variables to meaningless names. But with enough time and effort, someone could still figure out what the code does.
This is a pretty crazy idea, but you could require that the end user enter an encryption key within the browser, used to decrypt the code. You could then run eval() on the decrypted string to get the code loaded into memory. I don't know if requiring the end user to enter a key is viable in your case, but it so - it should work.