Possible Duplicates:
How effective is obfuscation?
Protect ASP.NET Source code
(Why) should I use obfuscation?

Is obfuscation the best answer for protecting our code?

*Especially in Web Projects, when you want to deliver your web projects as libraries of code to your customer (the person who ordered).*


Edited

At first my priority is server-side code and second client-side, but the main goal is: when you want to deliver a complete web project and you have made every piece of your code as components and DLLs, how effectively can you protect them and not allow others to get your code back from them?


Edited

The problem is that I want to protect the code that I've written for a company that ordered it. Now all my code is inside some DLLs. Now they can reverse engineer that and get my code. I want to prevent them from doing so. Is there any way to do so or not?

I think that is a unique question, and I didn't ask what obfuscation is nor for tools for doing this activity. Beyond that, I think this is apart from Client-Server Security.

Sorry if my question wasn't clear at first, but if that is really a case to be deleted, no problem for me.


Also

Also, I wanted to have a comparative look at this problem and the solutions, because I think obfuscation isn't the only possible solution to this. I think we can maybe have some logical sort of workarounds for this problem.

A: 

The normal server-side code in Web projects should under no circumstances be visible to the outside world. So there is no point in obfuscating the code.

Besides that, two minor points:

  • JavaScript code is visible to the user and can be obfuscated. Minimizing JavaScript to save bandwidth is recommended anyway. Minimizing JS also obfuscates the code.

  • Also important is that on a production system the configuration setting customErrors should be set to RemoteOnly or On to avoid showing a stack trace with too much code detail.

dmeister
Thanks, I knew these items. Sorry my question wasn't clear at first.
Sypress
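A check for the customErrors point in the answer above, as an added example that is not part of the original answer or of any tool named on this page: it reads a web.config and reports the customErrors mode for the site and for each `<location>` override, which is where a safe site-wide setting is most easily undone. The sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAFE_MODES = {"On", "RemoteOnly"}  # the two values the answer recommends

# Constructed sample web.config: the site-wide setting is safe, but a
# <location> override switches detailed errors back on for one path.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>
"""

def _child(parent, tag):
    """Return the first direct child with this tag, or None."""
    if parent is None:
        return None
    return next((c for c in parent if c.tag == tag), None)

def audit_custom_errors(xml_text):
    """Return [(scope, mode, ok)] for the site and each <location> override."""
    root = ET.fromstring(xml_text)
    findings = []
    site = _child(_child(root, "system.web"), "customErrors")
    # With no explicit element or attribute, ASP.NET defaults to RemoteOnly.
    site_mode = site.get("mode", "RemoteOnly") if site is not None else "RemoteOnly"
    findings.append(("(site)", site_mode, site_mode in SAFE_MODES))
    for loc in root.findall("location"):
        ce = _child(_child(loc, "system.web"), "customErrors")
        if ce is None:
            continue  # this path inherits the site-wide setting
        mode = ce.get("mode", "RemoteOnly")
        findings.append((loc.get("path", ""), mode, mode in SAFE_MODES))
    return findings

if __name__ == "__main__":
    for scope, mode, ok in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(f"{'OK  ' if ok else 'FAIL'} {scope}: customErrors mode={mode}")
```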
+1  A: 

Hosting a critical function as a web service is probably the most sure way to protect it. It keeps the code out of the user's hands entirely. But then you're stuck hosting a service, and your users have to be on line to use your functionality.

Obfuscators help by hiding useful names and replacing control flow with weird but logically equivalent alternatives. They might thwart an amateur, but they'll only slow down a skilled reverse engineer for a few minutes, and they won't stop someone who is determined to penetrate your secrets.

John Deters
That is a good idea, and I'll use it as much as I can in my future projects, but now the objective is a bit different.
Sypress
+1  A: 

What exactly are you trying to protect your code from?

Does your client-side code contain valuable business logic?

If not: you shouldn't bother obfuscating something that doesn't have much value. Personally I think client-side code theft is something that people are far too concerned about. 99% of web apps don't really have anything special in terms of implementation on the client side. What you need to worry about more is someone ripping off the idea or visual look, which you obviously can't obfuscate.

If it does: you need to consider refactoring that logic out of the client side, as even with heavy obfuscation, a determined party will always be able to untangle it relatively easily. The code that adds real value to your app should ideally be running on your servers where it's considerably more difficult to get access to.

Even if people stealing your HTML markup or JavaScript was something to worry about (and it probably isn't), obfuscation doesn't really solve the problem. In my opinion it is a waste of effort and money.

TM
The problem is that I want to protect the code that I've written for a company that ordered it. Now all my code is inside some DLLs. Now they can reverse engineer that and get my code. I want to prevent them from doing so. Is there any way to do so or not?
Sypress
@Sypress no, there is no practical way to stop them. Your only real defense is legal, not technical.
TM
+1  A: 

Maybe not the best. If you are really ambitious, you can write your own web server (plugin).

But is it worth the effort?

Software is similar to a bike in the Netherlands: there is no known way of protection that is 100% safe. You either use better protection than the other bikes (thieves are lazy), or you must obfuscate the bike so they won't take it.

Another way to increase the level of protection is to use custom-made ActiveX code to store mission-critical algorithms. Of course, they can be reverse engineered, but JavaScript is easier.

Gamecat
Good to know, thanks.
Sypress
+3  A: 

NO, obfuscation is not the best way to protect your code.

The tool you need to use is "copyright".

There is no (technological) way you can protect your code from someone determined enough (provided they have access to the binaries / scripts).

What you can do is prevent them from legally modifying/distributing your code.

lexu
After learning of the methods and strategy which I used, how can copyright protect my code? Their developers can learn everything and use it any way they want. At least I want to make as much hardship as I can to make my code safer and harder to reverse-engineer. And I also want to look at its usability and performance, because maybe some security work affects them. Thanks.
Sypress
How about selling the right to use your code to them... or... have them pay you to teach how it is done?
lexu
It can be good, but I'm sure they won't pay any extra money; also, I prefer to keep my work an exceptional one.
Sypress
A: 

If your client side code has any broad value to others, it will get reverse engineered regardless of any obfuscation.

The reality is that it's likely not going to be broadly useful to many, and there is a lot of other code out there to look at, so it's probably not worth doing more than minifying the code, which is plenty of obfuscation, and if your code is large, it will improve download speed.

Have you considered the alternative? That it's a good thing to give some things back to the community? I'm sure you've looked at the code of more than one site, no?

jottos
+1  A: 

If you really want to protect your code, you should write native code using a native code compiler (C++, Delphi). This still does not guarantee that your code is 100% safe, because any experienced developer can read assembler and essentially disassemble the native code program.

A determined hacker will always find a way to get to what they want.

The best we can do is to make it hard or painful for the would-be hacker to get at our code and the following options can help us:

  1. Customize the CLR engine
  2. Run an obfuscation tool over your code and use name and control flow obfuscation and string encryption
  3. Make the application a Web-based application where all your proprietary code sits on a server somewhere
  4. Watermark your code using your own custom techniques to "throw off" the would-be hacker
  5. Implement techniques to prevent debugging (this is a very advanced topic!)

I really like a comment made by one of the head developers of the .NET framework where he said that he does not feel it's really the fact that others can get at our code that should be a concern to us, but rather, we should concern ourselves with the level of support we provide with our products.

So if we provide a good support base, it does not matter what the hackers do with our code, because the clients will trust us and our ability to support them using our product and not some cheap hacker-hacked program.

Mike J
Good info, thanks. Support is a good point that you mentioned. The problem is more protecting as much as possible and making it hard to reverse-engineer. Also, I'm eager to know more about numbers 4 and 5. I'd really like to hear from head developers too.
Sypress