views: 106

answers: 8

Hello there

I have got a particular requirement where some critical algorithms have to be handled in the client-side script, and they have to be secured. Using JavaScript will just expose the algorithm. I am currently evaluating ways to secure the algorithm in the client script. Appreciate any suggestions and alternative approaches.

One option I am thinking about is to download a small applet to the local PC, get the calculations done in it and update the results back. Before deciding on this, I want to know if a client script itself can be made secure, because that would be much easier.

Thanks in advance!

+3  A: 

You CANNOT secure anything on a client PC.

Everything you are doing client-side is crackable and spoofable.

That's the PC of the client. It will be doing anything the client has requested it to do.

EFraim
+1  A: 

Bottom line is, if someone wants your logic ... they will get it unless it is server-side and they never obtain it in any way.

What you want is a JavaScript obfuscator.

Aiden Bell
No JavaScript obfuscator can *guarantee* anything.
EFraim
I never said it could. Hence the first line of my post.
Aiden Bell
The point is that a JavaScript obfuscator will give a false sense of security, when in fact there is little.
EFraim
Hence the first line of my post.
Aiden Bell
A: 

An NPAPI plugin will execute on the client-side and make reverse-engineering much more difficult.... but of course a determined hacker will be able to reach-through...

jldupont
Really? Give me my debugger.
EFraim
@EFraim: but of course you are capable of reverse-engineering it given a debugger! That's why I said **much more difficult** than e.g. obfuscate or not Javascript.
jldupont
Care to explain the down-vote? Or is it just a case of "drive-by-downvoting-without-a-good-reason"?
jldupont
I don't see how an NPAPI plugin will help. It's not encrypted in any way; it's just native machine code instructions run on the client side. You'd achieve the same by just having them download an exe and run that. Anyone could read the machine code and figure out the algorithm.
Simon P Stevens
I'm the one that downvoted. Reason explained in post above. I don't think NPAPI provides any significant extra security.
Simon P Stevens
I had a friend in university that got fed up with a certain program crashing on him, so he decompiled it, stepped through the code with a debugger, fixed the bug, and then submitted a binary patch back to the company with the fix. If it runs on my machine I can see what it's doing, and it only takes the skills that a CS undergrad would have.
tloach
This answer itself is not wrong (though I personally would not upvote it); however, I have to emphasize that every attempt to solve this client side is *going in the wrong direction*, as stefpet said.
EFraim
Guys, I used to do **lots** of reverse-engineering: I know for a **fact** that anything can be cracked. An NPAPI **can** provide additional security given the level of sophistication that is required. It is **much** easier to use the integrated features of a browser such as Chrome **than** having to go through GDB and what not.
jldupont
Everything is relative in this Universe: if you guys can't deal with **relativity** (as in something X is more difficult than something Y) then I am not the one with the problem.
jldupont
@jldupont: No one has a problem and no offence was intended by my downvote. Votes are simply a way of marking agreement or disagreement with a provided solution. I happen to disagree with your solution, but as you say this is about relative difficulty, so this is a grey area. I accept your opinion and I'm sure others will agree with you too. I hope I have not caused you any offence.
Simon P Stevens
Thanks for all your thoughts. Securing client-side script was a random thought; I just wanted to see if there is some means to make it at least closer to native DLLs. Won't be a piece of cake for novice reverse engineers. I will settle for downloading native DLLs to the local PC. By the way, can you suggest a reverse-engineering book? Just curious to give it a try myself.
Dhurka
I went through my "reverse engineering period" over 15+ years ago... back then, far fewer books were available: I can't recommend one, unfortunately.
jldupont
+1  A: 

Nothing on the client side can be totally "secure".

Anything you make them download will have to be run on the client PC, and so can be analysed. If you have them download an applet or a native executable, it will still contain machine instructions that can be analysed at the very least to an assembly level.

Is there no way you can have the client upload the data to your server instead and perform the calculation on the server side?

Simon P Stevens
Server side is unfortunately not an option currently. Thanks for sharing your thoughts.
Dhurka
+1  A: 

If it's client-side, then it's not secure. Anything with critical security concerns should be done on the server.

Kaleb Brasee
+1  A: 

Script is not secure; also, what level of security do you need? If you download anything to the client, the client will be able to look at the algorithm. Of course, if you download a native DLL, then decompiling it will be harder; the question is whether this is good enough.

That's an important thing most people miss when evaluating security: nothing is truly 100% secure, because your server admin could go in and steal the binaries off your server. And if you're using third-party hosting, who knows who has access to the server.

The idea is to raise the bar. Do you want to prevent the average script kiddie? Obfuscate it and make it hard for them to understand; the gain from understanding the algorithm might not justify the pain of trying to understand it.

The best that you can probably do is keep the algorithm on the server and expose it via a web service.

JoshBerke
Thanks Josh. I completely agree with you that nothing is 100% secure. I just didn't want the script to be very obvious. Downloading a native DLL would be better for now. Thanks again.
Dhurka
+2  A: 

Everything that the end-user controls 100% may be tampered with, and this is especially true with JavaScript, which is so easily exposed.

You are going down the wrong path. You need to rethink your approach.

stefpet
+1  A: 

You could build a web service containing the critical algorithm and call it from JavaScript.

Vinz