views: 306

answers: 12
I have some JavaScript code I need to encrypt, but I want to be sure no one can decrypt it.

What tools can I use to do this?

-- Edit --

I still want to run the code on my site, I just want to make sure no one else can decrypt the code.

+6  A: 

There is no way to do that. You can obscure it and have some domain checking code in it. Or you could have it served with a server-side script that checks the referring domain.

Daniel A. White
Thanks Daniel. If I obscure it and have domain-checking code, would people be able to decrypt it and change the domain it checks?
James Skidmore
Yes they would... obscure basically means the use of weird variable / function / class names, and remove all line breaks so the entire javascript is on one line.
ILMV
Since it's run on the client side, if they are able to decode it they can easily remove the domain checking. Some of the ideas to obfuscate your code below will help, but it's mostly a futile effort because the code is interpreted/run in the browser.
GnomeCubed
They don't even need to remove domain checking; good old "view source" and copy/paste would do.
musicfreak
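Added example, not part of the original answers: a sketch of the server-side "check the referring domain" idea from the answer above, showing a substring match beside an exact hostname comparison. `ALLOWED_HOSTS`, `SCRIPT_BODY`, the function names and the sample header values are assumptions made for illustration.

```javascript
// Added illustration. ALLOWED_HOSTS, SCRIPT_BODY and all function names are hypothetical.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);
const SCRIPT_BODY = 'console.log("widget loaded");'; // constructed stand-in for the real script

// Weak form: substring match on the raw header. Any URL that merely
// contains the site name (as a subdomain label or in a query string) passes.
function refererAllowedWeak(referer) {
  return typeof referer === 'string' && referer.includes('example.com');
}

// Stricter form: parse the header as a URL and compare the hostname exactly.
function refererAllowed(referer) {
  if (typeof referer !== 'string' || referer === '') return false; // header missing
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return ALLOWED_HOSTS.has(url.hostname); // hostname is already lower-cased by URL
}

// Decide the response for a request to the script, given Node-style
// lower-cased request headers. Vary keeps shared caches from replaying
// an allowed response to a request with a different Referer.
function scriptResponse(headers) {
  const common = { Vary: 'Referer' };
  if (!refererAllowed(headers.referer)) {
    return { status: 403, headers: common, body: '' };
  }
  return {
    status: 200,
    headers: { ...common, 'Content-Type': 'text/javascript; charset=utf-8' },
    body: SCRIPT_BODY,
  };
}

// Constructed sample header values.
const samples = [
  'https://www.example.com/page.html',
  'https://example.com.other.test/',
  'https://other.test/?from=example.com',
  undefined,
];
for (const r of samples) {
  console.log(String(r), refererAllowedWeak(r), refererAllowed(r));
}
```

Even the exact-match check only limits hotlinking from other sites: the header is supplied by the client, and every visitor to an allowed page still receives the full script body.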
A: 

I don't think you want encryption, unless you're going to write a browser extension that can decrypt the javascript.

I think GWT, or even jsmin can sufficiently compress / obfuscate your javascript for normal use.

If you want to tie some client side code to your site, you may want to consider some sort of a random handshake that depends on a server-side method to 'validate' the javascript. I don't even know if that's feasible though.

John Weldon
+6  A: 

If you truly want to decrypt it so that no one else can decrypt it, you could use one of any number of encryptions. For instance, to do it manually, you could use TrueCrypt; or to do it programmatically, use the encryption libraries available in most languages.

If what you are really asking, though, is how to obfuscate the code so that no one can reverse-engineer it, the answer is: you can't, not in Javascript or any other language. The best you can do is make it more difficult on the reverse-engineers by making it hard to read; for that, there are any number of tools:

BlueRaja - Danny Pflughoeft
+2  A: 

While not actually encrypted, Yahoo's YUI Compressor will compress and obfuscate your JavaScript for normal use and provides better compression than JSMin.

jschmier
The only problem is that the code often doesn't work after that. I've tried :(
Steven
That's because you need to run your code through JSLINT first, and make it pass the JSLINT test. Code fails from a minify due to mistakes in your code that standard (forgiving) JS interpreters don't complain about. Mainly insufficient semicolons.
Breton
+13  A: 

The Javascript code is executed in the browser, i.e. on the client side, which means it must be available not-encrypted on the client side.

The "best" you can do is probably to minify it, which will make it harder to understand it -- and a bit of obfuscation might do too -- even if someone really motivated will still be able to read it.

See for instance the YUI Compressor, which can both minify and obfuscate JS code.

Pascal MARTIN
Part of the value of minification, though, is that even if someone really dedicated can see the code flow, they still can't figure out just what you mean by variable "a" or "b".
Matchu
But a masochist will be able to analyze the code and understand it.
ChaosPandion
There are online code formatters which can "unminify" the code, so minification does not protect the code in any way...
Šime Vidas
@Šime Vidas - all they can do is improve the formatting. They can't figure out what a variable called `a` represents and name it usefully - unless computers have got sentient whilst I was napping.
Dominic Rodger
@Dominic - I was referring to the quote "to minify it, which will make it harder to understand it". Minifying does not make the code harder to understand.
Šime Vidas
+1  A: 

What you're looking for is obfuscation, not encryption. There are tools such as JSMin and the YUI Compressor that will make your code very unreadable, to the point where no one would want to try to make sense of it. However, there is no way to make it so that someone can't copy and paste it onto their own website and run it there. I wouldn't worry about it, honestly, because you'd be wasting your time trying to protect something that can't be protected. Try putting all your "important" logic on the server-side, if possible, because that's the only foolproof way to do it. If the browser can access it, so can anyone else.

musicfreak
+2  A: 

Microsoft used to provide Script Encoder to encode your JavaScript (and ASP and VBScript etc.) but the encoded script only worked in Internet Explorer so it was a big no-no (link)

Nowadays only obfuscation is an option. But you can break any obfuscation with tools like the Online JavaScript Beautifier so you're out of luck. You can minimize and you can obfuscate but you truly can't hide what you are doing.

The best minimizer/obfuscator is probably Google Closure Compiler - it's very advanced and might turn your code into something very hardly understandable.

Andris
+2  A: 

There is no way to do so because at the end of the day, the code still has to run, unencrypted, on the client machine, which means the routine to decrypt the code has to be sent alongside the encrypted code. You're handing them both the lock and the key, all they have to do is turn.

Your best bet is to run it through an obfuscator, but even then, it's not like somebody won't be able to just rewrite it themselves without the need to attempt to read your code anyway.

mynameiscoffey
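Added example, not part of the original answers: the "lock and the key" point above, shown with a toy self-decrypting bundle. The XOR cipher, the function names and the sample script are assumptions made for illustration; a stronger cipher changes nothing, because the key still has to ship with the payload.

```javascript
// Added illustration. pack, decode, runBundle and recoverSource are hypothetical names.

// Toy cipher: XOR each byte with a repeating key. Applying it twice restores the input.
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Publisher side: build the bundle that is sent to every visitor.
// The key has to travel with the payload, or the browser could not run it.
function pack(source, key) {
  return {
    key: key.toString('base64'),
    payload: xorBytes(Buffer.from(source, 'utf8'), key).toString('base64'),
  };
}

// The decode step every loader must perform before it can execute anything.
function decode(bundle) {
  const key = Buffer.from(bundle.key, 'base64');
  return xorBytes(Buffer.from(bundle.payload, 'base64'), key).toString('utf8');
}

// Browser side: the loader shipped next to the bundle decodes it and runs it.
function runBundle(bundle) {
  return new Function(decode(bundle))();
}

// Anyone holding the bundle: the same decode step, keeping the text
// instead of executing it. No secret beyond the bundle itself is needed.
function recoverSource(bundle) {
  return decode(bundle);
}

// Constructed sample "protected" script and key.
const SAMPLE_SOURCE = 'const secretFactor = 7; return 6 * secretFactor;';
const bundle = pack(SAMPLE_SOURCE, Buffer.from('constructed-demo-key'));

console.log('payload as delivered:', bundle.payload);
console.log('result when run:', runBundle(bundle));
console.log('source recovered intact:', recoverSource(bundle) === SAMPLE_SOURCE);
```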
+1  A: 

I think you're confusing encryption with compiled binary.

Not even commercial closed-source software such as Microsoft Office or Adobe Photoshop are encrypted for distribution. But they are compiled to native machine code, which makes them hard to reverse engineer.

JavaScript has no such thing as a compiled binary. But, as more and more browsers move to bytecode compilation to achieve faster performance, we may someday have a compiled JavaScript source format. Perhaps, analogous to Python's .py and .pyc files, maybe we'll have a .jsc or JavaScript Compiled file, that can be delivered to the browser in binary form, to run in its JavaScript virtual machine.

No such thing exists yet though. And even if it did, this is just a more intense obfuscation. Obfuscation is fine for preventing casual copying and sharing, but if you really need to protect your intellectual property, move the logic server-side.

darkporter
A: 

This is exactly DRM: you're giving the user a lock, and also the key to it, and expecting to be able to say what they can do with it.

It's theoretically impossible: if their computer can execute the code, it has to be unencrypted there.

It's practically impossible, too: look at everybody watching DVDs on Linux boxes to see how successful you can be.

Ken
+1  A: 

What you want is theoretically and practically impossible. People will tell you here that it is not possible and you might think "Well, that's because nobody has tried hard enough". No. It's impossible in the same way that calculating the nth prime number in linear or constant time is impossible. It's impossible in the same way that the halting problem is impossible to solve. "What do you mean 2+2 doesn't equal five? You're not trying hard enough!"

Not only is it impossible though, but the motivations for wanting this sort of thing are normally pretty misguided. It's always a fundamental mistake to attempt to use technology to solve a problem that is fundamentally a legal problem. You want to protect your code from "pirates" or competitors, perhaps? It's not likely that you've written anything particularly worth stealing, but if you have, and you don't want people to steal it, then your only true recourse is the rule of law.

However, on a larger level, your problem is not likely going to be competitors or pirates stealing your code. Your problem is going to be business oriented: Gaining an audience through making a quality product, and the right price, and with sufficient marketing. You do that right, someone stealing your code doesn't matter. You do it right, and having the "authentic original" will appear to have real value. In fact, if you release your stuff open source, it can only really help you, because then you have an army of interested amateurs working for you for free, potentially. Piracy and reverse engineering is actually a godsend because it means people are interested enough in your product to want to improve it. The best thing is to do whatever you can to let that happen.

If your business really does depend on keeping some javascript secret, then you've basically made a mistake in your business plan at stage 1.

If your business is selling a javascript library (such things exist!), then you're no worse off than any other seller of software. The best thing to do is to market it towards honest businesses that have no problem with giving you money. The people that pirate your stuff had no intention of paying you anyway- and get the fundamental disadvantage that they don't get your technical support, or regular maintenance updates.

If this is not a business effort, then I really have no idea why you're even bothering. Proper credit?

Breton
A: 

No can do! Wait for a compiler but do not hold your breath!

Square Rig Master