I am looking to protect the code of my Firefox extension because it has server calls in it that would be a security risk if someone could make them outside of the extension. Any suggestions on how to encrypt it?

A: 

If it's going to be executed on the client side, with no reliable secret, then basically you've definitely got a security vulnerability.

It's hard to suggest ways round this without knowing a bit more about your extension. An obvious suggestion would be to request a username/password, authenticate (over HTTPS) with the server and receive a time-limited token, and then present that token with the "dodgy" request. That won't stop anyone with the right username and password though...

Jon Skeet
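A sketch of the server side of the flow suggested in the answer above, added here as an example and not code from the original thread: the server checks a username/password, issues an HMAC-signed token with an expiry, and refuses the sensitive call without a valid one. The names `login`, `verify`, `sensitive_call`, the 15-minute lifetime and the demo account are assumptions; the signing key stays on the server and is never shipped in the extension.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # server-only secret; not present in the extension
TOKEN_TTL = 900                       # assumed token lifetime in seconds
SALT = secrets.token_bytes(16)
# Constructed demo account store holding a salted PBKDF2 hash, not the password.
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def login(username, password, now=None):
    """Return a time-limited token, or None if the credentials are wrong."""
    now = time.time() if now is None else now
    stored = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    payload = json.dumps({"sub": username, "exp": int(now) + TOKEN_TTL}).encode()
    return b64(payload) + "." + b64(sign(payload))

def verify(token, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, AttributeError):
        return None                       # malformed token
    if not hmac.compare_digest(sig, sign(payload)):
        return None                       # forged or tampered token
    claims = json.loads(payload)          # only parsed after the signature checks out
    if claims["exp"] <= now:
        return None                       # expired
    return claims["sub"]

def sensitive_call(token, now=None):
    """The protected endpoint: it trusts the token, not the calling program."""
    user = verify(token, now)
    if user is None:
        return (401, "unauthorized")
    return (200, f"ok for {user}")
```

Because the token names the account, the server can log, rate-limit or revoke per user, which is the control that remains when a valid user makes the call from outside the extension.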
+4  A: 

This is basically impossible. You want to give executable code to an untrusted client that has "secret" calls in it, yet not let the client know the secrets? How, then, is it going to execute the code?

At some point, it must be decrypted. Which means the client has everything it needs to perform the decryption, which means a user can do it, and build a malicious version of your extension.

The only choice you have is to redesign such that vulnerable services are not publicly exposed.

Adam Wright
A: 

Thank you! I will go with authentication of users.