I am fairly new with silverlight and I really find it cool. I have a question about how it runs the code client-side tho..
Say for example, I have a site that calculates a certain amount based on user inputted amounts. This of course I would love to do client-side. The catch though, is that the formula used for the calculation is proprietary and a trade secret. If I put this formula client-side using SL, will it be safe? Or can it be reflected?
If you want to keep algorithms secret, don't push it to the client side. No form of obfuscation or protection is ever perfect.
Also, when you have calculations on the client side, you should always check the results on the server, rather than just assuming they're correct. Assume that the client is compromised.
Silverlight pushes the XAP file to the client. The XAP file is simply a zip file containing your .NET assemblies, which can then be unzipped and reflected against. The company I work for (PreEmptive Solutions) markets Dotfuscator, which can obfuscate Silverlight assemblies. Right now you have to unzip the xap, obfuscate and zip them back in, but we're working on improving the workflow.
Just a note to Dotfuscator users: If you create a Dotfuscator project, you must use the "User Defined Assembly Load Path" property in the "Settings" tab to browse to the Silverlight libs. The paths you need are:
\Program Files\Microsoft SDKs\Silverlight\v2.0\Libraries\Client
or on 64 bit operating systems:
\Program Files (x86)\Microsoft SDKs\Silverlight\v2.0\Reference Assemblies
I must COMPLETELY agree with Marcus. Even obstruficated .NET assembly is still easy to read for a good programmer.
My solution would be WCF service for the calculation. Just push all the data there and give an answer. If your formula is top secret and not obvious (like a*x+b*y+c*z) then even is somebody would get access to service, then it wuold be hard for him to get it.
Don't fall into a trap of think hiding the algorithm will protect it. Once you put it on the web somebody will figure it out no matter what you do. With enough sample data anybody with some math skills should be able to figure out your algorithm.
All you can do is make it harder. If this algorithm is is something proprietary that you have bought then it will need to be server side. Putting the algorithm on the client side is essentially publishing it and you could be liable.
IntelliLock and .NET Reactor (my preferred tool) obfuscates my assemblies nicely.
While obfuscation is not a fool-proof method, it makes it that much more difficult for somebody to see your code. One has to really jump though convoluted hoops to get to your final code if the layers of obfuscation are good. Crypto Obfuscator is one obfuscator which supports obfuscation of Silverlight assemblies.
Another cool tool is CodeFort. It has free edition. See it in action at http://www.codefort.org
CodeFort .NET & Silverlight Obfuscator
CodeFort is an advanced obfuscator and protection tool for Microsoft .NET and Silverlight applications.
BAML and XAML obfuscator - obfuscate 100% of your code
CodeFort is the first tool ever to be able to obfuscate identifiers inside the XAML and BAML code which is used in Silverlight and WPF applications. This makes it for the first time possible to obfuscate 100% of your code.
Powerful protection against attackers
Coupling the XAML/BAML obfuscation with powerful protection features such as Reference Scrambling and Anti-Tampering CodeFort is a state-of-the-art obfuscating tool.