Solved

Reverse engineering encrypted websites

Posted on 2014-03-21
7
325 Views
Last Modified: 2014-03-27
This question may have nothing to do with security, but security is the term used by the developers I’ve been talking to. These developers are developing web services and a website based on the HTML5/JavaScript/CSS development model. They are concerned that people could reverse engineer their product since so much is in text. They know that encryption can be used to make it difficult to do this, but several hackers have been able to decipher supposedly encrypted websites. Is the concern about reverse engineering reasonable? Is there an effective way to encrypt such programs?
0
Comment
Question by:steve_webber
  • 3
  • 3
7 Comments
 
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 250 total points
ID: 39945903
Nope.

In order for it to be viewed, it must be decrypted.

However, in a proper web application, all the coding is on the server that the client can never see, all that is displayed in the browser is the rendered content.  The back-end code is as secure as the web server platform is.
0
 

Author Comment

by:steve_webber
ID: 39945917
If the web page downloaded through a browser is HTML5 (not necessarily encrypted) and references a ".js" file, aren't these downloaded to the client site and therefore subject to discovery?
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39945998
Yes, but that is only the client side they can see.  It is the server side that makes things secure.  The design should contain server-side components that are secured and validate all their inputs.  The server side obfuscates the client side components.  If a hacker examines the client-side, they will hack it and start feeding the server-side bogus data to get it to crash.

Security should be the top consideration insofar as design is concerned.  My biggest infosec lesson I learned back in ~2000; up to that point - every software that was ever built, or network ever designed was done to share information, not secure it.  Only after we built these things did we then think about security.  Don't make the same mistake.
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 

Author Comment

by:steve_webber
ID: 39946061
I guess the real concern of those I'm talking to is that someone can reverse engineer the secret sauce about how the web application works. It is not as much a concern about securing the data. I guess with Ajax and most of the real algorithms being on the server things are safer, but that means changing things a good deal to not send HTML and JavaScript to the client. Is this how you see it?
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39946371
It's difficult to be precise without knowing your product, so I can only speak generally.
Therefore, generally speaking, the less you give to the client, the more control you will retain.

As a 'hacker' - I don't care two bits about your 'secret sauce' and nobody else does either. I'm interested on how I can use it against you, to manipulate it to get it to do something I want - which is usually something you don't want.

When it comes right down to it - there really isn't much of a way to stop people from figuring out how you're doing what you're doing.
0
 
LVL 52

Accepted Solution

by:
Scott Fell,  EE MVE earned 250 total points
ID: 39947118
The secret sauce should be on the server and that means your serverside code/api is doing all the work.   If you put your secret sauce in the js, there is nothing you can do to hide it.

As example.  Let's say your product is encryption and you want to demonstrate how you would use DES.  If you did this client side via javascript like the sample here https://code.google.com/p/crypto-js/#DES,_Triple_DES.  You can see below that your secret passphrase is in the javascript meaning anybody can see it.
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>
<script>
    var encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");

    var decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
</script>

Open in new window

If you did this serverside where you posted a form to your server and did your encryption in your database or serverside code or even if you run your js serverside, your secret would not be seen.  I don't mean for this to be a discussion on the actual type of security here, just pointing out the difference.

I think what steve is talking about, "I don't care two bits about your 'secret sauce'" are the folks that may be scouring around your wordpress site for all the easy access you may have left open.  But you do have a valid concern. If I am your competitor, I may want to see how you do things.  There are a lot of lazy people that would rather "borrow" your method rather than being innovative on their own.
0
 

Author Closing Comment

by:steve_webber
ID: 39959742
My concern about implementing "secret sauce" proprietary algorithms in JavaScript for a website to see was validated. The only solution seems to be to hide everything on servers. Even better, make sure any source is not on servers that are visible on the internet. Leave only compiled code on the visible servers.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question