Solved

Reverse engineering encrypted websites

Posted on 2014-03-21
7
330 Views
Last Modified: 2014-03-27
This question may have nothing to do with security, but security is the term used by the developers I’ve been talking to. These developers are developing web services and a website based on the HTML5/JavaScript/CSS development model. They are concerned that people could reverse engineer their product since so much is in text. They know that encryption can be used to make it difficult to do this, but several hackers have been able to decipher supposedly encrypted websites. Is the concern about reverse engineering reasonable? Is there an effective way to encrypt such programs?
0
Comment
Question by:steve_webber
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 15

Assisted Solution

by:jrhelgeson
jrhelgeson earned 250 total points
ID: 39945903
Nope.

In order for it to be viewed, it must be decrypted.

However, in a proper web application, all the coding is on the server that the client can never see, all that is displayed in the browser is the rendered content.  The back-end code is as secure as the web server platform is.
0
 

Author Comment

by:steve_webber
ID: 39945917
If the web page downloaded through a browser is HTML5 (not necessarily encrypted) and references a ".js" file, aren't these downloaded to the client site and therefore subject to discovery?
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39945998
Yes, but that is only the client side they can see.  It is the server side that makes things secure.  The design should contain server-side components that are secured and validate all their inputs.  The server side obfuscates the client side components.  If a hacker examines the client-side, they will hack it and start feeding the server-side bogus data to get it to crash.

Security should be the top consideration insofar as design is concerned.  My biggest infosec lesson I learned back in ~2000; up to that point - every software that was ever built, or network ever designed was done to share information, not secure it.  Only after we built these things did we then think about security.  Don't make the same mistake.
0
Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

 

Author Comment

by:steve_webber
ID: 39946061
I guess the real concern of those I'm talking to is that someone can reverse engineer the secret sauce about how the web application works. It is not as much a concern about securing the data. I guess with Ajax and most of the real algorithms being on the server things are safer, but that means changing things a good deal to not send HTML and JavaScript to the client. Is this how you see it?
0
 
LVL 15

Expert Comment

by:jrhelgeson
ID: 39946371
It's difficult to be precise without knowing your product, so I can only speak generally.
Therefore, generally speaking, the less you give to the client, the more control you will retain.

As a 'hacker' - I don't care two bits about your 'secret sauce' and nobody else does either. I'm interested on how I can use it against you, to manipulate it to get it to do something I want - which is usually something you don't want.

When it comes right down to it - there really isn't much of a way to stop people from figuring out how you're doing what you're doing.
0
 
LVL 53

Accepted Solution

by:
Scott Fell,  EE MVE earned 250 total points
ID: 39947118
The secret sauce should be on the server and that means your serverside code/api is doing all the work.   If you put your secret sauce in the js, there is nothing you can do to hide it.

As example.  Let's say your product is encryption and you want to demonstrate how you would use DES.  If you did this client side via javascript like the sample here https://code.google.com/p/crypto-js/#DES,_Triple_DES.  You can see below that your secret passphrase is in the javascript meaning anybody can see it.
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/tripledes.js"></script>
<script>
    var encrypted = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase");

    var decrypted = CryptoJS.TripleDES.decrypt(encrypted, "Secret Passphrase");
</script>

Open in new window

If you did this serverside where you posted a form to your server and did your encryption in your database or serverside code or even if you run your js serverside, your secret would not be seen.  I don't mean for this to be a discussion on the actual type of security here, just pointing out the difference.

I think what steve is talking about, "I don't care two bits about your 'secret sauce'" are the folks that may be scouring around your wordpress site for all the easy access you may have left open.  But you do have a valid concern. If I am your competitor, I may want to see how you do things.  There are a lot of lazy people that would rather "borrow" your method rather than being innovative on their own.
0
 

Author Closing Comment

by:steve_webber
ID: 39959742
My concern about implementing "secret sauce" proprietary algorithms in JavaScript for a website to see was validated. The only solution seems to be to hide everything on servers. Even better, make sure any source is not on servers that are visible on the internet. Leave only compiled code on the visible servers.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question