
View Source encryption

I’ve put a lot of work into building my website/forums board. Well, the other day this person that was visiting my site started lifting my code to use on his site, so I tried running my website through a source encrypter but for some reason it never turns out… so I’m having to pick select sections of the code to encrypt… is there a better way to stop people from stealing source code?


41 Comments(s)

@brendandonhue Jul 03.2003 — Copyright it.

That's the only way. Any client side code can be copied, and those source encryptors (at least the ones I have seen) all require JavaScript, which the user doesn't always have.
@Khalid_Ali Jul 03.2003 — There might be some solutions out there; however, at the end of the day I don't think that will be possible....
@steelersfan88 Jul 05.2003 — There is an Encrypt-A-Script file which I've used and have found success with. But with this, be sure to back up the original because editing is very challenging. Try this link:

http://webdeveloper.earthweb.com/repository/javascripts/2002/08/96811/encrypt.htm

Hope it helps
@jeffmott Jul 05.2003 — [quote][b]Encrypt-A-Script[/b][/quote]
This is actually weaker than the usual insecure JavaScript, and is extremely easy to restore to its original form.

brendandonhue's suggestion is really your only option to be effective.
@Baby_Jai Jul 05.2003 — Ok, there are a couple of things. I have had the problem, originally I would use JavaScript for a member login and people were using other people's passwords, there are some ways to make this difficult but with Netscape it's hard to block them from taking your code.

1) Create your site in frames, and use a navigational bar where it doesn't say the name of the mainframe or any other sites, so this way if they go to read the source it's only the left or top frame.

2) Use this http://www.htmlpassword.com/, this is a very good program. It encrypts the page. Now, here is the key. If you get someone that knows what they are doing they can unencrypt this with some time depending on how big the page is and how much stuff is on it. What it does is it jumbles around all the words and stuff.

Hope that helps
@DaveSW Jul 05.2003 — [QUOTE][i]Originally posted by Baby Jai[/i]

[B]1) Create your site in frames, and use a navigational bar where it doesn't say the name of the mainframe or any other sites, so this way if they go to read the source it's only the left or top frame.[/B][/QUOTE]

So they take the frame src of the navbar and open that page instead.

If your server supports PHP, you might do better just to ask pyro for a PHP script. He posted a login one a while back in the PHP forum.

http://forums.webdeveloper.com/showthread.php?s=&threadid=9950

Other than that I'm sure there are equivalent ASP scripts etc.
@Baby_Jai Jul 05.2003 — OK Dave, I have a challenge for you then, tell me if you can get it from my site.
@DaveSW Jul 05.2003 — Which page exactly?

Here's the menu:

<html>
<head>
<title>Left Frame</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#000000" text="#FFFFFF" onLoad="clock()">
<div align="center">
<pre align="left"><a href="http://www.qksrv.net/click-1285926-5764927" target="mainFrame" onMouseOver="window.status='http://www.fonts.com';return true;" onMouseOut="window.status=' ';return true;">
</a><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,0,0" width="125" height="230">
<param name="movie" value="navbar.swf">
<param name="quality" value="high">
<param name="menu" value="true">
<embed src="navbar.swf" quality="high" menu="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"
width="125" height="230">
</embed>
</object>
<a href="http://www.qksrv.net/click-1285926-1200266" target="mainFrame" onMouseOver="window.status='http://www.half.com';return true;" onMouseOut="window.status=' ';return true;">
</a><a href="http://www.qksrv.net/click-1285926-5590851" target="mainFrame" onMouseOver="window.status='http://www.ubid.com';return true;" onMouseOut="window.status=' ';return true;">
</a>
<a href="http://www.qksrv.net/click-1285926-7323527" target="mainFrame" onMouseOver="window.status='http://www.prizegames.com';return true;" onMouseOut="window.status=' ';return true;">
</a><a href="http://www.qksrv.net/click-1285926-1161485" target="mainFrame" onMouseOver="window.status='http://www.animfactory.com';return true;" onMouseOut="window.status=' ';return true;">
</a>
<a href="http://www.qksrv.net/click-1285926-5673497" target="mainFrame" onMouseOver="window.status='http://www.ipowerweb.com';return true;" onMouseOut="window.status=' ';return true;">
</a>
</pre>
<p>&nbsp;</p>
</div>
</body>
</html>

<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://domainpending.com/js_source/geov2.js"></script><script language="javascript">geovisit();</script><noscript><img src='http://127.0.0.1:1025/bug.cgi'> </noscript>

<img src='http://127.0.0.1:1025/bug.cgi'>
@Baby_Jai Jul 05.2003 — Not that man, that's easy to get, get me the Members section html. If you get it email me it. I'm dying to see if you can get
@DaveSW Jul 05.2003 — OK I've emailed the page I think you mean. Flash menu was sneaky, but calling the page 'members.html' was just plain stupid. :p If you hadn't called it members.html I might have had to think!!
@Baby_Jai Jul 05.2003 — LOL, see you thought it would be that easy. It's not over yet. That html is good, but not what I wanted, check your email.
@DaveSW Jul 05.2003 — OK, that JavaScript encryption is pretty good. But err... you really should take more care with your filenames. I'll email you a link in a sec...
@Baby_Jai Jul 05.2003 — OK, this is what I was saying. You see how long it took you with my help to get the source? This is why this person should do this. Who would want to do all that just to view a source? Someone hacking maybe, but if you don't have severe security issues, don't worry about it.
@DaveSW Jul 05.2003 — Actually I've just noticed the link only works in Opera.

'Heres what the doctor ordered, a full CD JAM PACKED with...

Its all what you want in this collection!_ We're talking 4,700 Pics and 100+ Movies! Thats alot! That doesnt even give you enough time to look at every picture!'

Since this is a family forum I'll cut it there thank you...
@DaveSW Jul 05.2003 — Had I known what I was looking for I could have got it ages ago. As it was I had to go in via the menu, etc.

Really speaking it depends what you're protecting. Your protected area doesn't really need a protection. Pardoning the pun obviously.


Do I get free premium membership for that?
@Baby_Jai Jul 05.2003 — Lol, hmmm. So it works in Opera? Try accessing it now.
@Baby_Jai Jul 05.2003 — Free membership? Get to it now and we'll talk.
@DaveSW Jul 05.2003 — Astounding - you've changed the file name. Well done.
@DaveSW Jul 05.2003 — My parents have just come home, so I'll have another look Monday.
@Charles Jul 05.2003 — And speaking of things immoral, the whole project of hiding mark-up and code is itself immoral. The web was built up by people peeking under the hood and learning from others. And it is in that spirit of learning from others that things like this board exist. And it takes a lot of nerve to expect us, in the spirit of cooperative learning, to help you thwart that cooperation.

That said, the Bishop of Rome provides a useful tool to those seeking a way around moral imperatives, the Law of Double Effect. Said law allows one to do any number of otherwise immoral things as long as the immoral thing is an unfortunate side effect. You can wipe out numberless innocent civilians during a war as long as they are "collateral damage" and you can have an hysterectomy as long as the aim isn't birth control.

Now this has absolutely nothing to do with anything else posted in this thread and I'm certain that I should post it somewhere else, but you can speed up the loading of your page and decrease bandwidth usage by "normalizing" your code. That is by getting rid of all end of line characters and tabs. Unfortunately, this will make the page rather difficult for humans to read.
@jeffmott Jul 06.2003 — [quote][i]Baby Jai[/i]

[b]You see how long it took you with my help to get the source? This is why this person should do this[/b][/quote]
A half hour, especially when much of that time was wasted just trying to figure out what it was you wanted him to retrieve, is [b]not[/b] considered high security by any means.

Also, I have visited your member login page. Unless I am missing something, a correctly entered username or password will do nothing. No redirections, not even an alert message. How you go about attacking this part of the problem is also an integral part of the security.

However, you may like to know that the usernames and passwords are indeed secure. The script you use actually uses MD5, which is a secure hashing algorithm.

That script is also far more complicated and unorganized than it needs to be. The function HHHHH(), which currently consumes ~70 lines, probably could have been written in 15 or less.

I have attached my own implementation of a secure JavaScript user/pass login. Its advantages over the HTML Password Lock that you linked to are:

1) this one is free

2) more organized -- easier to maintain

3) can protect and section instead of only one page

4) [i]theoretically[/i] more secure by using SHA-1 instead of MD5

This script is secure enough to stand on its own. Users can view the source and still not be able to break it. So [b]don't disable right click[/b]. It is always ultimately unsuccessful and also an annoyance.

Attachment: js pw protect.zip (4kB)
@Baby_Jai Jul 06.2003 — So honestly? Is it secure or what. And what you are seeing is wrong Jeff. There are usernames that work great, it's embedded in the web page and that is why you cannot see it. Try to put in a name and it will tell you invalid login. If need be I can give you a username and you can see what I'm talking about.
@jeffmott Jul 06.2003 — [quote][b]And what you are seeing is wrong Jeff. There are usernames that work great, it's embedded in the web page and that is why you cannot see it. Try to put in a name and it will tell you invalid login. If need be I can give you a username and you can see what I'm talking about.[/b][/quote]
ummm, you did read my post right?
[quote][b]you may like to know that the usernames and passwords are indeed secure. The script you use actually uses MD5, which is a secure hashing algorithm.[/b][/quote]
@Baby_Jai Jul 06.2003 — [QUOTE][b]Also, I have visited your member login page. Unless I am missing something, a correctly entered username or password will do nothing. No redirections, not even an alert message. How you go about attacking this part of the problem is also an integral part of the security.[/b][/QUOTE]

This is what I was referring to.
@jeffmott Jul 06.2003 — Actually though, I could use some of Charles' help on the make-user document, since he is far more familiar with the DOM than I. MSIE treats it quite peculiarly. If I give both textboxes and spans the same id (technically illegal) it works (in IE). But if I give them their own unique IDs then it doesn't work at all. Opera follows the same pattern and I don't believe it functions correctly at all in Netscape.
@Baby_Jai Jul 06.2003 — Jeff.............

I sent you a PM, I would like to contact you for some help or guidance. If possible, I'm quite confused with the zip you attached.
@Jeff_Mott Jul 06.2003 — The make-user page of the zip I reuploaded currently appears to be MSIE specific. I'll have to get some info from Charles to change that. But the only problematic page is one used solely by the developer and not the Web public, so it is still very usable. If there was another question you had, you can ask it here. Or in a PM if you wanted to do it privately.

[quote][b]quote: Also, I have visited your member login page. Unless I am missing something, a correctly entered username or password will do nothing. No redirections, not even an alert message. How you go about attacking this part of the problem is also an integral part of the security.

this is what I was referring to.[/b][/quote]
I think I see now. It writes the new content to the current page. And that content is otherwise kept encrypted. They've already used MD5 so I can only assume they would have chosen a secure symmetric algorithm, but I can't discern what they are using. I don't suppose they happened to give you information about what algorithms they used?
@Baby_Jai Jul 06.2003 — Well to tell you the truth.... I have no idea. The fact of the matter is I didn't know how to use Perl or PHP so I used a JavaScript password section with usernames and passwords. I see that it is how to unencrypt, but my teacher at college uncrypted it within 5 minutes. Not going to say how, but he did. Amazing what these teachers in college can do when you take network administration. If you like, visit the page. It doesn't really say specifics, I'm guessing because that it might be easier for you to figure out.

P.S. When my teacher uncrypted it, he just spaced it out and just deleted some text.
@Jeff_Mott Jul 06.2003 — [quote][b]but my teacher at college uncrypted it within 5 minutes. Not going to say how, but he did[/b][/quote]
I'm actually extremely curious how now. I went through the JS code again and discovered that the encryption algorithm they're using is RC4, which is a secure stream cipher. For the key to the encryption they use the base64 encoding of the MD5 hash of the correct password. It could have used some improvements here or there, but is ultimately secure. It certainly would take more than spacing or deleting some text. So unless you showed your teacher a page protected from a different program, or maybe even a different version, there really should be no way for him to have decrypted it.
@Baby_Jai Jul 06.2003 — Well the fact of the matter is this. It's very hard to uncrypt so my point before about it being secure is legit then? Well he did, I really don't want to go into detail so you could break the code. But the main thing here is, that it's hard for you to break so it's doing the job.
@Jeff_Mott Jul 06.2003 — [quote][b]he did, I really don't want to go into detail so you could break the code[/b][/quote]
I'm not even sure you understand the world impact if this is true. RC4 is considered secure and thus is still in current use. It is the encryption algorithm used in the Cellular Digital Packet Data. In other words, it's what keeps people from eavesdropping on cell phone conversations. In addition to many other commercial products. If your teacher can break it in 5 minutes.... If you still have access to this teacher would you be able to get some information on his break? Yes/No information would suffice if you don't want to reveal the process.

[quote][b]it's very hard to uncrypt so my point before about it being secure is legit then?[/b][/quote]
If all the previous information regarding your teacher is correct then no, actually, it's not secure. You could call it difficult to get into, but not secure. It's even possible that whatever your teacher did, someone has also done then posted to the internet a program to perform the break automatically. Which means people won't need to break it themselves. They need only to use a search engine.
@Baby_Jai Jul 06.2003 — OK Jeff, see the thing here is this. Sure there are things that only hackers can break into, but what I'm saying about it being secure isn't true because my teacher can break into it? There are people out there that have talents unheard of. So just because he can break it doesn't mean it's not secure. This guy writes Java for a living. He builds webpages from notepad. I think that's ridiculous but whatever right? Lol. On another note, he is a smart man, but you totally confused me when you said RC4 and cell phones, JavaScript in cell phones? WOW, I thought I was lost before. Now, I'm blitzed. I'm sure he would tell you how to break the code, but then now you have access to my site. See the thing is this, whether he can or cannot, you cannot so therefore it is secure, correct?
@Jeff_Mott Jul 06.2003 — [quote][b]just because he can break it doesn't mean it's not secure[/b][/quote]
It does, actually. In cryptography an algorithm is considered secure if it cannot be broken with available resources, either current or future (no matter who the person is).

[quote][b]See the thing is this, whether he can or cannot, you cannot so therefore it is secure, correct?[/b][/quote]
No. Consider the analogy of an actual lock. It is secure if and only if it cannot be bypassed (i.e., you must have the correct key). But you are saying your teacher can bypass that lock without the key. Thus that lock fails the definition of being secure.

[quote][b]This guy writes Java for a living. He builds webpages from notepad.[/b][/quote]
Not meaning to criticize your teacher but a very large number of people do also program in Java. And nearly every professional Web developer, including a great many on this forum and myself, write their pages in notepad. These aren't exactly astounding qualifications.

[quote][b]JavaScript in cell phones?[/b][/quote]
No, RC4 in cell phones. An algorithm is simply a step-by-step procedure. Computers can be instructed to perform that procedure in just about any programming language. The HTML Password Lock contains a JavaScript implementation of the RC4 algorithm. Cell phones contain an implementation probably in C or directly in hardware.

[quote][b]I'm sure he would tell you how to break the code, but then now you have access to my site.[/b][/quote]
Your personal Web site is the least of the concern. But I also never said you had to describe the process, only yes/no questions. The obvious ones are...

1) Did he break RC4 (the symmetric stream cipher in HTML Password Lock)?

2) Did he break MD5 (the one-way hashing function in HTML Password Lock)?

3) Or did he just happen to guess your password?

If the answer is yes to either one or two then there are serious repercussions and his findings need to be brought to the public community. He would also become extremely well known in the cryptographic community for doing what even the world's best cryptographers couldn't.
@Baby_Jai Jul 06.2003 — OK..... that's all I have to say.
@brendandonhue Jul 08.2003 — I can assure you he did not decrypt the RC4/MD5 hashes. Because they are not encrypted. They do not contain in any way the contents of the original string, therefore the contents cannot be taken out of it.

He cracked it from some weakness in your script, or from some access he had to its files.
@Jeff_Mott Jul 08.2003 — And how did you come to that conclusion?

The functions that I have identified are:

function Cmmmmm(x) is MD5(message)

function cc1r2(k132, tk28) is RC4(key, plaintext)

The variable NNNII is an array that holds what appears to be base64 data. The password is passed through a series of functions including the MD5 implementation and assigns it to HHHPP. A loop then passes HHHPP (the hashed password) and each element of NNNII through several functions, which include RC4. The result of that is what is written to the document. If I went wrong somewhere, let me know.

**Though I recently noticed that their implementation of RC4 is not quite right. They perform the mixing operation as many times as the length of the key. It is supposed to be performed 256 times regardless of the key length. Also, during the ciphering phase the counter variable is supposed to start at 1, but they start at 0. I haven't checked the values of their MD5 implementation, but it wouldn't surprise me if they made a mistake there too.

The idea is good (in fact I like it better than my own) but the implementation is sloppy.
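
The two RC4 deviations described in the post above (mixing loop run key-length times, cipher counter starting at 0) can be checked against published RC4 test vectors. This is an added example, not part of the thread and not code from HTML Password Lock; the option names `shortKsa` and `counterAt0`, the helper names and the sample message are assumptions made for illustration.

```javascript
"use strict";

// Convert an ASCII string to an array of byte values.
function toBytes(str) {
  return Array.from(str, (ch) => ch.charCodeAt(0) & 0xff);
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

// RC4 with switches for the two deviations described in the post.
//   shortKsa:   run the key-scheduling mix key.length times instead of 256
//   counterAt0: use the cipher-phase counter i before incrementing it
function rc4(key, data, opts = {}) {
  const { shortKsa = false, counterAt0 = false } = opts;
  if (key.length < 1 || key.length > 256) throw new RangeError("key must be 1..256 bytes");
  const S = Array.from({ length: 256 }, (_, n) => n);

  // Key-scheduling algorithm (KSA): the standard always performs 256 swaps.
  const rounds = shortKsa ? key.length : 256;
  let j = 0;
  for (let i = 0; i < rounds; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }

  // Keystream generation (PRGA): the standard increments i first,
  // so the first index it uses is 1.
  let i = 0;
  j = 0;
  return data.map((byte) => {
    if (!counterAt0) i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    const k = S[(S[i] + S[j]) & 0xff];
    if (counterAt0) i = (i + 1) & 0xff;
    return byte ^ k;
  });
}

// Widely published RC4 known-answer vectors: key, plaintext, hex ciphertext.
const VECTORS = [
  ["Key", "Plaintext", "bbf316e8d940af0ad3"],
  ["Wiki", "pedia", "1021bf0420"],
  ["Secret", "Attack at dawn", "45a01f645fc35b383552544b9bf5"],
];

// True only if the implementation reproduces every published vector.
function passesKnownAnswers(opts) {
  return VECTORS.every(
    ([k, p, hex]) => toHex(rc4(toBytes(k), toBytes(p), opts)) === hex
  );
}

// True if decrypting with the same options restores the message.
function roundTrips(opts) {
  const key = toBytes("Key");
  const msg = toBytes("members-only page"); // constructed sample input
  return toHex(rc4(key, rc4(key, msg, opts), opts)) === toHex(msg);
}

const DEVIANT = { shortKsa: true, counterAt0: true };
console.log("standard: vectors", passesKnownAnswers({}), "round trip", roundTrips({}));
console.log("deviant:  vectors", passesKnownAnswers(DEVIANT), "round trip", roundTrips(DEVIANT));
```

The deviant variant still decrypts its own output, so the page appears to work; only the known-answer check shows that it is not RC4, and with a short mixing loop most of the state array is left in its initial order.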
@Baby_Jai Jul 08.2003 — I can't believe we're still on this subject. You guys are still checking it out huh? Well, if you come to a conclusion please let me know.
@khaki Jul 12.2003 — hey Jeff...

HAPPY BIRTHDAY !!!

hope it's a fun one ...

K
@Baby_Jai Jul 31.2003 — OK one question, who provides service that you can transfer your domain name to that runs on an Apache server? Does anyone know?
@pyro Jul 31.2003 — Are you asking about hosting? If so, dr2 (http://www.dr2.net) runs Apache and Linux...