Encrypting Web Pages

Colt blogs about Obfuscating Web Pages using a commercial product.

By looking at the sourcecode (View -> Source, since the right click was disabled), I was able to get to the javascript function they were using to “decrypt” the page. This took me 5 minutes and is very easy to figure out.

The fact is, because the script is interpreted at runtime, the scripting engine has to be able to decode the encrpyted data and needs information on how to do this. With the way the HTTP protocol works and current scripting technologies, if the scripting engine can get this information, so can the hacker. Even the Microsoft ScriptEncoder for encrypting VBScript has been broken.

It is unfortunate that there are many products out there that claim to protect client side javascript.

Only server side code can be protected (BTW, have you locked down your webserver using IPSEC? If not, you should consider doing so!)