Encrypt HTML on the fly?
| Steve W 2004-07-12, 6:01 pm |
| I'm looking for an Apache module that can encrypt and decrypt HTML
content on the fly so a View Source would look encrypted. I've found
problems that do it using JavaScript which is fine, but they all seem
to require static source. Is anyone familiar with such a module that
could do it on the fly without requiring codebase changes to the
dynamic content?
Thanks,
Steve
| |
| Lachlan Hunt 2004-07-12, 6:01 pm |
| Steve W wrote:
> I'm looking for an Apache module that can encrypt and decrypt HTML
> content on the fly so a View Source would look encrypted.
If it were encrypted by the server, then how would the browser parse
it? View Source is one thing that you cannot and should not be trying
to prevent.
Even though, there are methods that encode every character as an
entity (eg. U[0...), but these are extremely easy to
bypass, especially with Mozilla's View Selection Source option in the
context menu. Anyway, What is the point? It's just HTML, CSS and maybe
some JavaScript, there's nothing really in there that needs much
protection. The only time you need to encrypt the HTML is for secure
websites so that the communication cannot be intercepted and read by a
hacker, such as, for example, financial transactions involving credit
card numbers, or other personal details. But even then, the entire
source code is viewable by the user because it is decrypted by the
client before it is passed to the HTML parser and rendering engine.
> I've found problems that do it using JavaScript which is fine,
There are /no/ javascript methods that can do anything like this
successfully. JavaScript can always be disabled, but then there is no
way for javascript to modify the source code of a file in any way.
> but they all seem to require static source. Is anyone familiar with such a module that
> could do it on the fly without requiring codebase changes to the
> dynamic content?
No! Give up on such a silly idea.
--
Lachlan Hunt
http://www.lachy.id.au/
lachlan.hunt@lachy.id.au.update.virus.scanners
Remove .update.virus.scanners to email me,
NO SPAM and NO VIRUSES!!!
| |
| Steve W 2004-07-13, 6:03 pm |
| This requirement is coming from a client and we're unable to talk them
out of it. It can be done statically by something more than encoding
characters. Check out
http://www.share2s.com/protect.html#web-site-encrypt for an example,
but these programs do it not on the fly.
Lachlan Hunt <lachlan.hunt@lachy.id.au.update.virus.scanners> wrote in message news:<a7EIc.91457$sj4.5368@news-server.bigpond.net.au>...
> Steve W wrote:
>
> If it were encrypted by the server, then how would the browser parse
> it? View Source is one thing that you cannot and should not be trying
> to prevent.
>
> Even though, there are methods that encode every character as an
> entity (eg. U[0...), but these are extremely easy to
> bypass, especially with Mozilla's View Selection Source option in the
> context menu. Anyway, What is the point? It's just HTML, CSS and maybe
> some JavaScript, there's nothing really in there that needs much
> protection. The only time you need to encrypt the HTML is for secure
> websites so that the communication cannot be intercepted and read by a
> hacker, such as, for example, financial transactions involving credit
> card numbers, or other personal details. But even then, the entire
> source code is viewable by the user because it is decrypted by the
> client before it is passed to the HTML parser and rendering engine.
>
>
>
> There are /no/ javascript methods that can do anything like this
> successfully. JavaScript can always be disabled, but then there is no
> way for javascript to modify the source code of a file in any way.
>
>
>
> No! Give up on such a silly idea.
| |
| Bruno Wolff III 2004-07-13, 6:03 pm |
| In article <f12cd3d1.0407130656.342bd6b9@posting.google.com>, Steve W wrote:
> This requirement is coming from a client and we're unable to talk them
> out of it. It can be done statically by something more than encoding
> characters. Check out
> http://www.share2s.com/protect.html#web-site-encrypt for an example,
> but these programs do it not on the fly.
If you are using apache 2, you can add on an output filter that does whatever
encoding you want.
It doesn't look like it would be too hard to do the same kind of thing
as on the same page. You have a fixed string that defines a javascript
decoder using % escaped characters to obfuscate the function followed
by the encoded text. That shouldn't be too hard to generate using a filter
program. Especially since the page you referenced has a nice example for
you.
| |
| Lachlan Hunt 2004-07-14, 7:56 am |
| Steve W wrote:
> This requirement is coming from a client and we're unable to talk them
> out of it.
Don't give me that crap, just refuse to do it, or tell them it can't
be done. It creates too much of an accessibility problem and it doesn't
work.
> It can be done statically by something more than encoding
> characters. Check out
> http://www.share2s.com/protect.html#web-site-encrypt for an example,
> but these programs do it not on the fly.
That page is a serious accessibility problem and the script doesn't
work. It took me about 2 seconds to press Ctrl+A, right click and
select View Selection source, and I got the whole HTML source without
any problems.
It's an accessibility problem because not every user agent has
javascript supported, or enabled. Try disabling script yourself and
viewing the page, you won't see anything!
The document does not validate, there's no doctype, plus 61 other
errors, and that's not including the generated HTML after the script has
executed.
Basically it doesn't work with any features that it was claiming:
1. Encrypt Html and hide html source code:
Easily bypassed, as I mentioned above.
2. Disable offline use, prevent "save as" function to save image
Saved the page correctly, but required disabling or removing the
script, but took less than a minute to override.
3. Set No Cache
Didn't bother checking, already saved all the files, why would I
need to check the cache?
4. Fully disable the right mouse-click context menu
Ha? What a load of crap. I set mozilla to disallow that option
when I install it, but what's the point anyway, it can all be done
via other methods if need be, but it doesn't matter, it doesn't
work.
5. Disable text and picture highlight select,Disable image Drag drop;
Doesn't work, if it did I might have had trouble getting the whole
source decrypted, but it doesn't work
6. Disable Image Tools Bar in *IE6*
Need I say more? Who gives a crap, they're annoying anyway!
7. Hide display links and address and messages in status bar
Again, I set mozilla to disable that ability of changing the status
bar. That also creates a usability problem, but any way, what's
the point? But so what? the user will get the real URI when they
visit the linked resource, unless frames are used, but they're just
another accessibility problem.
8. Disable Smart Tags
Who gives a #*@%? Why don't they do something useful and just
disable IE completely.
9. Disable Web pages printed
Didn't work!
10. Compress the Html code before encrypt
Ever heard of deflate, or g-zip compression done on the fly by the
server? What a waste of time.
So, in conclusion, this script is a piece of crap that doesn't work
and creates serious accessibility problems. If my boss asked me to do
something that bad, and refused to listen to reason, I'd just walk out,
without looking back. People that think like that don't deserve to have
websites on the internet, and can go get stuffed. I recommend you pass
this email on to your clients and let them know how $%@#*! they are!
--
Lachlan Hunt
http://www.lachy.id.au/
lachlan.hunt@lachy.id.au.update.virus.scanners
Remove .update.virus.scanners to email me,
NO SPAM and NO VIRUSES!!!
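
Added example, not part of the original thread and not the code of the product linked above: a sketch of the scheme described in the replies (a fixed JavaScript decoder stub followed by %-escaped text), showing why it gives no confidentiality. The page ships its own decoder and no key, so decoding the string literal returns the source. Function names and the sample markup are assumptions made for illustration.

```javascript
// Illustration only: hypothetical function names, constructed sample input.

// Percent-escape every UTF-8 byte of the page, so that "View Source"
// shows nothing but %XX sequences.
function percentEncodeAll(html) {
  return Array.from(new TextEncoder().encode(html),
    b => '%' + b.toString(16).padStart(2, '0').toUpperCase()).join('');
}

// What an on-the-fly output filter would emit in place of the page:
// a fixed decoder stub followed by the encoded text.
function wrapObfuscated(html) {
  return '<script>document.write(decodeURIComponent("' +
    percentEncodeAll(html) + '"));</script>';
}

// What any reader of the response can do: take the escaped string
// literals out of the stub and decode them. No key or secret is involved,
// because the browser needs the plain markup in order to render it.
function recoverSource(page) {
  const literals = page.match(/"((?:%[0-9A-Fa-f]{2})+)"/g) || [];
  return literals.map(s => decodeURIComponent(s.slice(1, -1))).join('');
}

// Constructed sample, including a non-ASCII character to exercise UTF-8.
const original = '<p class="price">Total: 42 €</p>';
const sent = wrapObfuscated(original);

console.log(sent.slice(0, 72) + '...');
console.log(recoverSource(sent));
```

Content that has to stay private belongs behind server-side access control and should not be sent to the client at all; TLS protects the page in transit, not from the user who receives it.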