Peter Michaux wrote:
On Aug 21, 1:51 pm, Randy Webb wrote:
>Peter Michaux said the following on 8/21/2007 12:33 PM:
>>On Aug 21, 8:41 am, The Magpie wrote:
Martin Mücke wrote:
>>>>I am looking for a good javascript obfuscator [snip]
In my opinion, there are no "good obfuscators".
>>And why is that?
Ummm, because there aren't any? :)
>What is your criteria for a good obfuscater?
In principle an obfuscator is something that renders something else more
obscure (Note that the question asks for an obfuscator and not a
minimiser, so presumably minimisation is not the/a point). The criteria
for what would represent a good would depend on why an increase in
obscurity is desired. There would be some standard of 'sufficiently'
obscure, to satisfy the assumed need, and a good obfuscator would be one
that achieved, or exceeded, that level of obscurity.
Does it necessarily have to deal with every possible bit of
code that could go in script tags?
Or just deal with the subset of code that you write?
That is quite a strange question. The code that any individual may write
may include anything that javascript allows. Anything that works on
javascript source code should be required to handle everything that
javascript can do.
Do you minify your code at all?
It is obfuscation not minimisation that is the subject here.
>The problem isn't a good/bad obfuscator, the problem is
that even if you have a "good one" it is a wasted effort.
Not a total waste, it makes it harder/slower to understand
the code and so will throw off some wimpy thieves.
As has been pointed out before, if that code that is being written uses
any moderately 'advanced' techniques the odds are already good that it
is beyond the comprehension of your "wimpy thieves". I cannot remember
the name that is used, but the HTML groups talk of the principle that
the worth of any web source code is inversely proportional to the effort
made to conceal it.
If the value of smaller downloads
You are back to minimisation again. Because HTTP 1.1 introduced
standards for transition of content zipped/compressed, and user agents
support it, the size reduction effects of minimisation are not nearly as
significant as superficial observations may suggest. It has even been
demonstrated that some source code size reduction strategies have a
negative impact on subsequent zip compression, making the actual
downloads larger (if only fractionally).
and moderate protection
Moderate relative to what exactly?
exceeds the cost of development/maintenance of the
obfuscator then on balance an obfuscater is a good idea.
So you are not including the cost of QA on the post-obfuscated code?
>>That is almost like saying there are no "good compilers."
If the obfuscator goes all the way by parsing the code and
building an abstract syntax tree there is certainly a
possibility of a good obfuscator.
Isn't being able to handle the code as real javascript more of a
criterion for not declaring the obfuscator as unacceptably bad, rather
than a reason for declaring it good?
>>I believe that the YUI and Dojo tools use the Rhino
engine to parse the JavaScript and then analyze the
AST. These strip IE conditional comments but I don't
think that limits them from begin "good".
I have never liked IE conditional comments and I do not use them, but
realistically they are used so any obfuscator offered for general public
use should be designed to cope with them before it can even be
considered suitable for consideration.
So you think a program that breaks otherwise properly
working code can be called "good"?
Sure a minifier/obfuscater can be good but it may not be
perfect because it may have a bug. An obfuscater is a
JavaScript-to-JavaScript compiler.
Some may be, but certainly not all on offer are.
All compilers have bugs
but that doesn't mean we write everything in assembly. When
a compiler bug crops up we fix it.
If you are writing a compiled langue then you have no choice but use a
complier. Obfuscating javascript source code is absolutely optional, and
it has drawbacks including questionable effectiveness at addressing its
objectives, making post-obfuscation maintenance and debugging of the
code harder that it may have been otherwise and requiring that the
post-obfuscated code is fully QAed so that any problems that may have
been introduced by the obfuscation process can be identified.
Richard.