[thelist] ProtWare's HTML Guardian... your thoughts.

Ken Schaefer ken at adOpenStatic.com
Mon Aug 23 07:16:00 CDT 2004 

Of course there are tools to reverse it.

It is important to understand that the ASP script engine itself must be able 
to get at valid code. So there are two options:

a) ASP script engine must be fed plain text code. That means that the code 
needs to be decrypted, and fed to the ASP engine. Well, if some component 
can decrypt the code, then so can I. Even if I can't work out what 
encryption algorithm you are using, I can attach a debugger and see what's 
being passed between the various processes.

b) ASP script engine (suppose it can be extended to support encrypted code) 
is fed encrypted code. To work out what the code say, the script engine must 
have some kind of key to decrypt the code. How do you keep the key secure 
when the server isn't yours? You can't. Wherever ASP gets the key from to 
decrypt the code, so can the bad guy.

Basically, if you are running your code on a machine that someone else 
controls, there's no way, ultimately, that you can keep your code secure.

Now, I look at the claims that this website makes about keep HTML secure. 
It's not secure at all - it's just encoded, and uses javascript to decode 
it. Well, anyone can do that. Remember, the browser on my computer needs to 
be able to read valid HTML, so somehow the HTML needs to be decoded back to 
valid HTML. Anything that can be done by script can be done by me as well.

Cheers
Ken

----- Original Message ----- 
From: "Craig" <cd-ml at aardvark.net.au>
Subject: Re: [thelist] ProtWare's HTML Guardian... your thoughts.


: Hi Ken,
:
: I've had a look at Microsoft Script Encoder but wondered how good the
: protection would be, seeing as it's free, so some hackers may have a tool
: already to decrypt it.
:
: Regards,
: Craig.
:
: ----- Original Message ----- 
: From: "Ken Schaefer" <ken.schaefer at gmail.com>
: To: <thelist at lists.evolt.org>
: Sent: Monday, August 23, 2004 4:58 PM
: Subject: Re: [thelist] ProtWare's HTML Guardian... your thoughts.
:
:
: > Given that they make a lot of promises about protecting HTML that are
: > exagerated (to say the least), I do wonder about their "ASP"
: > encryption (given that the plain text must be passed across to the asp
: > ISAPI extension).
: >
: > If you do want an encoder, Microsoft released one a while back
: > (Microsoft Script Encoder). I imagine that this product merely
: > duplicates the functionality of Microsoft's since there must be a
: > limited number of ways that you can "decrypt" or unobfuscate the
: > source before asp.dll gets it.
: >
: > Cheers
: > Ken
:
:
: -- 
:
: News! - Evolt.org conference for web professionals.
: 17-19 September 2004 in Toronto, Canada.
: Details at http://TOevolt.org
:
: * * Please support the community that supports you.  * *
: http://evolt.org/help_support_evolt/
:
: For unsubscribe and other options, including the Tip Harvester
: and archives of thelist go to: http://lists.evolt.org
: Workers of the Web, evolt !

More information about the thelist mailing list