html protection stuff - Page 3 - HTML Forums

scoutt · 09-02-2006, 10:19 AM

ok, my turn

- You CAN hide or 'disable' source code
ah no you can't. even in encryption, the output is ALWAYS html. disabling source code is stopping a user from right clicking and view source, or view-> source from the menu. You cannot take those away.

- You CAN disable someone viewing your page offline
again, file ->save as. or in IE, it ALWAYS gets saved to your pc. once it is offline who cares about refresh methods, you just don't get the most current verson this way. but if refresh is used, it just refreshes the offline-conent. again, IE stores it on your pc

- You CAN disable right click
like you said, you can disable javascript so this one is pointless but yes it can be done.

- You CAN stop text/images from being copied to the clipboard
even if you use layers I can still copy the image to my clipboard. not sure about IE but in firefox I can go to page info and just save the image you just covered.

that is why it is imortant to use watermarked images, all this is nullified if you do cause who wants to save a watermarked image??

and there you have it

Juparis · 09-02-2006, 01:01 PM

Point taken, but I have just one question (personal experience/troubles from IE):

Quote:

Originally Posted by scoutt

- You CAN disable someone viewing your page offline
again, file ->save as. or in IE, it ALWAYS gets saved to your pc. once it is offline who cares about refresh methods, you just don't get the most current verson this way. but if refresh is used, it just refreshes the offline-conent. again, IE stores it on your pc

What if you set a cookie? Ok, first you have to set one of those annoying pages that say "You have disabled cookies. Please allow them to view the following page." Then, with that cookie, you could set an expiration date on the webpage, so that if the user tries to open the page offline (even if it were just one second after viewing it online), it comes up as another annoying page saying "You must be online to view this page" or "Server not found" or whatever the heck it is.

Anyway, if you have the page refresh after a while, the page couldn't be reloaded offline because of the expiration.

Am I getting at something, or am I just way off base?
I remember in ye olde days, I'd get frustrated because, just minutes after logging off, I'd go under the History in IE and find that I couldn't view some pages unless I logged on again..

erisco · 09-02-2006, 01:17 PM

Juparis, you have to remember that anything server side is not saved onto their computers. They can download a completely dynamic page, but that page itself won't change because only the source comes with it.

I don't see what a cookie would do, if you set the cookie with javascript then the cookie exists. You can also make cookies, and I don't see what an expiry date would do, the cookie can just be reset.

Also page encryption is not what it sounds like. You hand them the key right in your source of how to decrypt the encryption. Not to mention everything is outputted as HTML so there is no benefit.

Juparis · 09-02-2006, 01:33 PM

The encryption method - the computer understand the key, the user (unless a 1337 hacker) won't. And obviously it will output as html, otherwise it wouldn't be used on html-pages.. Regardless....

...the cookie sets an expiration date such that the cache is erased after the set time. (not the entire cache, but anything the page contains). Of course you can always save it to your harddrive, but the typical user would simply be perplexed that he cannot view the page offline.

erisco · 09-02-2006, 01:39 PM

Well if it is obvious that it outputs as html, I don't see what the key ultimately achieves. Any person who could do something with your content will be able to get your encryption... as I said, the key is right there.

You can't set cookies to erase cache... and cookies are saved to your harddrive. I don't understand where you are coming from.

Juparis · 09-02-2006, 02:19 PM

(This is based off of what little I know/understand about encryption keys--what I was told, and what I assume is true. Sorry if my sources are incorrect)
The key is for the computer to use to translate the source, which (in a normal text editor) cannot be read. I assumed that the output is what's ultimately displayed in the window, not what you find with the View>Source option. Anyway, the common man will not know how to handle/read a key, let alone how to use it to translate the source.

As per cookies, I already stated that it was from my past experience that I assumed cookies have the capabilities to erase caches (not they themselves, but instruct the computer to do so once the page is expired). If it's not cookies, then what is it?
...and I'm coming from Wisconsin, by the way. How bout you?

erisco · 09-02-2006, 02:34 PM

A javascript ecryption would be simply running source through certain filters, whether you reverse the code, then convert to ASCII and then convert to Hex, it doesn't make a difference. You have to write an algorithm to reverse that process, and that algo is available to anyone who can read the source. Also upon viewing the page, all the text is available, and all the images are as well. What left is there to hide?

If you are trying to protect sensitive information, only protecting it from the 'normal man' is not going to cut it. Are you going to waste your time on a bogus security method when it can be breached by anyone who can read javascript? What does the encryption ultimately achieve other than requiring javascript to view the page, and making things harder to update for the webmaster?

I don't think it is cookies that remove cache, it would be a 301 header or something of the sort. Even then it depends on how the browser is configured, it may not bother to delete cache based on headers. I wouldn't be surprised if that was the case. And cache means nothing when a site is offline, since the pages are literally downloaded from the server onto the users computer. That is not internet cache, and you cannot tell the computer to delete those files. Browsing cache offline, and downloading a site for offline use are two completely different matters.

I don't understand why anyone is bound and determined that these feats are possible. They simply aren't. They are pointless to use, and pointless to rely on. It is set in stone... there is no way to prevent it. It was not how the internet was designed, and it is not how browsers are designed, you cannot hide anything. If the user can see the content, they can get it. Simple as that.

Juparis · 09-02-2006, 02:59 PM

Ooh, am I striking an odd nerve, erisco? Don't get too fired up, I was hoping for an open-minded discussion. I guess those hopes were in vain... Ah well, I'll leave you with one final note:

According to your logic, half the world's products shouldn't be produced simply because a fraction of the population will always be able to break it. Why manufacture a safe if the world's top thief can crack it in 5 minutes flat? I think the general answer would be, "Do you honestly believe that the >1% of thieves will come to your random house, and go after your one safe they know they can breach?"

I mean, c'mon. You were the one to start pushing practicality reasoning, yet you won't even consider realistic situations yourself? I'll take you seriously once you take me seriously..

If 99.9% of my viewers are lay men, I'm going to protect myself from the common man, not the world's top cracker (commonly called hacker; I'm not trying to be racist). Are you seriously suggesting I take a nuke to an ant hill, just because there's a slight chance that a few will survive the normal bug spray? Oh, but I guess it's your arguement that ants can't be killed, so why bother try? No matter what I use on their little kingdom hill, there will always be a few left behind, so I should just give up my attack right now. Is that what you're saying? Because that's what I'm infering. You might as well tell the lone protestor at Tiananmen to give up because the CCP will never listen to its people. It's the same message you're sending here, and I don't personally appreciate that type of b****ry.

If it was my ignorance that angered you, I'm sorry--I did forewarn, however, that I'm not exactly keen on these subjects. I'll continue to protect what I deem necessary--if you want to steal my photos simply to prove me wrong, go right ahead. I doubt you'll find much use of them anyway.

erisco · 09-02-2006, 03:46 PM

My point is javascript protection is a waste of time when there are BETTER methods, and those methods have already been discussed here. I never said the best hacker is going to be coming to your site to do damage, but at the same time there are many people who can read javascript, and they will pose a threat to that security.

Also, all the text and images are in plain view, so ultimately what does it protect? The html tags?

You can easily have a very secure site by keeping things server side, if there is sensitive information in your source code you are doing something wrong. There is absolutely no reason for it.

I am generally not following what you are saying... I think you are not understanding what I am trying to tell.

scoutt · 09-02-2006, 03:51 PM

hehe, you guys. encryption will never stop you from seeing the source. once the page is in your cache or you save it to your hard drive it is all mute. cookies will never stop you from viewing the page. the source is free for the taken, nothing can stop it. no session, no cookie, and no javascript and no encryption. especially javascript encryption, easily bypassed.

so juparis, to answer your question, no, encryption will not help.

Quote:

Originally Posted by juparis

What if you set a cookie? Ok, first you have to set one of those annoying pages that say "You have disabled cookies. Please allow them to view the following page." Then, with that cookie, you could set an expiration date on the webpage, so that if the user tries to open the page offline (even if it were just one second after viewing it online), it comes up as another annoying page saying "You must be online to view this page" or "Server not found" or whatever the heck it is.

no, this is saying that when you saved the page the urls is intact so when it refreshes the page looks at the url. but when you save a page the url is taken out, unless it is hard coded. but once you have it on your pc just edit the page and take the url out. see, nonce you hav eit on your pc, there is nothign the site can do from stopping you from viewing it. good thought though

ucm · 09-22-2006, 12:14 AM

and these are "some" of the reasons why most people and companies now-a-days make their web servers deal with as much of the page content and client-sever data/interactivity as engineeringly possible...

that's why you get slow server responce times on popular sites. and they wind up having to implement some form of server regulation to increase speed. ie: clustering or dns peer transfering across various servers loaded with identical content

why can't everyone in cyberspace just get along and play nice, lol

themanwhowas · 11-06-2006, 05:09 AM

sorry guys. i have to add my bit. to view a web page, your browser DOWNLOADS and STORES all html files, pictures, css files etc onto your pc, the browser then puts it all together acording to how the html instructs it. your temporary internet files will contain all of the html and pictures, the html file can be opened in notepad to be viewed and altered, the pictures can be copied and pasted onto a million other websites etc.. if anybodies really that desperate to not let anyone see the source code they have designed, then they shouldn't put it on the internet. may i suggest a bank vault

Vege · 11-06-2006, 05:37 AM

good topics never die

I was thinking the other day that there are programs that are transferred to client when they come into webpage, for example something like what windows update is doing or seagate netchecks or something that works with your local filesystem.

Could this kind of program that intervenes with local computer files be written to crypter the data coming in and out from the server?

ucm · 11-07-2006, 10:23 PM

heres a question (stop me if i missed it earlier in the thread but someone at work mentioned this to me last week) but one way that "might" (theoretically) work would be to use flash to store 100% of your page and pics inside of. there wouldnt be a source to view and the only way you could save images would be to take a screenshot.

of course this is a$$umming that the browser doesnt store the flash file offline in such a way that a visitor could open it in some flash decryption app or editor...

whats your all's take on this?

i dont knw flash or how it works (yet) but i believe it would store a flash file with source, images, and all offline in the browser's cache. sound right to you guys and gals?

Vege · 11-08-2006, 03:55 AM

The only problem has allways been the screenshot, nothing can be done against it.