Is using an obfuscator enough to protect my JavaScript code?
I'm working on building a development tool that is written in JavaScript.
This will not be an open source project and will be sold (hopefully) as a commercial product.
I'm looking for the best way to protect my investment. Is using an obfuscator (code mangler) enough to reasonably secure the code?
Are there other alternatives that I am not aware of?
(I'm not sure if obfuscator is the right word, it's one of the apps that takes your code and makes it very unreadable.)
Comments (9)
I deeply disagree with most answers above.
It's true that every software can be stolen despite obfuscation but, at least, it makes it harder to extract and reuse individual parts of the software and that is the point.
Maybe it's cheaper and less risky to use an obfuscation than leaving the code open and fighting at court after somebody stole the best parts of our software and made dangerous concurrency.
Unobfuscated code whispers:
Obfuscated code says:
I'm going to tell you a secret. Once you understand it, you'll feel a lot better about the fact that Javascript obfuscation is only really useful for saving bandwidth when sending scripts over the wire.
Your source-code is not worth stealing.
I know this comes as a shock to the ego, but I can say this confidently without ever having seen a line of code you've written because outside the very few realms of development where serious magic happens, it's true of all source-code.
Say, tomorrow, someone dumped a pile of DVDs on your doorstep containing the source code for Windows Vista. What would you be able to do with it? Sure, you could compile it and give away copies, but that's just one step more effort than copying the retail version. You could painstakingly find and remove the license-checking code, but that's something some bright kid has already done to the binaries. Replace the logo and graphics, pretend you wrote it yourself and market it as "Vicrosoft Mista"? You'll get caught.
You could spend an enormous amount of time reading the code, trying to understand it and truly "stealing the intellectual property" that Microsoft invested in developing the product. But you'd be disappointed. You'd find the code was a long series of mundane decisions, made one after the other. Some would be smarter than you could think of. Some would leave you shaking your head wondering what kind of monkeys they're hiring over there. Most would just make you shrug and say "yeah, that's how you do that."
In the process you'll learn a lot about writing operating systems, but that's not going to hurt Microsoft.
Replace "Vista" with "Leopard" and the above paragraphs don't change one bit. It's not Microsoft, it's software. Half the people on this site could probably develop a Stack Overflow clone, with or without looking at the source of this site. They just haven't. The source-code of Firefox and WebKit are out there for anyone to read. Now go write your own browser from scratch. See you in a few years.
Software development is an investment of time. It's utter hubris to imagine that what you're doing is so special that nobody could clone it without looking at your source, or even that it would make their job that much easier without an actionable (and easily detectable) amount of cut and paste.
You are going to be fighting a losing battle if you try to obfuscate your code in the hopes of someone not stealing it. You may stop the casual browser from getting at it, but someone dedicated would almost certainly be able to overcome any measure you use.
In the past I have seen people do several things:
There are many other methods.
In the end, your efforts are only likely to stop the casual browser from seeing your stuff. If someone dedicated comes along then there is not much you will be able to do. You will have to live with this.
My advice would be to make a really awesome product that attracts the most people and beat off any competition by having the best product/service/community and not the most obfuscated code.
You're always faced with the fact that any user that comes to your webpage will download some working version of your Javascript source. They will have the source code. Obfuscating it may make it very difficult to be reused by someone with the intent to steal your hard work. However, in many cases someone can even reuse the obfuscated source! Or in the worst case they can unravel it by hand and eventually comprehend it.
An example of a situation like yours might be Google Maps. The Javascript source is clearly obfuscated. However, for really private/sensitive logic they push the data to the server and have the server process that information using XMLHttpRequests (AJAX). With this design you have the important parts on the server side, much more tightly controlled.
That's probably about the best you can do. Just be aware that anybody with enough dedication can probably de-obfuscate your program. Just make sure you're comfortable with that before embarking on your project. I think the biggest problem with this would be to control who's using it on their site. If somebody goes to a site with your code on it, and likes what it does, it doesn't matter that they don't understand what the code does, or can't read it, when they can just copy the code and use it on their own site.
An obfuscator won't help you at all if someone wants to figure out the code. The code still exists on the client machine and they can grab a copy of it and study it at their leisure.
There is simply no way to hide code written in Javascript since the source code has to be handed to the browser for execution.
If you want to hide your code, you have the following options:
1) Use an environment where compiled code (not source) is downloaded to the client, e.g. Flash or Silverlight. I'm not even sure that's foolproof, but it's certainly much better than Javascript.
2) Have a back end on the server side that does the work and a thin client that just makes requests to the server.
If this is for a website, which by its very nature puts viewing of its code one menu click away, is there really any reason to hide anything? If someone wants to steal your code they will most likely go through the effort of making even the most mangled code human readable. Look at commercial websites, they don't obfuscate their code, and no one goes out and steals code from the google apps. If you are really worried about code theft, I would argue for writing it in some other compiled language. (which does of course destroy the whole webapp thing...) Even then, you aren't totally safe, there are many de-compilers out there.
So really, there is no way to do what you want in the face of anyone with sufficient motivation.
A code obfuscator is enough for something that needs minimal protection, but I think it will definitely not be enough to really protect you. If you are patient you can really de-mangle the whole thing, and I'm sure there are programs to do it for you.
That being said, you can't stop anyone from pirating your stuff because they'll eventually break any kind of protection you create anyway. And it is especially easy in a scripted language where the code is not compiled.
If you are using some other language, maybe Java or .NET, you can try doing things like "calling home" to verify that a license number matches a given URL. Which works if your app is some sort of online app that is going to be connected online all the time. But having access to the source, people can easily bypass that part.
In short, JavaScript is a poor choice for what you are doing.
A step up from what you are doing is maybe using a webservice backend to get your data. Let the webservice handle the authentication/verification process. Requires a bit of work to make sure it is bulletproof, but it might work.
I'd say yes, it's enough if you also make sure that you compress the code as well using a tool like Dean Edward's Packer or similar. If you think about what is possible with tools like .NET Reflector in terms of reverse engineering compiled code / IL in .NET, you realize that there's nothing you can do to completely protect your investment.
On the other hand, remember that folks who release their source code also seem to make do quite nicely anyway - it's their experience that people want more than their intellectual property.