混淆是最好的答案
混淆是保护我们的代码的最佳答案吗?
*特别是在 Web 项目中,当您想要将 Web 项目作为代码库交付给客户(订购者)时*
已编辑
首先我的首要任务是服务器端代码 第二个客户端 但主要目标是当您想要交付完整的网络项目时 并且您将每段代码都制作为组件和 dll,现在您如何有效地保护它们并且不允许其他人从它们那里恢复您的代码。
已编辑
问题是我想保护我写给他们订购的公司的代码,现在我所有的代码都在一些 DLL 中, 现在他们可以对其进行逆向工程并获取我的代码,我想阻止他们这样做, 到底有没有办法这样做?
我认为这是一个独特的问题,我没有询问什么是混淆,也没有询问执行此活动的工具,除此之外,我认为这与客户端服务器安全性不同
抱歉,如果我的问题一开始不清楚,但如果这确实是一个需要删除的案例,对我来说没问题
还
我也想比较一下这个问题和解决方案, 因为我认为混淆并不是唯一可能的解决方案,我认为我们可以针对这个问题找到一些合乎逻辑的解决方法
Possible Duplicates:
How effective is obfuscation?
Protect ASP.NET Source code
(Why) should I use obfuscation?
Is obfuscation the best answer for protecting our code ?
*Specially in Web Projects when you want to deliver your web projects as libraries of code to your customer ( the person who ordered ) *
Edited
At first my priority is Server-Side Code
and second Client-Side
but the main goal is when you want to deliver a complete web project
and you made every piece of your code as components and dlls now how effective can you protect them and doesn't allow others to make your code back from them .
Edited
The problem is that I want to protect the code that I'm written to a company that they ordered , now all my code are inside some DLLs ,
Now they can reverse engineer that and get my code , I want to prevent them from doing so ,
Is there anyway to do so or not ?
I think that is a unique question , And I didn't ask for what obfuscation is nor for tools of doing this activity , further than that I think this is apart from Client-Server Security
Sorry if my question wasn't clear at first , but if that is really a case to be deleted , no problem for me
Also
Also I wanted to have a comparison look at this problem and the solutions ,
because I think obfuscation wasn't the only possible solution at this , I think we can have maybe some logical sort of workarounds about this problem
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
Web 项目中的正常服务器端代码在任何情况下都不应该对外界可见。 所以混淆代码是没有意义的。
除了这两点之外:
Javascript 代码对用户是可见的并且可以被混淆。 无论如何,建议尽量减少 JavaScript 以节省带宽。 最小化 js 也会混淆代码。
同样重要的是,在生产系统上,配置设置customErrors应设置为 RemoteOnly 或 On 以避免显示包含过多代码详细信息的堆栈跟踪。
The normal server-side code in Web projects should under no circumstances be visible to the outside world. So there is no point in obfuscating the code.
Besides that two minior points:
Javascript code is visible to the user and can be obfuscated. Minimizing javascript to save bandwidth is recommended anyway. Minimizing js also obfuscates the code.
Also important is that on production system the configuration setting customErrors should be set to RemoteOnly or On to avoid showing a stacktrace with to much code details.
如果您的客户端代码对其他人具有广泛的价值,那么无论是否进行任何混淆,它都将被逆向工程。
现实情况是,它可能不会对许多人广泛有用,而且还有很多其他代码可供查看,因此除了缩小代码之外可能不值得做更多的事情,因为这会造成大量混淆,如果您的代码很大,那么可能不值得做更多的事情。将提高下载速度。
您考虑过替代方案吗? 回馈社会是一件好事吗? 我确信您已经看过不止一个网站的代码,不是吗?
If your client side code has any broad value to others, it will get reverse engineered regardless of any obfuscation.
The reality is that it's likely not going to be broadly useful to many and there is a lot of other code out there to look at so probably not worth doing more than minifying the code which is plenty of obfuscation and if your code is large, it will improve download speed.
Have you considered the alternative? That it's a good thing to give somethings back to the community? I'm sure you've looked at the code of more than one site, no?
也许不是最好的。 如果你真的有雄心,你可以编写自己的网络服务器(插件)。
但这值得付出努力吗?
软件类似于荷兰的自行车,没有已知的保护方法是 100% 安全的。 您可以使用比其他自行车更好的保护(小偷很懒)。 或者你必须混淆自行车,这样他们就不会拿走它。
提高保护级别的另一种方法是使用定制的 ActiveX 代码来存储关键任务算法。 当然,它们可以进行逆向工程,但 JavaScript 更容易。
Maybe not the best. If you are really ambitious, you can write your own web server (plugin).
But is it worth the effort?
Software is similar to a bike in the Netherlands, there is no known way of protection that is 100% safe. You use either a better protection than the other bikes (thieves are lazy). Or you must obfuscate the bike so they won't take it.
Another way to increase the level of protection is to use custom made ActiveX code to store mission critical algorithms. Of course, they can be reverse engineered, but javascript is easier.
您到底想保护您的代码免受什么侵害?
您的客户端代码是否包含有价值的业务逻辑?
如果没有:您不应该费心去混淆那些没有太多价值的东西。 我个人认为客户端代码盗窃是人们过于担心的事情。 99% 的网络应用程序在客户端实现方面并没有什么特别之处。 你更需要担心的是有人抄袭你的想法或视觉外观,这显然是你无法混淆的。
如果确实如此:您需要考虑在客户端重构该逻辑,因为即使有严重的混淆,坚定的一方也总是能够相对轻松地理清它。 理想情况下,为您的应用添加真正价值的代码应该在您的服务器上运行,因为访问起来要困难得多。
即使人们窃取您的 html 标记或 javascript 是值得担心的事情(而且可能不是),混淆并不能真正解决问题。 在我看来,这是浪费精力和金钱。
What exactly are you trying to protect your code from?
Does your client-side code contain valuable business logic?
If not: you shouldn't bother obfuscating something that doesn't have much value. Personally I think clientside code theft is a something that people are far too concerned about. 99% of web apps don't really have anything special in terms of implementation on the client side. What you need to worry about more is someone ripping off the idea or visual look, which you obviously can't obfuscate.
If it does: you need to consider refactoring that logic out of the client side, as even with heavy obfuscation, a determined party will always be able to untangle it relatively easily. The code that adds real value to your app should ideally be running on your servers where it's considerably more difficult to get access to.
Even if people stealing your html markup or javascript was a something to worry about (and it probably isn't), obfuscation doesn't really solve the problem. In my opinion it is a waste of effort and money.
将关键功能托管为 Web 服务可能是保护它的最可靠方法。 它将代码完全置于用户手中。 但随后您就陷入了托管服务的困境,并且您的用户必须在线才能使用您的功能。
混淆器通过隐藏有用的名称并用奇怪但逻辑上等效的替代方案替换控制流来提供帮助。 它们可能会阻碍业余爱好者,但它们只会让熟练的逆向工程师放慢几分钟,而且不会阻止那些决心刺探你的秘密的人。
Hosting a critical function as a web service is probably the most sure way to protect it. It keeps the code out of the user's hands entirely. But then you're stuck hosting a service, and your users have to be on line to use your functionality.
Obfuscators help by hiding useful names and replacing control flow with weird but logically equivalent alternatives. They might thwart an amateur, but they'll only slow down a skilled reverse engineer for a few minutes, and they won't stop someone who is determined to penetrate your secrets.
如果您确实想保护您的代码,则应该使用本机代码编译器(C++、Delphi)编写本机代码。 这仍然不能保证您的代码 100% 安全,因为任何有经验的开发人员都可以阅读汇编程序并从本质上反汇编本机代码程序。
坚定的黑客总会找到一种方法来获得他们想要的东西。
我们能做的最好的事情就是让潜在的黑客获取我们的代码变得困难或痛苦,以下选项可以帮助我们:
我真的很喜欢 .NET 框架的一位首席开发人员发表的评论,他说他不认为这真的是其他人可以理解的事实我们应该关心我们的代码,但我们应该关心我们为产品提供的支持水平。
因此,如果我们提供良好的支持基础,黑客对我们的代码做什么并不重要,因为客户会信任我们以及我们使用我们的产品而不是一些廉价的黑客攻击程序来支持他们的能力。
I you really want to protect your code, you should write native code using a native code compiler (C++, Delphi). This still does not guarantee that your code is 100% safe because any experience developer can read assembler and essentially disassemble the native code program.
A determined hacker will always find a way to get to what they want.
The best we can do is to make it hard or painful for the would-be hacker to get at our code and the following options can help us:
I really like a comment made by one of the head developers of the .NET framework where he said that he does not feel it's really the fact that others can get at our code that should be a concern to us, but rather, we should concern ourselves with the level of support we provide with our products.
So if we provide a good support base, it does not matter what the hackers do with our code, because the clients will trust us and our ability to support them using our product and not some cheap hacker-hacked program.
不,混淆不是保护代码的最佳方法。
您需要使用的工具是“版权”。
没有(技术)方法可以保护您的代码免受足够坚定的人的攻击(前提是他们有权访问二进制文件/脚本)。
您可以做的就是阻止他们合法地修改/分发您的代码。
NO, obfuscation is not the best way to protect your code.
The tool you need to use is "copyright".
There is no (technological) way you can protect you code from someone determined enough (provided they have access to the binaries / scripts).
What you can do is prevent them from legally modifying/distributing your code.