除了混淆之外,还有其他方法可以让在 javascript 中获取任何字符串变得更加困难吗?
我使用 DropBox,但从其他计算机访问我的文件时遇到一些问题: 当我使用公共计算机时,我并不总是想登录任何东西,但我喜欢能够从任何地方访问我的东西。
因此,我制作了一个简单的应用程序,当放入公用文件夹中时,运行并给出正确的 UID,创建(仍在公用文件夹中)文件夹(包括子文件夹)中所有内容的 HTML 作为链接树。
但我没有冒险将它加载到任何地方,因为那里有一些私人的东西(是的,我知道该文件夹的名称是“PUBLIC”)。
所以我想出了一个想法,让它成为一个简单的登录页面,只要输入正确的密码,页面的其余部分就应该加载。太棒了!但是如何呢?
如果我通过重定向到同一文件夹上的其他 HTML 来做到这一点,我仍然会将 html 链接放入网络历史记录和管理员的“url 访问”历史记录中。所以我应该在同一页面中生成它。
我已经做到了:
替代文本 http://dl.dropbox.com/u/ 3045472/validate.png
目前,该页面是一个文本框和一个按钮,只有当您输入正确的密码(在生成器中定义)时,页面的其余部分(与链接树)加载。问题在于,所有内容(密码、URL)都可以通过源代码轻松访问。
现在,假设我只想避免愚蠢的人太容易地获取这些信息,而不是制作一个防弹的所有内容包含 NSA 认证的网站,我考虑了一些方法来使这些信息更难获取得到。
正如您可能已经想到的,我使用 StreamWriter 编写一个 html 文件(头部、循环链接、底部),然后它是非常可配置的,我可以想出一个相当混乱但有效的 C# 代码,尽管我的 javascript知识没那么好。
DropBox 中的公共链接如下所示:
总结:如何隐藏 URL 和密码以在我的源代码中显示它们(当然主要是密码),这样就不需要在阅读上付出一些努力?
PS:这不是那么个人化,如果有人真的想要它,它永远不可能得到 100% 的保护,如果它那么重要,我也不会把它放在公共文件夹中,如果那家伙真的想要的话想要那么难,他应该得到它。
PS 2.:“使用 ultra-3000'tron 混淆器!!11”不是真正的答案,因为我的 javascript 是由我的 c# 程序生成的。
PS 3.:我不想要其他解决方案,例如“使用服务器端应用程序并将其托管在某个地方进行重定向和bla bla”或“压缩.RAR文件中的链接并在其中输入密码“因为我这样做也是为了学习,并且我想要其中的刺激=)
更新1: 到目前为止,唯一的答案给出了一种隐藏我的密码的完美方法(根据这个问题)。
现在我想要一个隐藏 URL 的好方法,可能是我给出的示例 URL 的代码片段,如果它太棘手,可能是如何在 C# 中生成它,或者其他什么?
更新2: 我考虑过制作三种“混淆方法”并在运行时随机选择它们。因此,任何弄清楚如何读取一个 XML 的人都只能读取其中的大约三分之一,而且可能很难找到这三分之一的其余部分。
更新 3:
想想 REGEX,URL 可能会被随机添加的虚拟非 url 允许字符整齐地挤满,这些字符会被以下内容删除:
regex.replace(url, ^[^\w\d/:-\.%]+$,"")
所以这个爱管闲事的家伙应该在编程方面有相当高的水平,嗯?谁能告诉我它是否有效?
I use DropBox and I've had some trouble reaching to my files from other computers:
I not always want to login to anything when I'm in a public computer, but I like being able to reach my stuff from wherever I am.
So I've made a simple application that when put in the public folder, ran and given the right UID, creates (still in your public folder) an HTML of all the content in the folder (including subfolders) as a tree of links.
But I didn't risk loading it anywhere, since there are slightly private things in there (yes, I know that the folder's name is "PUBLIC").
So I've came up with the idea to make it a simple login page, given the right password, the rest of the page should load. brilliant!, but how?
If I did this by redirecting to other HTML on the same folder, I'd still put the html link in the web history and the "url's accessed" history of the administrator. So I should generate itin the same page.
I've done it:
alt text http://dl.dropbox.com/u/3045472/validate.png
And currently the page is a textbox and a button, and only if you type in the right password (defined in the generator) the rest of the page (with the link-tree) loads. The fault is that everything (password, URL's) is easily reachable through the source code.
Now, assuming I only want to avoid silly people to get it all too easily, not make a bulletproof all-content-holding NSA certified website, I though about some ways to make these information a bit harder to get.
As you may have already figured, I use a streamwritter to write an html file (head, loop through links, bottom), then it's extremely configurable, and I can come up with a pretty messy-but-working c# code, though my javascript knowledge is not that good.
Public links in DropBox look like this:
Summarizing: How do I hide the URL's ande the password to show them (MAINLY the password, of course) in my source-code so that no that it should require some effort on reading ?
P.S.: It's not that personal, if someone REALLY wants it, it could never be 100% protected, and if it was that important, I wouldnt put it in the public folder, also, if the dude really wants to get it that hard, he should deserve it.
P.S. 2.: "Use the ultra-3000'tron obfuscator!!11" is not a real answer, since my javascript is GENERATED by my c# program.
P.S. 3.: I don't want other solutions as "use a serverside application and host it somewhere to redirect and bla bla" or "compress the links in a .RAR file and put a password in it" since I'm doing this ALSO to learn, and I want the thrill of it =)
Update 1:
The one answer so far gives a perfect way (according to this question) to hide my password.
Now I want a good way to hide the URL's, maby a code snippet of the example URL I gave being composed, and if it's too tricky, maby how to generate it in C#, or anything ?
Update 2:
I thought about maybe making three "obfuscating methods" and choosing them randomly in the runtime. So anyone who figures out how to read one XML, could only read about one third of them, and maybe having a hard time finding the other rest of this third..
Update 3:
Just thought about REGEX, the URL could be neatly crowded by dummy not-url-allowed characters added randomly that would be removed by something like:
regex.replace(url, ^[^\w\d/:-\.%]+$,"")
So the nosy dude should have to be pretty advanced into programming somehow, eh? could anyone tell me if it would work or not ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
好吧,看来您已经知道,这是一个相当糟糕的安全机制选择,但如果您坚持...
不要将实际的字符串存储在源代码中。例如,存储其 MD5 哈希。然后,当用户输入密码时,计算其 MD5 哈希值并将其与预期的进行比较。
查看:
Well, as it seems you already know, this is a rather poor choice of security mechanism, but if you insist...
Don't store the actual string in the source. Store, for example, its MD5 hash. Then, when the user types in a password, compute its MD5 hash and compare it with the expected one.
Check out:
为了详细说明 miorel 的想法,您还可以使用密码作为密钥来加密整个页面。基本上,将所有内容编码成一个大字符串,询问密码并解密该字符串。如果密码错误,它会显示大量垃圾,仅此而已。就像
你唯一需要的是 JavaScript 中的解密实现 - 但这很容易通过谷歌搜索,例如 此处或此处。
这也使得单独的“登录”页面变得毫无用处。
To elaborate on miorel's idea, you can also encrypt the whole page, using password as a key. Basically, encode all content into one big string, ask for the password and decrypt that string. If the password is wrong, it will show loads of rubbish, that is it. Like
The only thing you need is a decrypt implementation in javascript - but that's easy to google out, for example here or here.
This also renders the separate 'login' page useless.
诚然,这类似于询问如何在公共场合脱衣而不被人看见,但考虑到这一点,我假设您尝试存储的密码是 DropBox 的密码。我想你可以混淆密码并将其存储在 cookie 中。这至少会阻止某人简单地查看源代码以查看密码,但显然不会阻止某人运行 Fiddler 之类的东西并查看它。
编辑:要合并 URL,为什么不简单地动态构建 URL 并让链接调用 JavaScript 函数来获取 URL?您的服务器端代码将使用混淆的 url 填充此函数中的数组,并且调用代码将简单地将索引传递到该数组中。因此,在查看源代码时,除了静态不安全链接之外,在任何地方都不会出现“http”实例。
添加好的。现在我对这个问题有了更好的了解,设计解决方案就更容易了。有一些库可以在 javascript 中进行网络加密(例如 http://point-at-infinity. org/jsaes/),但问题归结于密钥管理。由于它是 javascript,因此它将是公开的,但您可以设计一些限制来增加确定密钥的难度。一般来说,这些技巧涉及间接。例如,存储由 C# 代码生成并存储在 HTM 文件中的长随机字符流(例如 40-50 或更多)。此外,C# 代码会在您的 javascript 函数中存储一个数组数值,这些数值表示指向 C# 代码用来加密密码(或整个 url)的长文本流的指针。
Granted, this is akin to asking how you can strip in public without people seeing you, but given that, I'm assuming that the password you are trying to store is the one to DropBox. I suppose you could obfuscate the password and store it in a cookie. That would at least prevent someone from simply viewing the source to see the password, but obviously wouldn't stop someone running something like Fiddler and seeing it.
EDIT: To munge the Urls, why don't you simply build the urls on the fly and have the links call a javascript function to get the url? Your server-side code would populate an array in this function with obfuscated urls and the calling code would simply pass an index into the array. Thus, on viewing the source, there would be no instances of "http" anywhere other than static unsecure links.
ADDITION Ok. now that I have a better bead on the problem, it is easier to devise solution. There are libraries for doing encryption on the net in javascript (e.g. http://point-at-infinity.org/jsaes/) but the problem comes down to key management. Since its javascript, it is going to be public but there are hoops you can devise to make it harder to determine the key. In general, those tricks involve indirection. For example, store a lengthy stream of random characters (e.g. 40-50 or more) that is generated by your C# code and stored in the HTM file. In addition, the C# code would would store into your javascript function an array numeric values that represent pointers into the long stream of text that were used by the C# code to encrypt the passwords (or just the whole url).