Patricia Hinman wrote:

> > There are measures that can be taken to make it
> > harder for someone to get the source, but there is
> > no way to prevent it. There is also little reason
> > to, that I can see, most things that are done with
> > javascript are relatively simple anyways, and since
> > it is an open language so someone could rewrite it
> > themselves, granted you might be delaying them. On
> > the other hand, you are asking questions on a board
> > where the language is GPL'd so you are not likely to
> > find too many sympathetic posters when it comes to
> > closing your source (especially web source)....
> >
>
> I don't want to hide the main source code. Only
> encrypt the password on the client side. I could do
> that with a js program.

Right.

> Then my pl file could unwind
> the script.

Why? Do you need a decrypted version of the password? Really?

> This is to keep people from viewing the
> password in transit. It would be like the unix salt
> system. I could put a key txt file in their protected
> directory that my perl file would read to unwind the
> js encrypted password.

What I would suggest instead would be to do two-layer encryption. Use any dependable hashing formula on the client side, and further encrypt it on the server side before storage. As long as the same encryption formulae are used when the user logs in, identical login strings will render identical values. Doing this, you don't have to worry so much about the exposure of the encryption source in the HTML, because that only gets even the skilled cracker halfway.

As to the client-side source--one method to hamper, if not prevent, easy hacking of your client-side js, is to use really bad space formatting. I found this by unwinding some packed javascript used for password hashing, so it is not totally secure by any means. First remove any spaces not absolutely necessary for compilation, then perhaps throw in some random and senseless spacing. Like carelessly written source, this makes the code almost unreadable without reformatting. You might also use standard perl-style identifiers [ie cryptic, vowel-less abbreviations] since, whether desirable or not, this always adds a layer of incomprehensibility to code )( ;-o )>

Joseph
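
The two-layer scheme suggested in the reply above, sketched for Node.js as an added example that is not part of the original thread. SHA-256 for the client layer, salted scrypt for the server layer, and all function names are assumptions; the thread names no specific algorithms.

```javascript
// Added example: client-side hash, then a second server-side hash before storage.
const crypto = require('node:crypto');

// Layer 1 (client): the value sent instead of the plaintext password.
// SHA-256 is an assumed stand-in for "any dependable hashing formula".
function clientHash(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Layer 2 (server): hash the received value again before storing it.
// scrypt with a random per-user salt is an assumed choice.
function serverEnroll(receivedHash) {
  const salt = crypto.randomBytes(16);
  const stored = crypto.scryptSync(receivedHash, salt, 32);
  return { salt: salt.toString('hex'), stored: stored.toString('hex') };
}

// Login: the same two formulas with the same salt give an identical value.
function serverVerify(receivedHash, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const candidate = crypto.scryptSync(receivedHash, salt, 32);
  return crypto.timingSafeEqual(candidate, Buffer.from(record.stored, 'hex'));
}

// Constructed sample credentials, for illustration only.
function demo() {
  const wire = clientHash('correct horse');   // what crosses the network
  const record = serverEnroll(wire);          // what lands in storage
  return {
    goodLogin: serverVerify(clientHash('correct horse'), record),
    badLogin: serverVerify(clientHash('wrong horse'), record),
    // The stored value is not the wire value, so a leaked store
    // does not directly yield something that can be submitted.
    storedDiffersFromWire: record.stored !== wire,
    // The wire value itself is what the server accepts, so it needs the
    // same protection in transit (TLS) that a plaintext password would.
    wireValueIsCredential: serverVerify(wire, record),
  };
}
```

No server-side decryption step or key file is involved: the server only ever compares hashes.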