Javascript库:混淆或不混淆 - 这就是问题所在 [英] Javascript library: to obfuscate or not to obfuscate - that is the question
问题描述
我需要编写一个与GUI相关的JavaScript库。它会给我的网站带来一些优势(就我能提供的功能而言) - 直到我的竞争对手玩它足够长的时间来弄清楚如何自己编写它(或者最终破解下载的脚本)。我可以接受这样一个事实:它会随着时间的推移而被模仿 - 这对于课程(它的业务部分)而言是相同的。我只想在几个月的时间里呼吸人们去的地方哇 - 他们这样做了怎么样? - 这给了我几个月的免费宣传和一些推动其他事情的动力。
I need to write a GUI related javascript library. It will give my website a bit of an edge (in terms of functionality I can offer) - up until my competitors play with it long enough to figure out how to write it by themselves (or finally hack the downloaded script). I can accept the fact that it will be emulated over time - thats par for the course (its part of business). I just want to have a few months breathing space where people go "Wow - how the f*** did they do that?" - which gives me a few months of free publicity and some momentum to move onto other things.
要说清楚,我甚至不关心那些仍然会留下来的核心黑客破解消息来源 - 这是一场不值得战斗的失败战斗(无论如何我接受我的代码并非如此珍贵)。然而,我无法忍受的是,通过使用任何人都可以下载和使用的普通JavaScript,有效地简单地将所有可能进入图书馆的辛勤工作交给我的竞争对手。如果有人打算使用我的工作,那么我肯定不想简单地把它交给他们 - 我希望他们努力解码它。如果他们可以解码它,他们应该得到代码(他们最有可能发现他们自己可以编写更好的代码 - 他们只是没有商业意义将所有[普通的香草]组件放入特定订单) - 所以,我并没有声称没有人可以写这个(这在任何情况下都是荒谬的说法) - 而是,我所说的是没有人(到目前为止)已经提出了我正在讨论的功能,可供这个特定行业使用 - 而且我(认为是企业家而不是极客/编码员 ),想要为它的所有价值而榨取它,而它持续下去,直到它(不可避免地)被黑客攻击。
To be clear, I am not even concerned about hard core hackers who will still hack the source - thats a losing battle not worth fighting (and in any case I accept that my code is not "so precious"). However, what I cannot bear, is the idea of effectively, simply handing over all the hard work that would have gone into the library to my competitors, by using plain javascript that anyone can download and use. If someone is going to use what I have worked on, then I sure as hell don't want to simply hand it over to them - I want them to work hard at decoding it. If they can decode it, they deserve to have the code (they'll most likely find out they could have written better code themselves - they just didn't have the business sense to put all the [plain vanilla] components in that particular order) - So, I'm not claiming that no one could have written this (which would be a preposterous claim in any case) - but rather, what I am saying is that no one (up to now) has made the functionality I am talking about, available to this particular industry - and I (thinking as an entrepreneur rather than a geek/coder), want to milk it for all its worth, while it lasts i.e until it (inevitably) gets hacked.
这是一个确定的事实,不是一个行业的网站我攻击有这个功能,所以这个库的价值是不可否认的,不值得讨论(也就是说这不是我在这里要求的)。
It is an established fact that not one website in the industry I am "attacking" has this functionality, so the value of such a library is undeniable and is not up for discussion (i.e. thats not what I'm asking here).
我想要找到的是什么混淆javascript库的优点和缺点,以便我可以做出最终决定。
What I am seeking to find out are the pros and cons of obfuscating a javascript library, so that I can come to a final decision.
我最关心的两个问题是调试,以及混淆器可能引入的细微错误。
Two of my biggest concerns are debugging, and subtle errors that may be introduced by the obfuscator.
我想知道:
-
我该如何管理那些风险(能够调试错误代码,确保/最大限度地减少混淆错误)
How can I manage those risks (being able to debug faulty code, ensuring/minimizing against obfuscation errors)
你能推荐哪些优质的行业标准混淆器(最好是你的东西)使用自己)。
Are there any good quality industry standard obfuscators you can recommend (preferably something you use yourself).
您在生产环境中使用混淆代码的经验是什么?
What are your experiences of using obfuscated code in a production environment?
推荐答案
如果他们可以解码它们,他们应该得到代码(他们很可能会发现他们可能自己编写了更好的代码 - 他们只是没有商业意义将所有[普通香草]组件放在特定的顺序中。)
If they can decode it, they deserve to have the code (they'll most likely find out they could have written better code themselves - they just didn't have the business sense to put all the [plain vanilla] components in that particular order).
所以,你真的试图通过技术措施来解决业务问题。
So really, you're trying to solve a business issue with technical measures.
任何值得他作为Javascript程序员的人应该能够重新创建你的任何东西j很容易做到我看着产品本身,无需代码。这并不像你正在发明一些前所未见的新魔法,你只是以一种新的方式将各个部分组合在一起,就像你承认自己一样。这只是Javascript。
Anybody worth his salt as a Javascript programmer should be able to recreate whatever you do pretty easily by just looking at the product itself, no code needed. It's not like you're inventing some new magical thing never seen before, you're just putting pieces together in a new way, as you admit yourself. It's just Javascript.
即使您对脚本进行模糊处理,它仍然会按原样运行,竞争对手可以随身携带并运行它。即使使用混淆的代码,一些自定义也不应该太难。
Even if you obfuscate the script, it'll still run as-is, competitors could just take it and run with it. A few customizations shouldn't be too hard even with obfuscated code.
在您的利基业务中,如果有人偷走您的脚本,您可能会很快注意到。如果发生这种情况,这是一个法律问题。如果你的竞争对手想要合法清楚,他们将不得不从头开始重写脚本,这会自动给你买一些时间。
In your niche business, you'll probably notice pretty quickly if somebody "stole" your script. If that happens, it's a legal issue. If your competitors want to be in the clear legally, they'll have to rewrite the script from scratch anyway, which will automatically buy you some time.
如果你的竞争对手是在没有彻底窃取代码的情况下,技术上无法复制您的产品,代码是否清晰或混淆不会产生影响。
If your competitors are not technically able to copy your product without outright stealing the code, it won't make a difference whether the code is in the clear or obfuscated.
这篇关于Javascript库:混淆或不混淆 - 这就是问题所在的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
