Re: Obfuscating a Servlet
----- Original Message -----
From: Jeng Yu [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Friday, October 24, 2008 12:28 PM
Subject: Obfuscating a Servlet

> Hi All, I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment. Will doing this really protect my servlet and make it really difficult for someone to reverse engineer or decompile it, as people seem to say? Thank you.

Hi Jeng,

Yes it does. It can be reverse engineered and you can try it yourself; it's still there, but where something was StoreNames it is now just a. If they are determined enough they will reverse engineer it, but on a large project it's not easy to understand at all. Put it this way: on large projects, I can reverse engineer it and make it run, but even though I wrote the code, I can't follow it anymore ;)

I do it on very large projects but for a different reason: it optimizes the code and makes it smaller. Sometimes the size savings are very good, half the size, good.

It's an art, you have to play... Include all the TC libs in the LIB section, as well as the JRE, not the main section; this tells ProGuard not to mess with the interfaces. Run it and see what breaks; if it does, it means you may have to keep additional functions, and you must test really, really well. This is because ProGuard can guess wrong because of things like late binding, introspection etc. ProGuard is damn good but there are some things it just can't guess.

So the answer is yes, it works, but it's not just a util that you run without thinking... By the time you are done, you are really going to understand your code, and will probably change the structure a few times so that it optimizes well. Obfuscating makes it difficult to follow, but more important is that it teaches you about the code; for example, it may throw out a whole library or part of one that you thought you needed but didn't... You will spend hours on it, but on large jobs it's worth it...

Obfuscating is not a replacement for security, like hiding a password in the code; that's a different technology. Obfuscating is more about optimizing download sizes than stopping hackers; that's why we use it.

Have Fun

---
HARBOR : http://www.kewlstuff.co.za/index.htm
---
If you can't pay in gold... get lost... http://coolharbor.100free.com/debt/usadebt.htm

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Obfuscating a Servlet
Another tip: make your project into a LIB, and bring that into a skeleton webapp... so the webapp basically becomes a web.xml file and static data plus your lib... It's a nice way to do it. Then when you obfuscate... you're just working on normal Jars... it's easier.

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
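
A ProGuard configuration along the lines of the two messages above (Tomcat and JRE jars as library jars, explicit keeps for what breaks, the application packaged as a plain jar), as an added example that is not the poster's own configuration. The jar names, the /opt/tomcat path and the com.example.myapp package are assumptions, and the rt.jar location assumes a Java 8 or older JRE.

```proguard
# Added example, not from the thread. Hypothetical names: myapp-lib.jar,
# com.example.myapp, /opt/tomcat. rt.jar assumes a Java 8 or older JRE.

# Program code: only your own jar is shrunk, optimized and renamed.
-injars  build/myapp-lib.jar
-outjars dist/myapp-lib-obf.jar

# Library code: the JRE and Tomcat's jars are read for reference only and are
# never renamed, so methods inherited from the servlet API keep their names.
-libraryjars <java.home>/lib/rt.jar
-libraryjars /opt/tomcat/lib/servlet-api.jar
-libraryjars /opt/tomcat/lib/jsp-api.jar

# Tomcat instantiates these by the class names written in web.xml, which
# ProGuard cannot see, so the class names must survive.
-keep public class * implements javax.servlet.Servlet
-keep public class * implements javax.servlet.Filter
-keep public class * implements javax.servlet.ServletContextListener

# Classes reached through Class.forName() or other reflection with names
# ProGuard cannot resolve statically (hypothetical package).
-keep class com.example.myapp.plugins.** { *; }

# Objects placed in the HTTP session may be serialized by Tomcat.
-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}

# Keep enough metadata for usable stack traces and write the name mapping so
# they can be decoded with ProGuard's retrace tool. Store mapping.txt away
# from the deployed webapp: it reverses the renaming.
-keepattributes Exceptions,Signature,SourceFile,LineNumberTable,*Annotation*
-renamesourcefileattribute SourceFile
-printmapping dist/mapping.txt
```

Each class that fails at runtime after obfuscation (ClassNotFoundException, NoSuchMethodException) usually points to a missing -keep rule of the kind shown for the reflection package.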
Obfuscating a Servlet
Hi All,

I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment. Will doing this really protect my servlet and make it really difficult for someone to reverse engineer or decompile it, as people seem to say?

Thank you.

Jeng
RE: Obfuscating a Servlet
From: Jeng Yu [mailto:[EMAIL PROTECTED]

> I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment.

As long as ProGuard doesn't hack around with the servlet interface calls, you should have no problem. However, I've never tried.

> Will doing this really protect my servlet

No.

> and make it really difficult for someone to reverse engineer or decompile it, as people seem to say?

Obfuscation makes it *more* difficult to reverse engineer, as (for example) the names of functions and types no longer give any clues. However, if there's enough information in the code to run it, there's enough to reverse engineer it.

It's like installing better locks on your house: fewer thieves will get in, but a determined thief will always do so. Generally via a way you didn't think of. For example, have you defended against someone breaking in and stealing the machine with your source code on? ;-)

- Peter
Re: Obfuscating a Servlet
Hi,

Obfuscation makes it harder to reverse engineer your code, nothing more. If your code is of interest, there are people who can reverse engineer it.

If you want to make sure people can't read your code, use a wrapper to encrypt it and decrypt it through a value you can provide through the context. Combining these would prove even more effective. Still, if it can be executed at some time it will be bytecode and can be decompiled as such.

Preventing others from reading the code usually has more to do with good protection on OS level and storing source in a safe place.

Hope this helps

Regards,
Serge

On Fri, Oct 24, 2008 at 12:28 PM, Jeng Yu [EMAIL PROTECTED] wrote:

> Hi All, I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment. Will doing this really protect my servlet and make it really difficult for someone to reverse engineer or decompile it, as people seem to say? Thank you. Jeng
Re: Obfuscating a Servlet
What is the risk? Do you deploy it in your own Tomcat environment where only you have access, or do you distribute your class files?

Ronald.

On Friday, 24 October 2008 at 12:28, Tomcat Users List users@tomcat.apache.org wrote:

> Subject: Obfuscating a Servlet
> Date: Fri Oct 24 12:28:50 CEST 2008
> From: Jeng Yu [EMAIL PROTECTED]
>
> Hi All, I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment. Will doing this really protect my servlet and make it really difficult for someone to reverse engineer or decompile it, as people seem to say? Thank you. Jeng
Re: Obfuscating a Servlet
If someone can get your .class file - someone can reverse engineer it. Obfuscating will slow someone down, not prevent.

If people only have access via web browser, then only server side code is being executed and people can never see your binaries on your server, so the only way to reverse engineer is to use a black box approach - which is typically LOTS harder to get right.

-Tim

Jeng Yu wrote:

> Hi All, I just wanted to know if I can first obfuscate my servlet with ProGuard before I deploy it in Tomcat environment. Will doing this really protect my servlet and make it really difficult for someone to reverse engineer or decompile it, as people seem to say?