| |
|
Protect Your Code and Graphics - Or Not
Update:
Since posting this information, I've received a ton of e-mails from people who've used products to "encrypt" their Web content. These e-mails always arrive in the form of a challenge to get information from their "protected" Web site. In all of these cases, I have been able to provide the challenger with content from the site within just a couple of minutes.
Many Web developers are concerned about protecting their code and images from inappropriate use. There are plenty of offerings that claim to do just that. They range from JavaScript that prevents visitors to your site from accessing the right-click context menu to software packages that claim to provide encryption of your code so that no one can get it. Don't be ripped off by such claims. They just simply aren't true.
No Right-Click Detection
New Web developers frequently ask how to disable the right-click context menu on a Web page so that people can't view the source of the page or copy images on the page. There are plenty of Web pages on the Internet that explain why this is a futile thing to do, so I won't go into all of the details here. Suffice it to say that disabling the right-click menu does nothing but irritate many Web visitors.
I've always wondered why developers want to hide their source code anyway. HTML is not programming code. It is not intellectual property. For example, when I write an add-in that performs a particular function, I custom-code a particular implementation of accomplishing that task. If another company writes a similar add-in that accomplishes a similar task, they custom-code a different implementation. One implementation may be much better and more efficient than another, and the company possessing the better implementation has a legitimate need to protect the details of that implementation.
HTML, on the other hand, is entirely a different matter. If I develop a table in my Web page that breaks up a page's content in a particular way and someone else develops a table that breaks up a page's content in the same manner, both of those pages are implemented using the exact same HTML code. There is no intellectual asset involved. One person's HTML is just as good as anyone else's.
Software Protection
Recently, several software development companies have developed products which claim to protect all of your source code. A popular one is AntsSoft's HTML Protector. AntsSoft claims that HTML Protector will provide "complete protection" for your Web page. That just simply isn't true. I can get the source of a page "protected" with this product quickly and easily.
HTML Protector uses HTML encoding to scramble your code. What you end up with is page source that looks like the figure below.
Note: I obtained this source by simply browsing to the page and clicking View, Source in my browser. HTML Protector claims to protect you from this, but as you can see, it did nothing.
What is easily noticed is that the JavaScript code on the page is simply calling a function called unescape in the JavaScript seen at the beginning of the page. That long string of characters passed to the unescape function is the HTML of the Web page. To see the HTML, all you have to do is use the unescape function yourself and display the results.
I have a Web page that you can use to do this called decrypt.htm. Using this page, you can very easily see exactly what is in the HTML code, the links to images, etc. You can get the JavaScript or code AntsSoft uses on their sample page (or from any page protected with this product) by pasting in that encoded text. In other words, all of the things that HTML Protector claims to protect are easily accessible using their own JavaScript as a model! The image below shows an example of decrypt.htm with the HTML code from the sample page fully visible:
How does the decrypt.htm page work? It's quite simple actually. HTML Protector actually "encrypts" your page by just converting each character to its escaped value. When the page is browsed, the browser runs the JavaScript in the page, and that JavaScript simply calls unescape on the escaped HTML. Decrypt.htm does exactly the same thing. If you take the escaped code from the HTML Protector sample page and call unescape on it, you get the HTML source code. Look at the source code of decrypt.htm. As you'll clearly see, I was able to bust the protection of HTML Protector with literally one line of code.
Another disadvantage to using this method is realized when someone visits your site and has JavaScript disabled in their browser. What do they see? Nothing! Because these pages rely on JavaScript to create the page content when the page is browsed, if JavaScript is not enabled, the page doesn't get created. Now that's protection of content, but probably not the intended result.
AntsSoft claims the following on their Web site:
"With HTML Protector, you can protect everything on your web page, including HTML source code, JavaScript code, VBScript code, text, links and graphics. After successfully protecting your website, people will not be able to view or edit your source code, as well as JavaScript/VBScript."
I leave it up to you as to whether or not this claim is accurate. If you ask me, it's simply a waste of $30.00.
Protecting Images
As previously mentioned, attempting to protect HTML has no purpose because it cannot be considered intellectual property. Images are a different matter. Many professional photographers and artists post images on the Internet, and they naturally do not want visitors to hijack them without compensation. As I've already pointed out, the common methods of protecting images simply won't work. However, there is a way to uniquely identify an image as yours, and it's surprisingly hard to circumvent.
Digital watermarking has been around for a while, but very few Web developers truly understand the technology. When you say "watermark" to most Web developers, they picture semi-transparent text slapped on top of an image that indicates the source of the image. A digital watermark is nothing like this. In fact, a digital watermark is encoded into the pixels of an image and is not visible to the human eye.
Digimarc is one of the most popular providers of digital watermarking. Digimarc is included in Adobe Photoshop and many other image editing tools. When you apply a watermark to an image with Digimarc, the watermark is added to the entirety of the image. Therefore, even if you crop out large portions of the image, the entire watermark is retained and can be read. Digimarc offers a free watermark reader that can read watermarked images.
Yet One More Way to Grab Your Images - ALL of them!
Have you ever heard of SnagIt? It's a great piece of software produced by a company called TechSmith Corporation. The latest version of SnagIt makes it so easy to grab every single image from a Web site by just pointing it to the URL. SnagIt takes the URL and harvests all of the images on the site and saves them to your local hard drive.
Incidentally, if you've never tried SnagIt, I highly recommend that you do. You will wonder how you ever lived without it.
In Conclusion
If you want to protect your intellectual property on the Internet, research the issue before you set off to implement a particular solution. Find out if the solution you plan on putting into place will offer you sufficient protection. Evaluate whether or not protection is even necessary. I think you'll find that, in most cases, protection is not necessary, and in situations where it is, the common solutions provide no protection at all.
Of course the greatest protection of all is simple; don't put it on the Internet!
|