Email conversation
| From | Robert |
|---|
| To | Me |
|---|
| Subject | Is this script un-crackable? |
|---|
| Date | 22 October 2004 13:19 |
|---|
| Attachment | File containing a load of Base64 ecoded content (with underlying encryption) |
|---|
Hi,
I have attached an encrypted JavaScript file that was written and encrypted
with the script editor in eSignal. ([web address for eSignal])
I am considering writing several trading scripts for eSignal, but I want to
be sure they cannot be cracked. I would appreciate any input. Especially if
you can crack the attached script.
Thank You,
Robert
| From | Me |
|---|
| To | Robert |
|---|
| Subject | Re: Is this script un-crackable? |
|---|
| Date | 22 October 2004 8:42 |
|---|
Robert,
Please do not overestimate my abilities. I am not a security expert. To me
it looks like fairly good encryption since it has a fairly long key. I
would try analysing further, but the URL you gave me just displays an ASP
error message.
However, more importantly, I do not see how you would use this JavaScript
on a web page. To me, it looks like a file that is encrypted so that it can
be passed from one person to another. For this it would be very secure.
However, it would need to be unencrypted before it could be used on a web
page, since browsers do not have inbuilt support for decrypting this sort
of encryption. Since this would mean the use of the script in unencrypted
form, or inclusion of the decryption algorithm and key on the web page
itself, the security would be reduced to virtually nothing.
If you only want to pass the data from a web page to a server, and you have
the encryption (but not _de_cryption) code on the web page, and you use
this code to encrypt data on the web page and pass it back to the server,
this would be fairly secure. But you are still missing the certificates
which are supposed to confirm identity, so it would still not be as good as
real SSL.
Maybe I have missed the point here.
Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/
| From | Robert |
|---|
| To | Me |
|---|
| Subject | Re: Is this script un-crackable? |
|---|
| Date | 22 October 2004 13:11/td> |
|---|
Hello Mark,
Thank You for the quick response. I think that you are onto it. This script
is used within the eSignal software. As real-time price data comes into the
software, this script analyses it and draws an indicator line on the bottom
of the price chart.
Correct me if I am wrong, but once the software has unencrypted the script,
would it not be possible to monitor or eavesdrop on the software in such a
way as to see what the script is doing?
I would appreciate your thoughts.
Thanks!
| From | Me |
|---|
| To | Robert |
|---|
| Subject | Re: Is this script un-crackable? |
|---|
| Date | 22 October 2004 14:53 |
|---|
In theory, yes you could eavesdrop if you run a monitoring program on the
same processor, but no more than if you watched what you were doing inside
your own browser. There really is nothing to worry about here. Of course,
if eSignal allowed you to input your own commands (like with the address
bar can in most browsers), you could get it to do anything you wanted, but
I doubt this program would allow you to do this, so I suspect that this
should be safe to use.
| From | Robert |
|---|
| To | Me |
|---|
| Subject | Re: Is this script un-crackable? |
|---|
| Date | 22 October 2004 15:21 |
|---|
Thanks!