Are there any plans to enable protected code on HTML5?

[mariogarranz]

I was just wondering if this discussion was ever rised inside the WW3C. I can't seem to find many information about it.

I see HTML5 as a technology with a high potential for games and applications. However, having the source code and assets easily visible to anyone seems like a major problem that may be quite a handicap for bigger games.

It's probably something that we all can afford when we're developing small games which mainly use well known mechanincs, but would really developers invest years of work creating high quality games that someone else could just steal in a few days?

I see HTML5 already included some polemic media protection inside their code (Encrypted Media Extension) which I believe is used by copyrighted video streamers such as Netflix, so I wonder, does anybody know if this has ever been discussed, or if there is any kind of plan to make it easier to protect intellectual property?

[rich]

Try viewing the source of any Unity (WebGL), GameMaker or Construct2 game. Then tell me it's easy for anyone to steal that code

 

The same principals they use could be applied on larger scale games too.

[Sebi]

You can easily decompile any swf or even exe file too.

You would be surprised about the amount of top notch flash games that don't obfuscate their code at all.

Everything always has to be readable in order to run on your computer no matter what language it is.

That said, HTML5 is not less secure than any other language.

[JUL]

Damn my message was eaten again by this gaddamn message board !

 

 

Bottom line no 100% foolproof way to protect your code, most of the time it's people who can barely code in the first place that will attempt that.

 

http://stackoverflow.com/questions/194397/how-can-i-obfuscateprotect-javascript

[mariogarranz]

Obviously there is not a system that is 100% secure, but come on guys, don't compare an HTML5 game with an standard native code game. Of course all can be hacked, but the effort required to extract the assets from an HTML5 game is ridiculous. And even with an obfuscated code, it's really easier to debug, find constants such as strings, etc. 

Not only in terms of intellectual property, but also in order to avoid cheating on multiplayer games.

Coding in a different language and using a JS "compiler" really produces a harder to read code, but that means you require external tools, and can't code directly in JavaScript. And even then, the code is a hundred times easier to debug and hack than any other native application.

That's how I see it at least.

Anyway, I guess none of you knows if the W3C ever said something about this?

 

[rich]

Cheating on MP games should never be an issue, because no sane MP game would ever calculate important values client-side anyway. So if anything they're the "safest" sort of game to create. Dumb slaves to the server based logic.

 

If code security is a major concern for your project, you don't code it in JavaScript. I think it's as simple as that really. There are plenty of other alternatives.

 

Grabbing assets is easy, yes. But most the games on my PC don't even bother to hide those any more. I can browse folders full of assets in lots of commercial games. These days you protect your assets with IP law, not software.

[JUL]

Ha, now when I hear about W3C I think about that DRM story.

 

http://www.infoworld.com/article/2612478/html5/berners-lee-and-w3c-approve-html5-video-drm-additions.html

https://www.techdirt.com/articles/20131016/06583824895/drm-html5-what-is-tim-berners-lee-thinking.shtml

 

 

Anway the spirit of the web is supposed to be open rather than closed in the first place ...

 

If you really need some closed patform/format, then I think it's not the most suited.

[mariogarranz]

#6 That's true, but smaller independent teams may find it very difficult to defend their property legally when probably whoever takes advantage of it will not even be living in the same country. Also, you're right about having multiplayer code on a server, but you can't have it all on the server, and I have seen games from big companies such as Blizzard easily hacked (speed hacks, teleporters, etc.) inside their client code, because you will have to trust your client side at least to a certain point.

 

#7 Yeah, that's what I meant in my first post. They did that for video, so I was wondering if there has been any mention about that for any other parts such as code or images. 



About forcing developers to be open on the web... well I don't agree with that. It's ok that you can create open source apps and games and share it if you want, but when there's money involved people will take advantage of anything, and allowing people to make it closed would empower the creation of more games.

 

There are dozens of examples out there. I can only imagine if the creators of Threes! would have developed the game with open source, all those people who "stole" their idea would have also stolen their code if they could. Indeed, if tools such as JScrambler exist and make money is just because people are willing to create things over JS, but don't want anyone to see their code.

I understand what you guys mean, but I don't think many people would risk years of work developing a game under those circumstances. 

Anyway thanks for your opìnions

[JUL]

I get your point mariogarranz, but the thing is, it's hard to make a turtle fly or an eagle crawl.

 

Eagle was made to fly and turtle to crawl.

 

The combination HTML/JS/CSS was anything but designed to provide a reliable way to maintain code closed/protected, rather the opposite.

 

 

Now there are licenses.

 

For instance flod.

 

http://www.photonstorm.com/flod

 

It's not really free as do whatever you want with it.

 

It's free for non commercial purpose.

If you want to use it for commercial purpose, the author gives you an individual license allowing you to do so, in exchange for a donation, starting at $5.

 

 

I could make a clone of flod or part of it, rewrite it to circumvent the license.

But why would I do that ?

 

It's only $5 or more if you want to give more...

 

 

I planed to buy that license, still plan to, just got tons of setbacks recently, so it got delayed.

 

 

But I digress.

 

 

My point is that there are ways to deal with the issue, cleverly.

 

A big or medium sized company will NEVER attempt to steal anything, unless they are trying to figure a way to go for suicide by juridical means.

It's jackpot for you if you catch them doing that, literally.

 

 

Now for independents devs ...

 

If you can provide a way to prove that you're the original author and that they stole most of your work (not just a function name), and contact the platform hosting the said copy/stolen work (such as appStore or whatever) and give them that proof, chances are, they will gladly shutdown the thieve's account and ban its user.

I'm not sure about that however, but it's in their best interest to not let that kind of stuffs happen in their market place if you see what I mean.

[rich]

If you can't defend your IP legally then it makes no difference how well protected your images are. If they appear on screen, they can be captured. It's really as simple as that. And even if by some amazing visual piece of technology that doesn't exist they could never be captured, they can always be redrawn by another artist and stolen that way. I think it's utterly pointless spending time trying to prevent this, because it's an impossible aim.

 

I agree games like WoW have been MP hacked in the past, but you're not going to be making WoW, or anything even slightly close to it. Unlike Blizzard, you can afford to process all game logic server side, and should do so. Especially for browser based games. You should be thinking Clash of Clans or Rage of Bahamut, not Blizzard level games. Those are better comparisons, and they're about as dumb client as you can get.

 

Threes was cloned because it was such an easy concept to clone. The visibility of the source made no difference to this. Same for Flappy Bird or Swing Copters, or any other successful game really. The source code is irrelevant, it was the concept that was the target. I'd even argue that even if they had open sourced the code, lots of devs would still have chosen to recode it anyway because it would have been less hassle than working out their code.

 

I've seen loads of Flash games that took years of development, with source that a script kiddie could get at with simple tools. It had no impact on their success. As with all games that was down to how unique they were, how well designed and how well marketed. Source code visibility has never been a 'success factor' in any example I can think of.

[rich]

To actually answer your question though: I don't expect to see source code or image level DRM any time soon, and I don't know of any W3C proposals even considering it outside of video / EME. You can see the discussion on that here: http://www.w3.org/community/pua/wiki/Digital_Rights_Management

[Gio]

Your question has been answered but, just to add a couple of points:

 

If you want to make it hard for people to copy your assets, you can do so in JavaScript, in much the same way as any other language. You can manipulate binary data, so do it if you think it's worth doing. For example - pre-process your images so that every byte is xor'd with a constant, then when the image is loaded use getImageData() and repeat the process to restore the image in memory.

 

Regarding code - the best way of protecting it is, like Rich and others said, having it run only on the server. But even for client code, there are things you can do to make it hard for other people to understand what your code does.

 

The worst thing you could do, is use a popular compiler / scrambler tool with the intent of hiding your code. If it's a popular tool, someone will have found a way to reverse it (and this is true for tools that scramble executable binary code too). Write your own custom tool instead, be creative, and don't tell anyone how you've done it  

 

You think that reverse-engineering a JavaScript app is substantially easier than a compiled language, but that's debatable... with the right tools, an .exe can be decompiled and modified in no time at all if you know a bit of assembly. It all depends on how determined you are to make it difficult for other people to crack it, and how determined  these people are.

 

The fact that JS is an interpreted language may actually be an advantage for you: you can hide code anywhere (in images, audio, etc) and just eval it at runtime.

[mariogarranz]

Thanks guys for your responses. Even though what I was actually asking is what Rich answered on #11, knowing your opinions on the topic is really interesting.

[mfdesigner]

Another option is to add your own application level end-to-end encryption.  

Since encryption and decryption are all performed at run-time, no one would be able to view your code unless they take time to browse the ram.

 

A few years back, we developed a solution to deliver javascript/HTML codes to an embedded mozilla browser using Public Key Infrastructure.

The performance was quite good in C++.   After porting our platform to pure javascript, I could not find a solution to 

do AES-256 encryption in reasonably amount of time.  (1MB of code takes about a minute to encrypt.)

 

However, this crypto lib may offer a good alternative:

 

http://crypto.stanford.edu/sjcl/

 

Since GPU offers massive parallelism, I wonder if it is possible to come up with an encryption/decryption scheme using just shader, which would be many times faster than javascript-based algorithm?

 

Found an answer to my own question

 

http://http.developer.nvidia.com/GPUGems3/gpugems3_ch36.html

 

 

Our results were obtained by processing a plaintext of 128 MB filled with random numbers and averaging measurements from ten runs. As illustrated in Figure 36-9, the throughput for the vertex program is 53 MB/sec, whereas for the fragment program, the throughput is 95 MB/sec with a batch size of 1 MB. Our implementation spends most of its processing time in referencing tables—in other words, fetching textures.

 

[excelsoftware]

Here are two approaches to consider.  Both prevent source code viewing by the user. 

 

DocProtect wraps your HTML5 based project into a protected EXE for Windows or APP for Mac.  See http://www.excelsoftware.com/docprotect

 

SafeWebApp enables device specific Serial Number activation of protected web content.  See http://www.safewebapp.com.

[excelsoftware]

Yes, you can generate protected Mac, Windows and now Android apps from HTML5 source files.  This PDF show you how to generate an Android APK from your HTML5 source files or other document types including EPUB, MP4 or PDF.

 

http://www.excelsoftware.com/download/generate_android_app_part1.pdf