|Secure distribution of NodeJS applications||Jeremy Rudd||2/23/12 7:56 AM|
What: Can NodeJS apps be distributed as binary? i.e. you compile the .js app via V8 into its native binary, and distribute the binary to our clients? ... or is minifying the code all you can do?
Why: We build serverside applications in NodeJS for clients, that often have to be hosted on the client's servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.
Shamelessly cross posted on: http://stackoverflow.com/questions/9413123/secure-distribution-of-nodejs-applications
|Re: [nodejs] Secure distribution of NodeJS applications||Ben Noordhuis||2/23/12 8:27 AM|
[Insert obligatory "get better clients" comment here.] :-)
V8 has a feature called snapshotting where it loads JS and spits out
|Re: [nodejs] Secure distribution of NodeJS applications||chrisrhoden||2/23/12 8:28 AM|
Why not distribute a VM?
|Re: [nodejs] Secure distribution of NodeJS applications||Rob Ashton||2/23/12 8:28 AM|
I thought snapshots also included the source code - at least that was my understanding from a previous thread on the same matter?
|Re: [nodejs] Secure distribution of NodeJS applications||Tim Caswell||2/23/12 8:40 AM|
|Re: [nodejs] Secure distribution of NodeJS applications||Jeremy Rudd||2/23/12 8:54 AM|
Don't know much about C++ addons. Can they access NodeJS objects as usual? All classes and functions?
Anyways, about the VM thing, is it possible to capture the snapshot the V8 engine generates, and then use that to run the app?
Regardless, if you're saying that the Node/V8 engines keep the source code in memory, that means less security. So I'll have to resort to source code obfuscation / uglification.
|Re: [nodejs] Secure distribution of NodeJS applications||Tim Caswell||2/23/12 8:58 AM|
|Re: [nodejs] Secure distribution of NodeJS applications||chrisrhoden||2/23/12 9:00 AM|
My recommendation as far as the VM is simply to package up a VMWare appliance or something similar and have the clients run it on their network. You don't need to give them passwords if you have configured it correctly.
|Re: Secure distribution of NodeJS applications||Matt||2/23/12 10:45 PM|
I have a similar requirement for a project, and came to the conclusion that node core could be extended and recompiled to produce custom binaries (someone with more knowledge can correct me if I am wrong here). With a little bit of care, you should also get the benefit of all the cross-platform capabilities that the project offers. However, I think at the moment this sort of "core extension" is a little tricky to accomplish elegantly, which led me to create this issue: https://github.com/joyent/node/issues/2584. At any rate, I would also be interested if someone has a better solution to the original question.
|Re: Secure distribution of NodeJS applications||Lalo Martins||2/24/12 10:52 AM|
quoth Jeremy Rudd as of Thu, 23 Feb 2012 07:56:43 -0800:
> *What:* Can NodeJS apps be distributed as binary? ie. you compile the
> *Why:* We build serverside applications in NodeJS for clients, that have
> *Shamelessly cross posted on*:
This is a terrible, terrible misguided idea. And please don't co-opt the
Distribute your product with source. If your clients have enough
And then make it a big deal in your promotion material that it comes with
If somebody “steals” your work, sue them. Contract law is more than
If the problem is more about especially clever things you do to solve
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Baz||2/25/12 1:51 PM|
Ok, I tried my best to keep my peace, but I can't resist posting this.
|Re: Secure distribution of NodeJS applications||manimal45||2/26/12 6:18 AM|
I think original poster knows about business/contracts protection.
His question seems to me technical, and would be far from ideal to
consider the case closed.
Aside from the "secure" aspect, I believe the very first intent of
node.js was to easily build scalable network applications.
Now, imagine you've built an amazing service on top of hook.io, or
cluster or whatever with many small node.js "agent".
What do you say to your customers when it comes to deployment?
Today, you need to install python, node .... and then install the
package .... and its dependencies ... and cross your fingers for everything to
It would be awesome if 'customers' could download node.js apps as
This would open the road for many new applications where a central
"cloud" server instance could communicate with customers
infrastructure via agents.
I'm surprised there's no easy way to deploy node.js easily. But maybe
|Re: Secure distribution of NodeJS applications||mscdex||2/26/12 7:09 AM|
It'd be neat to be able to have specific modules' (bundled in the node
executable) exported functions not show their source code
when .toString()'ed, kind of like how native C++ functions show
"[native code]" when .toString()'ed.
|Re: Secure distribution of NodeJS applications||billywhizz||2/26/12 4:16 PM|
if you put your js libs in the lib directory of the node.js source and
run make, the libs will be included as natives in the compiled node
binary. you can then just require them without a path. e.g. if you
have a module named test.js in the lib dir, then just do the
var test = require("test");
of course, this won't stop anyone being able to inspect the source of
your module at run time but it will enable you to release your whole
application as a single executable.
|Re: Secure distribution of NodeJS applications||Jeremy Rudd||2/27/12 12:52 AM|
On Feb 24, 11:52 pm, Lalo Martins <lalo.mart...@gmail.com> wrote:
I'm a dev, not management. I understand the field internally and so
I'm trying to start discussions to securely distribute NodeJS apps.
Anyone want to vote on whether C++ EXEs are harder to decompile than .NET
EXEs? Just throw the damn thing into Reflector and voilà! With C++
you never really get great code.
I work with assembly and IL. Source code can be compiled perfectly.
Decompiled code almost NEVER compiles perfectly, the program crashes
and/or strange errors appear. Binaries force the reverse engineer to
work with assembly at a low level. Source code allows any idiot
programmer to have a go at it.
We're trying to protect our application from clients, not GIVE it to
them. We're distributing applications that are run internally in
organizations. We won't even KNOW if they are running hundreds of
instances/copies of our software.
Binaries will slow them down. Enough to be helpful.
Patents give away the techniques. Ever wonder why McDonald's machines
are not patented? Did you know that in China, for instance, the govt
openly allows local companies to copy techniques described in patents?
So much for patents.
That's not for you to judge :) .. and not for me to judge either. I'm
a dev, not a forecaster.
|Re: Secure distribution of NodeJS applications||Jeremy Rudd||2/27/12 12:58 AM|
I second this. There needs to be a way to 'compile' nodeJS apps into
a binary format, AND a way to distribute this as a self-extracting
installer. Look at Firefox; I mean, they don't ask you to install from
source. Custom branding would also improve the business-value of
distributing NodeJS apps. It looks more pro.
|Re: Secure distribution of NodeJS applications||Jeremy Rudd||2/27/12 1:00 AM|
Exactly. I mean which application framework on earth allows you to
"view source" from the BINARIES?! (except HTML/JS!) The toString()
function should just return a blank string from binary NodeJS apps.
This would be really useful.
|Re: Secure distribution of NodeJS applications||Brandon Benvie||2/27/12 2:26 AM|
|Re: Secure distribution of NodeJS applications||Brandon Benvie||2/27/12 2:31 AM|
|Re: Secure distribution of NodeJS applications||Jeremy Rudd||2/27/12 2:36 AM|
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Timma||2/27/12 2:27 AM|
In my opinion, this is not a Node problem to solve. Obfuscation/source code hiding is an opportunity for a third party to make a native module to encrypt/decrypt source files.
And if you encrypt it, you'll have to somehow provide the key to decrypt it so it can be run anyway.
With Java and .NET, the decompilation tools may not give you code that always compiles, but they almost always give you enough information to add or replace the license checking functions and classes by replacing the appropriate DLLs/class files with your own.
If you need native code, do your coding in c++.
Most of us are standing on the shoulders of giants. This is why node is so great. But yet, we are selling software touting features that are really a gift from the Node community, and that we got for mostly free.
Try getting the same sort of quality in a web/network framework for free in the C++ world. You won't see many. The reason is simple: openness.
You pay for Node's goodness by being trapped in openness. Same as with Ruby, Perl, PHP and the like.
Bitching because the Node creators were generous enough to share their work with you, but not cheap enough to lock it down, is ludicrous.
Tim De Lange
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Oliver Leics||2/27/12 3:48 AM|
as a dev you are in the right position to tell the management the
Also: Maybe the business model is flawed or (at least) not optimal.
Go and tell the management the truth!
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Oliver Leics||2/27/12 3:52 AM|
A software company has to offer more than just a binary.
|Re: Secure distribution of NodeJS applications||Jeremy Rudd||2/27/12 3:57 AM|
Whatever format it is in, if you could just load the same datafile you
the source code again.
You don't need to encrypt the source if you can just work with the
intermediate data format. See above.
I'm sorry to sound capitalistic, but sometimes you need to make
commercial products for clients that are willing to pay. If my work
could be protected in such a case, it would help me. And yes, nodeJS
is a great gift, and I would look into giving whatever else I create
Sorry if I sounded like I was bitching, I was just trying to make
NodeJS a more professional platform: .NET, Java, Flash all allow you
to 'compile' your app in some way and so I was just asking if
something like this could be implemented for node.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Dean Landolt||2/27/12 6:02 AM|
On Mon, Feb 27, 2012 at 6:57 AM, Jeremy Rudd <jrudd.d...@gmail.com> wrote:
I was trying to keep my mouth shut but this is just too much. This short sentence is comically fallacious. To start with, if your clients are so willing to pay why are you bending over backwards to obfuscate? And nothing is stopping you from making commercial products -- certainly not node's license. This was addressed a few different ways in this thread, I'm not sure why you've chosen to ignore it. But more fundamentally: capitalism, like any economic system, is about the efficient allocation of resources in the face of scarcity. Once you've written your software it's no longer scarce. And please don't conflate capitalism with intellectual property -- the two are quite different.
Then do the damn legwork yourself. Node has a wonderfully liberal license -- and that's a very good thing. Frankly it's developers like you that are to blame for the scourge of GPL software. Do what you will with the code, but you could benefit from trying to grok why you're getting the kind of responses you're seeing.
More "professional"? Wow. Again, it wouldn't hurt to read up on the culture around open source -- if nothing else, it'll help you avoid getting flamed by saying things like this.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Timma||2/27/12 6:45 AM|
On Mon, Feb 27, 2012 at 4:02 PM, Dean Landolt <de...@deanlandolt.com> wrote:
There is no universal intermediate data format. Any binary representation that may be created in memory, is optimized and specific to the environment of that running instance, and will probably not run on all other installs of Node. This is not Java or .net.
Plenty commercial products make good money without needing strict copy protection. It is however true that certain markets are rife with piracy. And if your company is small and your clients are big, the balance of power might be against you. If this is the case, protect your program. However - don't lay this problem at Node's feet.
Remember, you are not a Node customer. Node owes you squat. The Node community shared their code with you, so you are the one who has the debt; if anyone needs to listen, it's you.
This is your problem, you've been given options, choose the best one and implement. If you have the same generous character as those before you, you will share what you make.
That's the great thing about opensource. You can fix it yourself.
Tim De Lange
|Re: Secure distribution of NodeJS applications||Lalo Martins||3/1/12 9:36 PM|
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Tim Caswell||3/2/12 6:29 AM|
I don't have experience with hiding source code (I tend to put everything I write on github out of habit), but I do know about keeping parts of code secure and out of the hands of anyone who might write a script using my library.
A quick example is a task I was working on at HP to add HTTP proxy support to nodejs services on webOS. Node services on webOS can be written by third-party developers and can contain dangerous code. webOS sandboxes these node scripts in their own process and also inside a chroot jail. But I needed to add a new http client API that transparently used the system's proxy settings if there was one. Remember people are often behind corporate firewalls and need credentials to access the outside internet through a proxy.
Now here is the dilemma. How can I give the node process the credentials without giving the user's script in the node process the credentials? We don't want third-party scripts having access to a user's corporate credentials, that would be a bad thing. There were two proposed solutions:
A: Run some node code at the beginning that gets the credentials from the system while the process is still running as root, hide the credentials in a private closure with no references and drop uid so that node code later can't ask for credentials. (something like this is already used to bootstrap the chroot). Expose a public http client API that has closure access to the credentials, but doesn't give them out.
A is security through user id permissions, B is security through obscurity. If the node script was able to reverse engineer the protocol the binary addon used in B to get the credentials, it could do the same itself and publish the protocol to other users.
The point is, if someone has your code, they can eventually reverse engineer what it's doing, but yes, binary addons are much harder to do this to. This problem isn't unique to node, and using binary addons is just as secure as anything else out there. Especially if the code is running a user's machine where they have full access to examine the binary's bits.
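Option A above, sketched as an added example (written here, not Tim's webOS code): credentials are read once while the process is still privileged, kept in a closure, privileges are dropped, and the public client only ever returns the response. `loadCredentials`, `dropPrivileges` and `transport` are hypothetical hooks standing in for a privileged config read, process.setuid()/setgid() and http.request().

```javascript
// Added example, not from the thread: closure-hidden credentials with a
// privilege drop, the shape of option A above. Assumed hooks (hypothetical):
//   loadCredentials()  privileged read of the proxy credentials
//   dropPrivileges()   e.g. process.setuid()/setgid() to an unprivileged user
//   transport(req)     e.g. http.request(); captured here, BEFORE any
//                      untrusted script runs, so it cannot be swapped later.
function createProxyClient(loadCredentials, dropPrivileges, transport) {
  const creds = loadCredentials();   // happens once, while still privileged
  dropPrivileges();                  // from here on the read cannot be repeated
  const authHeader = 'Basic ' +
    Buffer.from(creds.user + ':' + creds.pass).toString('base64');

  // Public API. Only this closure can see `creds`/`authHeader`; the returned
  // object holds no reference to them, and Function.prototype.toString() on
  // `request` yields this source text, not the values the closure captured.
  function request(url) {
    const res = transport({ url, headers: { 'Proxy-Authorization': authHeader } });
    // Return a fresh object so nothing the transport echoes back (such as the
    // request headers) reaches the caller.
    return { status: res.status, body: res.body };
  }
  return Object.freeze({ request });
}

// Runs the pattern against constructed stand-ins and reports what an
// untrusted caller could observe through the returned API.
function demo() {
  const events = [];
  const client = createProxyClient(
    () => { events.push('load'); return { user: 'alice', pass: 'hunter2' }; },
    () => { events.push('drop'); },
    (req) => {
      events.push('send:' + req.headers['Proxy-Authorization']);
      return { status: 200, body: 'ok', request: req };  // echoes headers back
    }
  );
  const res = client.request('http://proxy-test.invalid/');
  const observable = [
    JSON.stringify(res), JSON.stringify(client),
    Object.keys(client).join(','), client.request.toString(),
  ].join('\n');
  const leaked = observable.includes('hunter2') || observable.includes('alice');
  return { events, res, leaked };
}
```

A real bootstrap would run this before loading any third-party script and hand only the frozen client to it; the closure protects the runtime values, not the logic, which a debugger attached to the process can still read.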
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Tim Caswell||3/2/12 6:30 AM|
*add HTTP proxy support (I should check more before sending)
On Fri, Mar 2, 2012 at 8:29 AM, Tim Caswell <t...@creationix.com> wrote:
|Re: Secure distribution of NodeJS applications||Jeff Barczewski||3/2/12 8:08 AM|
One simple approach is to simply try to slow down the competition from stealing your code. Minimizing your code with something like uglify, should make it harder for someone to take code and continue to work with it (to make enhancements and changes), at least it would slow them down.
Then you continue to evolve your product with continual improvements making it less desirable for someone to go to a stagnant competitor.
Of course you can also open source some or all of the product and hopefully get the community to help improve the code, and just sell commercial licenses, support, add-ons or services. You could even have some parts that one needs to be connected to use (which are not distributed).
I do agree that having a way to deliver standalone node.js apps is valuable too. The more ways we can use and deliver node.js the better. It could start as simply a self extracting archive that launches itself and cleans up when done. I have used things like that before with windoze and Ruby until jRuby came along and made it better to use precompiled JAR. The packaging of the app into single file can also help with making it more difficult to get at the code.
Just my thoughts. Your mileage may vary.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Baz||3/3/12 6:49 PM|
And if your company is small and your clients are big, the balance of power might be against you.
In my experience, large enterprises pirate the least. They have too much to lose not to pay a little license fee, they pre-plan their expenditures far in advance, and the money comes out of a collective budget, not painfully from an individual's pocket.
Small companies are often too cash-strapped to pay for too many licenses - if they don't pirate, they just wouldn't use it (kind of like torrenting a movie you'd never pay for). Just charge enough to be happy knowing they're pirating, and wait for them to upgrade.
Don't sell to medium sized companies :)
|Re: [nodejs] Re: Secure distribution of NodeJS applications||tracker1||3/3/12 11:03 PM|
I don't know why he doesn't just create a few core components in a C library/module and use uglify or Closure to obfuscate the rest... Or, look into an ASP (Application Service Provider) model.
As to binary deployments... .net and java are both mentioned as more professional, and neither are stand alone deployments... I do .Net for my day job... I see this mindset a lot.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Alan Gutierrez||3/4/12 2:31 AM|
On 2/26/12 9:18 AM, manimal45 wrote:
> I think original poster knows about business/contracts protection.
> His question seems to me technical, and would be far from ideal to
> consider the case closed.
The original poster probably does not know about copyright and
This came up in comp.lang.perl.misc daily back in the day, before there
Appliance. Any x86 operating system can run as a guest on any other x86
|Re: Secure distribution of NodeJS applications||Ken||3/4/12 9:42 PM|
On Thursday, February 23, 2012 7:56:43 AM UTC-8, Jeremy Rudd wrote:
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Dean Landolt||3/5/12 6:45 AM|
Either you're misunderstanding PKI or I'm misunderstanding you. But you do realize that in this scheme you still have to hand your client -- the person you're trying to hide your valuable secrets from -- the private key? Sure, you can bury it in layers of obscurity but it's there, and with the right tools will be in plain sight at some point.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Oliver Leics||3/5/12 6:51 AM|
On Mon, Mar 5, 2012 at 6:42 AM, Ken <ken.wo...@gmail.com> wrote:
It is _not_ a philosophical conclusion that in most cases it is not
Technically none of the so called *coulds* are valid. They remain
Philosophically: You add all those layers not for real security, you
> I've thought about this a
This is _not_ secure, it's only a "make it as hard as we can"
As you said:
> This would
If you deliver the key with the encrypted content, why encrypt them at all?
> Some care would need to be taken to ensure that the
It's not "Some care", it is "Mission Impossible".
Been there, done that.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||billywhizz||3/5/12 8:59 AM|
Oliver is correct. I have had this argument many times. All you can ever do is make the source code difficult to get at, and it's a question of how much effort you want to expend to do that. With something like v8, it's going to be difficult to even make it difficult, as all someone will have to do is attach a v8 debugger and they can look at whatever they want...
The best you can do would probably be to compile the js source into the binary; at least that way it's not sitting on the filesystem as a text file so anyone can find it.
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Ken||3/6/12 1:32 AM|
On Monday, March 5, 2012 6:45:41 AM UTC-8, Dean Landolt wrote:
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Dean Landolt||3/6/12 2:15 PM|
On Tue, Mar 6, 2012 at 4:32 AM, Ken <ken.wo...@gmail.com> wrote:
The custom built node executable you "give" your client, per chance? QED.
|Re: Secure distribution of NodeJS applications||sahal||6/16/12 12:03 AM|
You can research things such as BoxedApp. They're quite expensive. They solve the problem.
|Re: Secure distribution of NodeJS applications||Matthew de Detrich||9/17/12 8:25 PM|
|Re: [nodejs] Re: Secure distribution of NodeJS applications||Mark Hahn||9/18/12 9:47 AM|
> Distributing source code means clients can easily steal our solution and stop paying licensing fees.
This has been a problem since the beginning of the software industry. The only proven solution is to give enough support to make it worth their paying for. Obfuscating and DRM never fully work. Even shipping binaries is just a form of obfuscation.
However, you can usually make money with obfuscation by just counting on most customers being too lazy to hack it.
I can buy almost any product, including microsoft products, on a warez site.
|Re: [nodejs] Secure distribution of NodeJS applications||Roger Wang||2/25/13 10:19 PM|
Jeremy Rudd <jrudd.d...@gmail.com> writes:
> *What:* Can NodeJS apps be distributed as binary? ie. you compile the .js
> app via V8 into its native binary, and distribute the binary to our
> *Why:* We build serverside applications in NodeJS for clients, that have
> often to be hosted on the client's servers. Distributing source code means
> *Shamelessly cross posted on*:
In node-webkit we just released an experimental feature for this -- the
feature. I believe the same thing can be done for Node.js
Roger WANG Intel Open Source Technology Center
node-webkit: Call all Node.js modules directly from DOM and enable
a new way of writing applications with all Web technologies.
|Re: [nodejs] Secure distribution of NodeJS applications||Igor Klopov||2/8/15 6:02 AM|
The V8 snapshot feature from nwjs was significantly improved
and injected in vanilla io.js/node.js. And EncloseJS was created.
EncloseJS is a compiler for io.js/node.js projects. The snapshots
don't include source code and can be of any size. No decryption
in compiled application - only execution of compiled native code.
|Re: [nodejs] Secure distribution of NodeJS applications||Boris Matos Morillo||2/8/15 7:37 PM|
This is awesome!!
On Sunday, February 8, 2015 at 9:02:08 AM (UTC-5), Igor Klopov wrote: