A website attempting to hide its HTML only delays crackers by seconds, becomes inaccessible to 30% of its visitors, and loses its ranking in search engines.
How code hiding techniques work
Code hiding techniques come in two parts:
- A JavaScript hack tries to prevent users using the right mouse button (combined with frames, this is supposed to prevent the user seeing the source code)
- A large section of JavaScript generates the code on the fly from an encrypted version (so even being able to see the source code shouldn’t help)
No problems for crackers
Users of the Mozilla Firefox browser can view the original page source easily. Just open the DOM Inspector (in the Tools menu), right-click on the HTML node (the one with the triangle next to it), choose ‘Copy XML’, and paste the code into your favourite text editor. The DOM Inspector shows the document tree that the browser uses to render the page, so no code-hiding technique can prevent crackers using this method.
Even if the cracker only has Internet Explorer available, it only takes seconds to get around code-hiding techniques. As an example, I produced a page on unlocking Weblock Pro in response to Weblock Pro spam sent to the SETI@home message boards.
Problems for legitimate users
30% of internet users have JavaScript turned off. Some are paranoid and don’t trust any active content. Others are fed up with pop-up windows, and would rather turn off JavaScript then buy a pop-up blocker (or download a decent browser that blocks pop-ups). Some are using devices that don’t support JavaScript (for example, mobile ’phones), or using a non-JavaScript browser by choice. Whatever the reason, these visitors cannot access the site.
A ‘solution’ is to use the <noscript> tag for unencrypted content. However, this can only contain a cut-down version of the page’s intended content, otherwise there would be no point in using code-hiding techniques. Page authors will then have to maintain two copies of the information on the page.
Problems for search engines
Search engines have the same problems as non-JavaScript users, and only see the cut-down unencrypted version, leading to lower rankings. Much more seriously, search engines are wary of sites that present the user with different information from that which the search engine saw. Search engines are getting better at detecting these ‘cloaked’ sites and frequently remove them from their indices. By using code-hiding techniques, a site may prevent itself from becoming listed in search engines.
Further reading
For more information on the use of JavaScript in web pages, and other usability issues, try Jakob Nielsen’s excellent book, Designing Web Usability:
- Designing Web Usability at Amazon.com
- Designing Web Usability at Amazon.co.uk (for British readers)