When I noticed more and more Web sites trying to detect and block ‘bad’ or otherwise unprofitable users (e.g. those using ad- or popup-blockers, privacy tools, etc.), and banking sites like the one I use trying to detect potentially compromised machines, I thought, “How long will it be until some unnecessarily clever dickface just adds a script to all its pages that validates the page’s CRC/hash/checksum?” One possible embodiment is that the page’s content is encrypted and embedded as a page comment, along with a small Javascript that obtains the encrypted payload’s expected CRC from somewhere (e.g. loading it from another page on the site, or it’s embedded in this page in some obfuscated way), and validates that the page contents have not been modified/filtered. The payload is then decrypted and written to the page using document.write() or similar, displaying the content. There are many possible variations on this theme – e.g., using the CRC (etc.) itself as the decryption key or, rather than resort to encrypting the entire document, send it all as plain HTML, but with the important parts hidden using DHTML attributes/tricks. After validating a preferred user, the on-page script unhides the contents.
This would deeeeelight many money-grubbbers and most anyone with an MBA, by doing two things:
1) Reject anyone who doesn’t have JavaScript enabled (they’re obviously not here to make you money. They probably have images disabled too, the commie bastards.)
2) Reject anyone whose ad-blocker filtered something on the page, thus changing its contents and invalidating the CRC.
Anyway, I got bored and looked into it today to see how much work would be involved for a suitably motivated dickface. Although a document.write() function has been around for a bazillion years to let a JavaScript write new contents to a page, it turns out that there is no corresponding document.read() function! In other words, maybe a script can’t just slurp in and parse the raw contents of the page it’s on. Maybe THAT is why I’ve never seen this used before. Of course, Dickface can get around this in quite a number of ways, which I won’t detail here. For some of them he may have to be content with only validating specific elements, not the entire page. Fortunately, there are ways to filter adverts that don’t necessarily change the page contents as seen by client-side scripts.
* Obligatory warning: I am not a JavaScript programmer (and have been mostly out of the whole Webmastering gig in general for the last 5 years or so), and this is not JavaScripting advice. No blogger-client relationship exists here. Yadayadayada…
Leave a Reply