Minification v Obfuscation

By YUI TeamMarch 6th, 2006

JavaScript is a load-and-go language. Programs are delivered to the execution site as text (not as executable or semi-compiled class files) where it is compiled and executed. JavaScript works well with the Web, which is a text delivery system, because it is delivered as text.

There are two downsides of textual delivery of programs. The first is code size. The source can contain material (such as whitespace and comments) which aids in the human interpretability of the program, but which is not needed for its execution. Transmitting superfluous material can significantly delay the download process, which keeps people waiting. If we could first strip out the whitespace and comments, our pages would load faster.

The second downside is code privacy. There might be a concern that someone could read the program and learn our techniques, and worse, compromise our security by learning the secrets that are embedded in the code.

There are two classes of tools which deal with these problems: minifiers and obfuscators.

A minifier removes the comments and unnecessary whitespace from a program. Depending on how the program is written, this can reduce the size by about half. An obfuscator also minifies, but it will also make modifications to the program, changing the names of variables, functions, and members, making the program much harder to understand, and further reducing its size in the bargain. Some obfuscators are quite aggressive in their transformations. Some require special annotations in the source program to indicate what changes might or might not be safe.

Any transformation carries the risk of introducing a bug. Even if the obfuscator didn’t cause the bug, the fact that it might have is a distraction which will slow down the debugging process. The modifications to the program also add significantly to the difficulty of debugging.

After minifying or obfuscating, you should GZIP. GZIP can further reduce the size of the program. GZIP is so effective that the difference in the efficiency between minification and obfuscation becomes insignificant. So I prefer minification with GZIP because I don’t have time for programming tools that can inject bugs into good programs.

  Full Source Minified
Uncompressed 78151 38051
Compressed with gzip 15207 10799

The table shows the results of using a minifer and gzip on a 78K source file. The result of using the two techniques together produced a result that is only 14% the size of the original source file.

Then finally, there is that question of code privacy. This is a lost cause. There is no transformation that will keep a determined hacker from understanding your program. This turns out to be true for all programs in all languages, it is just more obviously true with JavaScript because it is delivered in source form. The privacy benefit provided by obfuscation is an illusion. If you don’t want people to see your programs, unplug your server.

61 Comments

  1. I was really blinking on GZIP till I read the elaboration above by James Mortensen. Thanks a lot, James!

  2. To add on, the more common compression is gzip (Accept-Encoding: gzip). So far, deflate is used by far fewer server and produce slightly worse compression.

    Someone mentioned Transfer-Encoding being similar to this. That’s not true. Transfer-Encoding allows “chunked” transfer, that is transferring partial content whenever it becomes available instead of waiting for the entire content to be fully generated (especially for dynamically generated page). This results in faster visual cue response as browsers can start rendering earlier.

  3. Thanks for the short and sweet introduction.

  4. Obsfucation is like a lock on your house door – it is just a mild deterrent.

    If somebody really wants to get into your house they will just break a window, or kick your door through.

    Now – who here doesn’t have a lock on their door???

    That’s a wrong analogy.

    Obfuscation is like painting a lock on your door, hoping that it would fool would-be thieves. Real security is placing a real lock on your door.

  5. The analogy of putting a lock on your door is 100% correct. No one believes obfuscation is foolproof, but it’s enough to deter all but the most dedicated people from stealing your code.

    There are a lot of comments here indicating that a website shouldn’t be based on javascript, or that all code should be served up un-obfuscated and un-minified. Let’s see, by that reasoning, since no server is 100% secure, all of your server-side code should be freely available too. In fact all software worldwide should have freely available source code.

    That’s a great approach for cheapskates, open-source evangelists, students, and others with no intellectual property of their own. But good luck running your business that way.

  6. > No one believes obfuscation is foolproof,
    > but it’s enough to deter all but the most
    > dedicated people from stealing your code.

    The most dedicated people are the only ones you have to worry about.

  7. There are a lot of comments here indicating that a website shouldn’t be based on javascript, or that all code should be served up un-obfuscated and un-minified. [...]
    That’s a great approach for cheapskates, open-source evangelists, students, and others with no intellectual property of their own. But good luck running your business that way.

    Now that’s certainly a big leap from what I gleaned off here, but that’s okay.

    It might help to point out this explicitly: minifiers and obfuscators are tools designed for two entirely different purposes. That they /may/ share some common behavioural treats is, well, a bit of an accident, really: what is easy to grok by machine is quite often hard to grok by human, and vice versa (consider these prime examples: (1) machine code (can you ‘read’ byte code EB 34 90 ? Your computers can, and bloody quickly too), and (2) natural language processing (still a darn tough job for computers, no matter the huge amount of extreme-IQ ingenuity we’ve been throwing at it for decades now, while your 3-year old kid will need no help whatsoever but a couple of crayons when you say “can you draw a happy family for me, please?”)

    minifiers are designed with the intent to speed up the subsequent process for machines: faster transmission, faster parsing, thus faster rendering of the pages served, which will help cutting down annoyance levels in web site visitors, among other things.

    obfuscators are created to make the stuff at hand hard to read for humans, while not increasing the difficulty level for machines by much; one of the ways such can be attempted is making it more ‘machine-readable’ as that (often) implicitly makes it harder for humans to read, and, thus they peruse some of the same mechanisms that a minifier does.
    I’d say that’s a similarity in implementation, rather than motive, and that’s the bit that may not be exactly all that glaringly visible in the original essay.

    I wholeheartedly agree with the no-security-through-obscurity argument. Furthermore, if you are deeply worried your IP (Intellectual Property) is grab-and-carry ready for Joe Avg. Burglar, then obfuscation is a very low grade security solution – I feel a different word would be fitting here, but let’s rephrase and say such that perceiving obfuscation as a solution would be, ah, ‘inconsiderate of your true [IP protection] needs’. P.T. Barnum would agree, I’m sure. ;-)

    Minifiers are a very useful tool and by now it should be clear that you can (and should) use them for purposes which do not touch your IP concerns. Heck, they’re environmentally friendly too: less to transfer == less electricity spent, less to parse == less heat dissipated, shorter waiting times == less frustration too.

    Obfuscators are cute but only serve as a valuable solution when your target audience is not very, ah, savvy.

    The only time I used obfuscator technology to good effect was when I was distributing Full Solution diskettes for all programming tasks when I was studying to become a Mech.Eng. – comment stripping, variable renaming and a bit of code reflowing was enough to thwart the plagiarism detection lobe of the man who checked and rated students’ submitted work. (Where was the money, or how did I protect my IP? It was not in the code (which was free), it was in the /service/: diskette to be had at cost, I don’t care who copies it; however, explanation and education about what you just copied required equal worth exchange, money or otherwise. The ones that didn’t need my service, didn’t need my diskette either, and if they did rip it, I knew from previous experience (at primary school) that those would then turn themselves into customers of my service in the long run anyway.

    Almost 2 decades in the IT biz now, I’ve sat at both ends of the obfuscation machine, and I always find it is not useful, unless you know your adversaries to be sub-par. And when they actually are, as in my real-life example above, spending serious time on obfuscation [tooling] is a waste anyway. The world is a bit bigger than that one man who presides over your pass-or-fail judgement at school.

    Minification, on the other hand, is a quite helpful solution/tool for several real-world problems a lot of folks have: transmission bandwidth issues and a need to reduce end-to-end response time. And I’m happy to see that it has enough impact to significantly aid pretty good compression algorithms that serve as another partial solution of these. That is, IMHO, the most valuable observation here.

    But then again, I admit to being a Mech.Eng. by formal education but having repeatedly used perfectly good screwdrivers as crowbars, chisels, hammers, can-openers, even as spark-testers, when the right tools were somehow absent from my FOV and all I had was a big, mean, screwdriver and a 23 chromosome-pairs carrying deadline breathing down my neck.

  8. :’-( No edit function: scratch ‘such’ in
    but let’s rephrase and say such that above.

  9. Almost 2 decades in the IT biz now, I’ve sat at both ends of the obfuscation machine, and I always find it is not useful, unless you know your adversaries to be sub-par. And when they actually are, as in my real-life example above, spending serious time on obfuscation [tooling] is a waste anyway. The world is a bit bigger than that one man who presides over your pass-or-fail judgement at school.

    Minification, on the other hand, is a quite helpful solution/tool for several real-world problems a lot of folks have: transmission bandwidth issues and a need to reduce end-to-end response time. And I’m happy to see that it has enough impact to significantly aid pretty good compression algorithms that serve as another partial solution of these. That is, IMHO, the most valuable observation here.

    But then again, I admit to being a Mech.Eng. by formal education but having repeatedly used perfectly good screwdrivers as crowbars, chisels, hammers, can-openers, even as spark-testers, when the right tools were somehow absent from my FOV and all I had was a big, mean, screwdriver and a 23 chromosome-pairs carrying deadline breathing down my neck.

  10. If you don’t want people to see your code… do it on the server side…