by oxylibrium 1879 days ago
Pop open developer tools - Gmail's JavaScript is heavily obfuscated, not just minified. (I think it's a custom, self-modifying VM that's written in JavaScript, and it fetches pieces of itself over the network, like ReCAPTCHA).

This "DRM" plays at least some role in making the optimizers in V8 work a lot harder to get anything reasonable out of the spaghetti.

Why Google needs DRM for a web email app is beyond me.

2 comments

They're too embarrassed of all the shit code they've written that makes the app slow - so they obfuscate it to try to hide how shit it is - and in turn it becomes even slower ;)
>> Why Google needs DRM for a web email app?

The reason we use such tactics is to increase the barrier to reverse engineering, because our teams value their work. Some people claim that security through obscurity is bad. I challenge this view. I claim that every security defense, such as RSA, is an obscurity.

It's a matter of time until RSA breaks in the same way as Obfuscation does.

Gmail is not your let's-make-it-over-a-weekend kind of app. It's highly sophisticated and delivers huge value.

There are a lot of people who hate obfuscation. Some are communists and others are attackers.

My wife (she works in the fraud detection department) found an interesting attacker who masqueraded as a security researcher and student of X University, but in fact he was a criminal scum. He had reverse engineered the anti-fraud scripts of many websites and published them on GitHub for everyone to see. His main goal was to attract malicious buyers and sell them scripts that bypass this protection. It was one heck of a marketing scheme.

Brian Krebs also had a similar story on his blog.

I'll bite.

First, encryption is not "obscurity" in the same way you think DRM is.

Second, several other email providers don't think they need to rely on some performance-killing DRM to "protect" their web app (oh no, what of all the value!).

Outlook has a part of their files minified, but doesn't use any obfuscation; apps like ProtonMail[0] and Tutanota[1] are even open source.

(I'm actually starting to migrate off of Gmail to Protonmail myself.)

[0]: https://github.com/ProtonMail/proton-mail/ (the new site, on beta.protonmail.com)
[1]: https://github.com/tutao/tutanota

Oh, and there's no need to call people "communists", "attackers", or "criminal scum". Be civil.

Encryption is "obscurity". For example, Quantum computers will break RSA.

> Quantum computers will break RSA

Now, here it will take X amount of time, and so does breaking any protection like DRM.

The goal of any security method is increasing attack time.

TLS got attacked, SSL got attacked. History repeats itself. Period.

> Oh, and there's no need to call people "communists", "attackers", or "criminal scum". Be civil.

Why? I have a right to use these terms. What should I use instead?

Would you call Osama Bin Laden "His Highness Bin Laden"?

The words exist for a reason. I use them in the appropriate context.

People don't understand the Russian soul. I'm very direct and speak my mind!

>> Second, several other email providers don't think they need to rely on some performance-killing DRM to "protect" their web app (oh no, what of all the value!).

>> Outlook has a part of their files minified, but doesn't use any obfuscation; apps like ProtonMail[0] and Tutanota[1] are even open source.

So? What's your point?

You have Linux, which is open source, and you have Windows (a lot of parts, including their licensing, are obfuscated).

The performance hit is minimal. ProtonMail & Tutanota are way slower than GMail and lack cutting edge features we offer.

Gmail vs Outlook is like Ferrari vs Toyota.

Gmail has great UX even my grandmother can use it.

The point is that nobody relevant is going to get stopped by this DRM. That's because nobody relevant is likely to even try copying it in the first place, and if an economically relevant party were so unwise, I expect google's legal resources are sufficient to discourage plain copying, even if a court case is never won. They might learn some tricks sure, but the chances of gmail's client side bits doing anything that novel that's also competitively important are slim to none. (And if there really is some kind of secret sauce that needs protecting, relying on DRM seems quite... optimistic.) Finally, we're only talking front-end here, not backend; and surely that's at least as important a part of the value proposition here.

While there may be a case for DRM in some places, gmail is almost certainly not it.

>> I expect google's legal resources are sufficient to discourage plain copying, even if a court case is never won.

Attackers don't care about laws. All they care about is their end goal.

You have fraudsters who game AdWords, reCaptcha, etc.

Gmail is a strategic tool.

>> the chances of gmail's client side bits doing anything that novel that's also competetively important are slim to none

You are underestimating the value of the Gmail product. I'm not allowed to share what kind of value the client side has, but it certainly does.

>> While there may be a case for DRM in some places, gmail is almost certainly not it.

Again, you are underestimating the value Gmail provides to consumers.

This country is a democracy. Companies can obfuscate or de-obfuscate code at their wish, whether there is value or not.

Privacy people can use privacy-oriented tools or go build their own, seriously.

DRM is a billion dollar industry!

How exactly is a post-logged-in-app obfuscation supposed to be relevant to fraudsters that game the AdWords and reCaptcha etc?

Obviously people and corporations can choose to obfuscate; their prerogative. Doesn't mean it's effective nor wise in every instance, though, does it? Gmail is entirely free to waste effort and make its app slower and less (easily) maintainable, no question there.

> The performance hit is minimal.

I'll bite once again - from personal experience, I knew Gmail is slower than ProtonMail, but I tested it anyway. I loaded both Gmail and ProtonMail, using the browser's profiler. Gmail spent 6x the time ProtonMail did in the garbage collector, and 2x the time ProtonMail spent in the JIT compiler.

DRM is a contributor to that.
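The "VM written in JavaScript" obfuscation described at the top of the thread, and the profiler comparison above, are easier to reason about with a concrete instance in hand. The following is an added example, not code from the thread or from Gmail: a toy stack-based bytecode VM next to the plain function it hides. Both compute the same thing; the plain version is a loop the JIT can compile directly, while the VM version exists only as data fed through a generic dispatch loop, which is the part of such schemes that makes the engine's optimizer work harder. The opcode numbering, bytecode layout and workload are constructed for illustration; real obfuscators go further (self-modifying bytecode, code fetched over the network), which this toy does not attempt.

```javascript
// Added example (not code from the thread or from Gmail): a toy stack-based
// bytecode VM in JavaScript next to the plain function it replaces. Opcode
// numbers, bytecode layout and workload are constructed for illustration.

// Plain version: a tight loop the JIT can type-specialize and compile directly.
function sumOfSquaresPlain(n) {
  let total = 0;
  for (let i = 1; i <= n; i++) total += i * i;
  return total;
}

// Opcode table for the toy VM (arbitrary numbering, an assumption of this example).
const OP = { PUSH: 0, LOAD: 1, STORE: 2, ADD: 3, MUL: 4, LE: 5, JZ: 6, JMP: 7, RET: 8 };

// Bytecode for the same computation. Locals: 0 = n, 1 = total, 2 = i.
// Jump targets are indices into this flat array (index noted per row).
const SUM_OF_SQUARES_CODE = [
  OP.PUSH, 0, OP.STORE, 1,                                          // 0: total = 0
  OP.PUSH, 1, OP.STORE, 2,                                          // 4: i = 1
  OP.LOAD, 2, OP.LOAD, 0, OP.LE,                                    // 8: loop head: i <= n ?
  OP.JZ, 34,                                                        // 13: if not, jump to 34
  OP.LOAD, 1, OP.LOAD, 2, OP.LOAD, 2, OP.MUL, OP.ADD, OP.STORE, 1,  // 15: total += i * i
  OP.LOAD, 2, OP.PUSH, 1, OP.ADD, OP.STORE, 2,                      // 25: i += 1
  OP.JMP, 8,                                                        // 32: back to loop head
  OP.LOAD, 1, OP.RET,                                               // 34: return total
];

// Generic dispatch loop. The engine now has to optimize this interpreter in
// general (data-dependent branches, an untyped operand stack); the real loop
// is invisible to it, because it lives in the bytecode array, not in the code.
function runVm(code, locals) {
  const stack = [];
  let pc = 0;
  for (;;) {
    const op = code[pc++];
    switch (op) {
      case OP.PUSH: stack.push(code[pc++]); break;
      case OP.LOAD: stack.push(locals[code[pc++]]); break;
      case OP.STORE: locals[code[pc++]] = stack.pop(); break;
      case OP.ADD: { const b = stack.pop(), a = stack.pop(); stack.push(a + b); break; }
      case OP.MUL: { const b = stack.pop(), a = stack.pop(); stack.push(a * b); break; }
      case OP.LE: { const b = stack.pop(), a = stack.pop(); stack.push(a <= b ? 1 : 0); break; }
      case OP.JZ: { const target = code[pc++]; if (stack.pop() === 0) pc = target; break; }
      case OP.JMP: pc = code[pc]; break;
      case OP.RET: return stack.pop();
      default: throw new Error(`bad opcode ${op} at ${pc - 1}`);
    }
  }
}

// Same function as sumOfSquaresPlain, delivered as bytecode for the VM.
function sumOfSquaresVm(n) {
  return runVm(SUM_OF_SQUARES_CODE, [n, 0, 0]);
}

// Portable wall-clock: performance.now() in browsers and modern Node, Date.now() otherwise.
const now = typeof performance !== 'undefined' ? () => performance.now() : () => Date.now();

// Run fn(n) `iterations` times and return elapsed milliseconds plus the last result.
function timeIt(fn, n, iterations) {
  let result = 0;
  const t0 = now();
  for (let k = 0; k < iterations; k++) result = fn(n);
  return { ms: now() - t0, result };
}

// Time both versions on the same input; the results must match, the timings will not.
function compare(n, iterations) {
  return {
    plain: timeIt(sumOfSquaresPlain, n, iterations),
    vm: timeIt(sumOfSquaresVm, n, iterations),
  };
}

console.log(compare(1000, 200));
```

Run it under Node or paste it into a browser console; both variants return the same number, and the VM variant is many times slower on any current engine because every arithmetic step pays for a fetch, a switch dispatch and two array operations on the operand stack. Hiding a program this way raises the cost of reading it in developer tools, but only until someone writes a disassembler for the opcode table, which is exactly the kind of work the thread's earlier comment about published anti-fraud scripts refers to.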

6x is minimal for me considering how complex Gmail is. It's not that slow. I can use it quickly and get up and running, and it's okay for anyone unless you're a person who is not patient for a few seconds.

You always have the option of loading "Basic HTML", and you can get a Protonmail- or Toyota-like experience there ;)

I don't know what your agenda really is. Attacking DRMs is bad.

You have issues like spammers abusing the Gmail interface to send emails using Google IPs, and there DRM rocks.

It's just a webapp for email. There are hundreds of them. There's nothing special about it to hide in the first place.

> It's just a webapp

That's it. You're underestimating hard work.

Try to create a full Gmail clone over weekend.