Javascript Decrypt Files without Clients Being Able to Access

Question

I want to use model-viewer or three.js to showcase some of my 3d models on a personal website. In order to display 3d models on the web, the client needs to fetch the files from the server (the 3d mesh and the texture images)

But I don't want my visitors being able to access any of these files. I hope you can point me in the right direction. Here are some ideas I had, but I don't think they'll work:

(1) Using something like crypto-js to encrypt and decrypt files

• But when decrypting files on the frontend aren't users able to decrypt the files, too?
• The key has to be transferred to the frontend code somehow, doesn't it?

(2) Splitting the files up into little pieces and recomposing them on the client

• Same issue as with #1
• The code for recomposition needs to sit on the client and can be used to access the files

---

When elaborating on those ideas, I am not quite sure if what I am trying to do is even possible 🤔

In case it is impossible... is there anything I can do to make it really hard for users to get access to the files?

Answer 1

The short answer is: If it is on a website, you don't stand a chance to protect it against a determined person with enough time on their hands. The only exception here was made for video-streams, which can use the 'Encrypted Media Extensions' API to get video to the screen without any parts of the browser being able to interact with raw data.

Whatever you do to protect the files, the code to read them needs to be sent to the browser as well. Eventually, the raw data will be somewhere in the memory of the js-runtime where it can be extracted using the built-in debugger. The same goes for any mechanism to somehow encrypt the code. It makes it more difficult, but not impossible. You could use WebAssembly to make that part of the code even harder to reverse-engineer, but I wouldn't need to do that:

In the end, the data needs to get to the webgl-api, so I could just use a browser-extension to intercept the relevant webgl-calls and obtain all the raw data there. You could go on and also encrypt the vertex-data in a way that can be decoded in the vertex-shader, but guess what: I can read the vertex-shader code as well.

And so the list goes on. There just is just no way to do it that cannot be somehow circumvented. But maybe you make it difficult enough for nobody to bother...

For me the most promising options seem to be:

• use LoFi or partial models for rendering in the browser alongside renders of the full-resolution model. I've seen that on several sites for downloading CAD-/3D-models. They used merged models, sometimes reduced vertex-count, low-res textures and so on while providing images of what the final result will look like once I paid for it.

• make up your own file-format or hide the file-format used in the network-view of the developer-tools. Google maps/earth for instance does that with their 3d-data (they are probably using something based on protobuf, but it's incredibly hard to reverse-engineer)

• and yes, I guess you could also use the WebCrypto-API with a pre-shared secret so it is at least not too obvious which of the files contain the 3d-data.