What Is Obfuscation?  


Obfuscation, in simple terms, is the process of making code, information, or online activity difficult to read, understand, or detect in the first place.

The intended goal of this practice is to hide sensitive data from people you don't want to see it. In general, online obfuscation takes one of three different forms: data obfuscation, code obfuscation, and network obfuscation.

What Are the Different Types of Obfuscation?

The first, and likely most common type of obfuscation online, is data obfuscation. "Data" is a broad term that encompasses a massive amount of information transmitted online. Data obfuscation is the act of obscuring the actual bits and bytes using techniques like encryption, tokenization, and data masking.

Data Obfuscation

Encryption

Encryption is meant to secure the contents of your data, even if a hacker or bad actor manages to steal it. Imagine sending a package with an unbreakable lock; even if a hacker intercepts it in transit, they still won't be able to view what's inside, thanks to the encryption's obfuscation.

Encryption is all about protecting Personally Identifiable Information, or PII. When data is encrypted, it's hidden behind a wall of complex cryptographic math known as a "cipher". If the sending and receiving parties have the correct keys for the cipher, decrypting the data in an encrypted transmission is a breeze.

But without the key, a hacker would need to try every possible permutation of the key in a cipher to gain access. For example, if your connection is encrypted with AES-256, that means a computer would be searching through more possible solutions than there are atoms in the observable universe.

Encryption is everywhere in our online lives, from the small padlock icon you see in your web browser's URL bar to the metaphorical armed guards standing outside our online banking system to keep accounts safe.

Tokenization

Next up is tokenization. Tokenization replaces sensitive data with a unique, non-sensitive placeholder called a "token." The original, sensitive data is stored separately, in a secure "vault" of sorts. Applications use only the token, reducing exposure of the original information.

For example, while an online or retail store gathers your full credit card information to authorize a transaction, the store uses a token (like Customer_456_Card) to charge you, while the full card number is kept safe in a secure payment vault separate from the main website.
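The vault arrangement described above can be sketched in a few lines of Python. This is an added example, not code from the original article; the TokenVault class, the "vault-secret" credential, the token format, and the test card number are all constructed for illustration.

```python
import hmac
import secrets


class TokenVault:
    """Toy in-memory vault mapping random tokens to card numbers (PANs)."""

    def __init__(self, api_key: str):
        self._api_key = api_key   # credential required to detokenize
        self._by_token = {}       # token -> PAN, never leaves the vault
        self._by_pan = {}         # PAN -> token, so one card maps to one token

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits in self._by_pan:
            return self._by_pan[digits]
        # The token is random, not derived from the PAN, so it cannot be
        # reversed without the vault. Only the last four digits are kept.
        token = f"tok_{secrets.token_urlsafe(16)}_{digits[-4:]}"
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token: str, api_key: str) -> str:
        # Only a caller holding the vault credential gets the real PAN back.
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("caller may not detokenize")
        return self._by_token[token]   # KeyError for unknown tokens


def checkout_demo():
    """The store database holds the token only; the PAN stays in the vault."""
    vault = TokenVault(api_key="vault-secret")   # hypothetical credential
    token = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    store_db = {"customer_456": token}
    return vault, token, store_db


if __name__ == "__main__":
    vault, token, store_db = checkout_demo()
    print("store keeps:", store_db)
    print("vault returns:", vault.detokenize(token, "vault-secret"))
```

A breach of the store database in this model exposes tokens and last-four digits, not card numbers, which is why the vault and its credential are kept on a separate system.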

Code Obfuscation

Code obfuscation is more commonly seen as the "how" of the security and privacy equation, guarding the secrets of how the software that protects our personal information actually works. If encryption is made to protect information in transit or while it's being stored on a secure drive, code obfuscation is the process that keeps the operating system you're using to access the encrypted hard drive safe from outside attacks.

When obfuscating code, developers will use a range of technologies and techniques to throw hackers off the scent. These include:

  • Renaming: Changing all the logical variable and function names (like ProcessPayment()) into meaningless, short names (like a(), b(), or x1()).
  • Control Flow Obfuscation: This process involves breaking up the program's logic. Imagine taking a simple 1-2-3-4 set of instructions, chopping it up, and adding a bunch of "jump" commands so the code runs as 3-1-4-2. It still works, but it's nearly impossible to follow.
  • Junk Code: A tactic nearly as old as coding itself, junk code is designed to misdirect hackers into traps and loops. By inserting code that looks like a lead but goes nowhere, programmers can protect the core of their codebase using a language only they or their collaborators would fully understand.
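The three techniques in this list, applied to one small function, look like the following. This is an added example, not code from the original article: process_payment and its 2% fee are hypothetical, and same_behaviour is the kind of differential check an analyst can use to confirm that a cleaned-up version matches the obfuscated one.

```python
def process_payment(amount_cents, balance_cents):
    """Readable original: validate, add a 2% fee, return the new balance."""
    if amount_cents <= 0:                      # step 1
        raise ValueError("invalid amount")
    fee = amount_cents * 2 // 100              # step 2
    total = amount_cents + fee
    if total > balance_cents:                  # step 3
        raise ValueError("insufficient funds")
    return balance_cents - total               # step 4


def a(b, c):
    # Renaming: process_payment -> a, amount_cents -> b, balance_cents -> c.
    # Control flow obfuscation: the steps sit in a dispatcher loop in source
    # order 3-1-4-2 and are reached by "jumps" on the state variable s.
    s, d, e = 7, 0, 0
    x1 = (b ^ c) & 0          # junk code: always 0, never changes the result
    while True:
        if s == 3:            # step 3: compare total with balance
            if e > c:
                raise ValueError("insufficient funds")
            s = 9
        elif s == 7:          # step 1: validate the amount
            if b <= 0:
                raise ValueError("invalid amount")
            s = 5
        elif s == 9:          # step 4: return the new balance
            return c - e + x1
        elif s == 5:          # step 2: compute fee and total
            d = b * 2 // 100
            e = b + d
            s = 3
        else:                 # junk code: unreachable branch that looks live
            s = (s * 31 + x1) % 11


def same_behaviour(cases):
    """Differential check: both versions must agree on result or error."""
    def run(f, args):
        try:
            return ("ok", f(*args))
        except ValueError as exc:
            return ("err", str(exc))
    return all(run(process_payment, c) == run(a, c) for c in cases)
```

Both functions return the same results and raise the same errors; only the effort needed to read them differs.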

Code obfuscation is often used to protect intellectual property (IP), prevent piracy, guard against malware detection, or hide anti-cheat logic. But it isn't bulletproof, and an analyst can often eventually reverse-engineer obfuscated code with enough time and patience.

Network Obfuscation

Last up is network obfuscation, which can hide the "what" of what you're doing online. This is less common than the other two, but it's still a useful technique to ensure you control every aspect of your data from the moment it comes into or leaves any device you use daily.

When accessing the internet in regions or on services that use Deep Packet Inspection (DPI) to determine the content of your connection, VPNs are easily detectable because of specific signatures in their traffic patterns.

Stealth Virtual Private Networks (VPNs) are made to obfuscate not only the data you transmit and receive over the VPN network, but also the fact that you're using a VPN in the first place. Firewalls meant to detect unauthorized VPN tunnels will see Stealth VPN connections as innocuous HTTPS traffic, the same used to access most of the web at large.

However, Stealth VPNs usually trade performance for security and will be slower than a standard VPN connection. If you're streaming or gaming and don't need the added layer of privacy and obfuscation, it's recommended to avoid Stealth VPN offerings.

Conclusion

Obfuscation is a necessary, critical component of keeping the internet safe from malicious actors and activities. Without encryption, code obfuscation, or network obfuscation, much of the information security and freedom we rely on in the web economy wouldn't be possible today.

For every hacker out there who wants to steal your most personal secrets, there's an army of mathematicians, cryptographers, and researchers dedicated to keeping them safe. Obfuscation is the art and science that makes it all possible on the internet as we know it today.