Magento Encoding Scripts on the Fly and Generating Download Link - php

I am thinking about selling Magento modules on my website and need your advice on what would be the best way to do it.
Here is what I thought:
Install Magento store on my website
When a client purchases the module from my store - he is required to enter his domain name
If the order is successfully processed and payment is received - Magento or a standalone script encodes the purchased module using ionCube or Zend Guard "On-The-Fly" and generates a license to work on the provided domain name only.
Is there a script that can do all of this? Or should I write my own code? What do you think about encoding scripts in order to protect your work?
Any thoughts and suggestions are welcome.
Thanks

This is really a matter of opinion and debatable, however below is my feeling towards such:
Disadvantages of encrypting your code:
Obviously: It is (almost) impossible to modify or extend for custom needs, without having to contact the original developer which adds more cost to your end user as well as causing more time for “custom” development.
3rd party server software like Zend Optimizer is needed in order to execute the encrypted code. Which can be a headache by itself.
Confusion during transfer for binary and text data, ultimately corrupting your binary encrypted data.
It is impossible to have others contribute to your code to improve it, and/or help with bug finding and fixes.
As a store owner or maintainer I’m less confident you are not utilizing any of my data collected from my stores.
Maintenance becomes chaotic. Having to re-encrypt every release can be quite painstaking. This is especially true if you have a bug fix that needs to be offered to all of your customers using it – however, the ones with “Custom” versions will require re-encryption for all. Unless you're using some kind of release management that handles this automatically for you. Most don’t I’m sure.
Full article: http://www.molotovbliss.com/magento-module-developers-stop-encrypting-and-domain-jailing
With that said, I've changed my mind on phone home calls since I posted this article.
I'm okay with modules making phone calls home to a developer's site to check for licensing, if you have a simple observer that did such and was done properly (By properly I mean don't break my site because your phone home server is down, and don't make my end users wait for the validation), I wouldn't see any problem with obfuscating this portion of code as long as it didn't interfere with the module's overall functionality, i.e., it is strictly there for checking a license, no module functionality encrypted. I believe Boris (unigry) does such and works well, even though I've had to jump through many hoops at times to get ionCube loader working on different environments, so this is still something to consider not doing, and just having hope in people's integrity and honesty to not pirate.
With that said, domain wide acceptance should be standard, I shouldn't need to send in support requests to get my subdomain added to your white list of domains. Personally if you can obfuscate and encode without the need of an apache/php module is a huge plus. General end users won't know where to remove such code at times.
To answer your question, a home brew script and process would be ideal, as using a cookie cutter solution would be easier to reverse engineer.
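Added example (not part of the answer above, and not code from any module it mentions): a phone-home licence check built around the answer's two conditions, that a dead licence server must not break the store and that subdomains of the licensed domain are accepted without a whitelist request. The function names, the cache file layout and the `{"valid": ...}` reply shape are assumptions; the demo uses stub servers and constructed values so it runs offline.

```php
<?php
// Added example. Cache layout, reply shape and all names are assumptions.

/** True when $host is the licensed domain itself or any subdomain of it. */
function host_is_licensed(string $host, string $licensedDomain): bool
{
    // Drop an optional :port and a trailing dot, compare case-insensitively.
    $host = strtolower(rtrim((string) preg_replace('/:\d+$/', '', $host), '.'));
    $licensedDomain = strtolower(rtrim($licensedDomain, '.'));
    if ($host === $licensedDomain) {
        return true;
    }
    // Match on a dot boundary so "notexample.com" does not pass for "example.com".
    $suffix = '.' . $licensedDomain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Builds the phone-home callable. It returns true/false when the licence
 * server answered and null when it was unreachable or sent something unreadable.
 */
function http_license_check(string $endpointUrl, float $timeoutSeconds = 2.0): callable
{
    return function (string $key, string $host) use ($endpointUrl, $timeoutSeconds): ?bool {
        $context = stream_context_create(['http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query(['key' => $key, 'host' => $host]),
            'timeout' => $timeoutSeconds, // never hang on a dead server
        ]]);
        $body  = @file_get_contents($endpointUrl, false, $context);
        $reply = $body === false ? null : json_decode($body, true);
        return is_array($reply) && isset($reply['valid']) ? (bool) $reply['valid'] : null;
    };
}

/**
 * Returns 'valid', 'invalid', 'wrong-domain' or 'unverified'.
 * Intended to run from cron or an admin page, not on storefront requests,
 * so shoppers never wait for the validation.
 */
function license_status(string $key, string $host, string $licensedDomain,
    string $cacheFile, callable $remoteCheck, int $ttl = 86400, ?int $now = null): string
{
    $now = $now ?? time();
    if (!host_is_licensed($host, $licensedDomain)) {
        return 'wrong-domain';
    }
    $cache = is_file($cacheFile)
        ? json_decode((string) file_get_contents($cacheFile), true) : null;
    $cached = is_array($cache) && ($cache['key'] ?? null) === $key ? $cache : null;
    if ($cached !== null && $now - (int) ($cached['checked_at'] ?? 0) < $ttl) {
        return !empty($cached['valid']) ? 'valid' : 'invalid'; // fresh, no network call
    }
    $answer = $remoteCheck($key, $host);
    if ($answer === null) {
        // Server unreachable: reuse the last known answer, otherwise fail open.
        if ($cached !== null) {
            return !empty($cached['valid']) ? 'valid' : 'invalid';
        }
        return 'unverified';
    }
    file_put_contents($cacheFile, json_encode(
        ['key' => $key, 'valid' => $answer, 'checked_at' => $now]), LOCK_EX);
    return $answer ? 'valid' : 'invalid';
}

// Demo with constructed values and stub servers (no network needed).
$cacheFile  = sys_get_temp_dir() . '/license-demo-' . getmypid() . '.json';
$serverUp   = function (string $key, string $host): ?bool { return $key === 'DEMO-KEY-0001'; };
$serverDown = function (string $key, string $host): ?bool { return null; };

// 1. First run while the licence server is down: the module keeps working.
echo license_status('DEMO-KEY-0001', 'shop.example.com:8080', 'example.com', $cacheFile, $serverDown, 86400, 1000), "\n";
// 2. Server reachable: the answer is stored in the cache.
echo license_status('DEMO-KEY-0001', 'shop.example.com', 'example.com', $cacheFile, $serverUp, 86400, 2000), "\n";
// 3. Server down again, cache still fresh: answered locally.
echo license_status('DEMO-KEY-0001', 'shop.example.com', 'example.com', $cacheFile, $serverDown, 86400, 3000), "\n";
// 4. A look-alike host is not a subdomain of the licensed domain.
echo license_status('DEMO-KEY-0001', 'notexample.com', 'example.com', $cacheFile, $serverUp, 86400, 4000), "\n";
@unlink($cacheFile);
```

What the module does with `unverified` or `invalid` (for instance an admin notice) is left to the caller; `http_license_check()` is the real transport and is replaced by stubs in the demo.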

Related

How to secure PHP Source Code? [duplicate]

First of all, I'm not looking for miracle... I know how PHP works and that there's not really a way to hide my code from the clients without using encryption. But that comes with the cost of an extension to be installed on the running server.
I'm looking for something different though... I'm not looking to encrypt my code or even obfuscate it. There are many PHP scripts without encrypted/obfuscated code but they are commercial applications. For instance, vBulletin and/or IP.Board forum applications.
I just want to know what approach do these guys use for their applications...
I'm also open to any other suggestions.
Please note that I'm a single person and not working for a company. My product is also very specific, it won't sell that much. I just want you guys to know that I can't afford to consult a legal professional either to sue someone or prepare a commercial license. I'm just looking for a simple way to protect my simple product, if it's indeed possible, somehow...
Obfuscating things can only inconvenience your legitimate, law-abiding customers, while the people who would rip you off are not your target paying customers anyway. (edited out other thoughts about obfuscation)
Another suggestion for protecting your software: create a business model in which the code is an incomplete part of the value of your offering. For example, sell product licenses along with access to some data you manage on your site, or license the product on a subscription model or with customer support.
Designing a EULA is a legal matter, not a coding matter. You can start by reading some EULA text for products and websites you use. You might find some interesting details!
Creating a proprietary license is highly flexible, and probably a subject beyond the intended scope of StackOverflow, since it's not strictly about coding.
Some parts of a EULA that come to mind:
Limiting your liability if the product has bugs or causes damage.
Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
Giving you rights to audit their site, so you can enforce the licenses.
What happens if they violate the EULA, e.g. they lose their privilege to use your software.
You should consult a legal professional to prepare a commercial EULA.
edit: If this project can't justify the expense of a lawyer, check out these resources:
"EULA advice" on joelonsoftware
"How to Write an End User License Agreement"
You need to consider your objectives:
1) Are you trying to prevent people from reading/modifying your code? If yes, you'll need an obfuscation/encryption tool. I've used Zend Guard with good success.
2) Are you trying to prevent unauthorized redistribution of your code? A EULA/proprietary license will give you the legal power to prevent that, but won't actually stop it. A key/activation scheme will allow you to actively monitor usage, but can be removed unless you also encrypt your code. Zend Guard also has capabilities to lock a particular script to a particular customer machine and/or create time limited versions of the code if that's what you want to do.
I'm not familiar with vBulletin and the like, but they'd either need to encrypt/obfuscate or trust their users to do the right thing. In the latter case they have the protection of having a EULA which prohibits the behaviors they find undesirable, and the legal system to back up breaches of the EULA.
If you're not prepared/able to take legal action to protect your software and you don't want to encrypt/obfuscate, your options are a) Release it with a EULA so you have a legal option if you ever need it and hope for the best, or b) consider whether an open source license might be more appropriate and just allow redistribution.
I have not looked at the VBulletin source code in some time, but the way they used to do it around 2003 was to embed a call to their server inside the code. IIRC, it was on a really long code line (like 200-300+ chars long) and was broken up over several string concatenations and such.
It did nothing "bad" if you pirated it - the forum still worked 100%. But your server's IP was logged along with other info and they used that to investigate and take legal action.
Your license number was embedded in this call, so they could easily track how many IPs/websites a given licensed copy was running on.
If you can't create a "cloud app" that you host yourself and they access via the Web, then you could look into creating a virtual appliance using a virtual server (from VMWare, Parallels, Sun, etc) and install a "lite" version of Linux on that. Put your PHP code in the virtual environment and install the virtual machine on their server. Make sure to create a way to prevent loading into root. Of course, this would involve physically visiting the client yourself.
They distribute their software under a proprietary license. The law protects their rights and prevents their customers from redistributing the source, though there is no actual difficulty doing so.
But as you might be well aware, copyright infringement (piracy) of software products is a pretty common phenomenon.
The only way to really protect your PHP applications from others is to not share the source code. If you post your code somewhere online, or send it to your customers by some medium, people other than you have access to the code.
You could add a unique watermark to every single copy of your code. That way you can trace leaks back to a single customer. (But will that help you, since the code is already outside of your control?)
Most code I see comes with a licence and maybe a warranty. A line at the top of the script telling people not to alter the script will maybe be enough. Myself, when I find non-open source code, I won't use it in my projects. Maybe I'm a bit dupe, but I expect people not to use my non-OSS code!
In my opinion, just in case your PHP program is written for a standalone model... the best solution is c) You could wrap the PHP in a container like Phalanger (.NET). As everyone knows, it binds tightly to the system, especially if your program is intended for Windows users. You can just make your own protection algorithm in a Windows programming language like .NET/VB/C# or whatever you know in the .NET language family.
Zend Guard does not support php 5.5 and is easy to reverse, go for http://www.ioncube.com for obfuscation. http://wwww.phplicengine.com can license the scripts remotely or locally.
See our SD PHP Obfuscator. Handles huge systems of PHP files. No runtime requirements on PHP server. No extra runtime overhead.
[EDIT May 2016] A recent answer noted that Zend does not handle PHP5.5. The SD PHP Obfuscator does.
I have created a library for this purpose. It uses OPCache only, in order to convert PHP to opcodes. The library compiles your PHP code to opcodes and removes code from all PHP files included in your project. All produced opcode files are saved on the server's filesystem and used by OPcache!
https://github.com/notihnio/php-cactus
So let me see, we want to show Adam and Eve there's some forbidden fruit in a tree, and we'd like a way to prevent them from eating...
How about having an angel with a flaming sword?
Might sound naive, and I dunno what your application does actually, but what about the extensive use of includes?
For the legitimate user, is all the software that should be visible or only parts of it?
Because you could obfuscate and give a copy of source code to legitimate
You could wrap the php in a container like Phalanger (.NET)
Perhaps you're concerned with external theft, meaning your code freely visible over the web as customers use it. This could be worth investing in a cheap web site hosting, for $50 a year, registering your legit customers with a serial in their code and have your app posting info to your web site regularly. At least, you'd detect when code has been compromised. You could push it with a self destruct after n days, giving you enough time to contact your customer and change the serial. This could be the only obfuscated include() of the whole code

How to implement licensing in php downloadable application

If you want to implement a licensing module in a downloadable PHP application that needs:
to allow application to run only on specified domain(s)
to be impossible to remove or go around
to work without Zend Optimizer or Ioncube loader (i.e. without encoding whole application)
what do you think is the best way to do it? If an encoder is needed, do you see a solution where encoding is used only for licensing module related logic, i.e. allowing the application to be altered without compromising licensing?
Cheers
Anti-copy schemes just don't work. See numerous previous posts on this site & elsewhere.
You cannot stop people from copying your code.
You could, I suppose, obfuscate it, making it very difficult for them to change. And, maybe buried in there (or as a necessary .exe, without which your code won't function), you could 'phone home' and gradually build a database of IP addresses that are using your code - although I am not sure what that would get you.
Give up on the idea, plan to rely on lawyers if necessary, and put your efforts into developing your product.
I have taken advantage of the latest version of PHP 5.6 which has some new features that can be leveraged in to a licensing and distribution trialware. You can now distribute password protected files and demo applications.
Since there are some best practices to doing this correctly. I am distributing a demonstration website application showing how to setup your apps so they can be launched and checked in real-time for licenses codes just like a desktop application. As a matter of fact the protection extends to the desktop. I am selling the initial code to developers via binpress.com at fhqk.binpress.com. The online demo is http://fhqk.com/informationtechnology/ssl (Simple Secure Licensing)

Intern working for Indian NGO - Help with PHP 4, advising staff

For the past three months I've been working for an Indian NGO, doing some volunteer work in the field but also trying to improve their website, which needs a ton of work. Recently I've been trying to fix the "subscribe to newsletter" button, which is broken. I used filter_var to filter the email input, but when I tried to test this out I got an error. Then I learned that the web host is still using php version 4.3.2 and register_globals is turned on.
I've mentioned that they should upgrade their web host before. That would add a lot of complexity for the IT staff of 3, who would have to update everyone's email information (I assume? this is a 250-person organization), and have me find a new web host and teach them about it. The staff isn't that sophisticated about web usage - the head guy still uses IE6, and the website's laid out in tables (they use Dreamweaver WYSIWYG to lay out pages).
So I've got two options - use regular expressions to filter the email, which I'm not that skilled at doing (and would be more vulnerable to exploitation after I leave), turn off register globals and then try to teach the staff what I'm doing, or try to get them to upgrade their versions of PHP and MySQL and/or change web host. I'd appreciate some advice.
Thanks for your help,
Kevin
First, I'd make the application run properly and as safely as possible in that environment, with regexes if necessary.
Then, I'd talk to the IT people. They need to upgrade their web package at some point and that point is already long past. PHP 4.3.2 is out and not supported any more at all (see here). That means that if a vulnerability is detected, it's not guaranteed to get a fix (although it's still pretty likely due to the number of hosts not having switched yet).
Better do the switch now than later.
It's not really clear from your description how the people in the organization use E-Mail (do they have their own mail clients? Do they use web mail) but if they use their own mail clients, the "only" issue will be moving the mailboxes to a new host.
While that may take a few painful days to move all the mailboxes and redirects, and get everything running - including setting up everybody's workplace with the new data - it is not impossible to do, and will hardly add any long-term strain.
What I would do :
- fix your main issue asap : parse the email using a regexp, you can find some quite easily with google
- Discuss with the team about upgrading/migrating your host. Fixing the email problem first is allowing you to take your time in this matter.
I won't turn off register globals, because you might face many more problems on the other pages of the website. But this can remain in your 'todo list' as it would be a good update.
If security is a real big deal, then you need to introduce a layer to tackle intrusion. There are a few options in PHP land, but they all seem to require >5.1.4. Therefore I'd look at maybe installing mod_security if the web server layer is running apache. That way your application will be protected not just from POST injections, but GET injections and COOKIE exploitations as well. Secondly it'll future proof the application if next week they add another form to it without your knowledge.
It does sound though as if you've got your hands tied, and I'll be honest with you, if the company holds, or intends to hold any personal information about their users, or sensitive information about the company in an area accessible by the application, security is not a series of hacks or hotfixes, it's a serious commitment to a graceful and correct solution.
Best of luck.
The standard regex to check for RFC822 compliance is VERY ugly:
/^(?:[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[A-Za-z0-9-]*[A-Za-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/
from http://www.regular-expressions.info/email.html (hopefully it cut/pasted ok).
But implementing this will just delay your pain. A webhost still living in the register_globals = on days should be dumped as soon as possible. It's just begging to be subverted.
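Added example (not part of any answer above): a regex-based check for the newsletter form that runs on PHP 4.3, where filter_var does not exist, and that stays safe with register_globals on by reading the address only from the POST array. The field name `email`, the length limits and the pattern (deliberately simpler than the RFC 822 one quoted above) are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, written without type hints or filter_var so it also runs
// on PHP 4.3. Field name, limits and pattern are assumptions.

/**
 * Returns the cleaned address, or false when the input is missing or
 * not acceptable. Pass $_POST as the argument.
 */
function newsletter_email_from_request($post)
{
    // Read only from the POST array. With register_globals on, a bare
    // $email variable could just as well come from the query string or
    // a cookie, so it is never used here.
    if (!isset($post['email']) || !is_string($post['email'])) {
        return false;
    }
    $email = trim($post['email']);
    if (strlen($email) > 254) {
        return false;
    }
    // One "@", a local part of allowed characters, a dotted host name.
    // CR, LF and other control characters are outside every class, so a
    // value carrying extra mail headers is rejected. The D modifier stops
    // "$" from also matching just before a trailing newline.
    $pattern = '/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]{1,64}'
             . '@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+'
             . '[A-Za-z]{2,}$/D';
    if (!preg_match($pattern, $email)) {
        return false;
    }
    return $email;
}

// Constructed sample submissions, standing in for $_POST.
$samples = array(
    array('email' => ' volunteer@example.org '),
    array('email' => "volunteer@example.org\r\nBcc: someone@example.net"),
    array('email' => 'no-at-sign.example.org'),
    array('email' => array('volunteer@example.org')),
    array(),
);

foreach ($samples as $post) {
    $result = newsletter_email_from_request($post);
    echo ($result === false ? 'rejected' : 'accepted: ' . $result), "\n";
}
```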

What are best practices for self-updating PHP+MySQL applications?

It is pretty standard practice now for desktop applications to be self-updating. On the Mac, every non-Apple program that uses Sparkle in my book is an instant win. For Windows developers, this has already been discussed at length. I have not yet found information on self-updating web applications, and I hope you can help.
I am building a web application that is meant to be installed like Wordpress or Drupal - unzip it in a directory, hit some install page, and it's ready to go. In order to have broad server compatibility, I've been asked to use PHP and MySQL -- is that **MP? In any event, it has to be broadly cross-platform. For context, this is basically a unified web messaging application for small businesses. It's not another CMS platform, think webmail.
I want to know about self-updating web applications. First of all, (1) is this a bad idea? As of Wordpress 2.7 the automatic update is a single button, which seems easy, and yet I can imagine so many ways this could go terribly, terribly wrong. Also, isn't the idea that the web files are writable by the web process a security hole?
(2) Is it worth the development time? There are probably millions of WP installs in the world, so it's probably worth the time it took the WP team to make it easy, saving millions of man hours worldwide. I can only imagine a few thousand installs of my software -- is building self-upgrade worth the time investment, or can I assume that users sophisticated enough to download and install web software in the first place could go through an upgrade checklist?
If it's not a security disaster or waste of time, then (3) I'm looking for suggestions from anyone who has done it before. Do you keep a version table in your database? How do you manage DB upgrades? What method do you use for rolling back a partial upgrade in the context of a self-updating web application? Did using an ORM layer make it easier or harder? Do you keep a delta of version changes or do you just blow out the whole thing every time?
I appreciate your thoughts on this.
Frankly, it really does depend on your userbase. There are tons of PHP applications that don't automatically upgrade themselves. Their users are either technical enough to handle the upgrade process, or just don't upgrade.
I propose two steps:
1) Seriously ask yourself what your users are likely to really need. Will self-updating provide enough of a boost to adoption to justify the additional work? If you're confident the answer is yes, just do it.
Since you're asking here, I'd guess that you don't know yet. In that case, I propose step 2:
2) Release version 1.0 without the feature. Wait for user feedback. Your users may immediately cry for a simpler upgrade process, in which case you should prioritize it. Alternately, you may find that your users are much more concerned with some other feature.
Guessing at what your users want without asking them is a good way to waste a lot of development time on things people don't actually need.
I've been thinking about this lately in regards to database schema changes. At the moment I'm digging into WordPress to see how they've handled database changes between revisions. Here's what I've found so far:
$wp_db_version is loaded from wp-includes/version.php. This variable corresponds to a Subversion revision number, and is updated when wp-admin/includes/schema.php is changed. (Possibly through a hook? I'm not sure.) When wp-admin/admin.php is loaded, the WordPress option named db_version is read from the database. If this number is not equal to $wp_db_version, wp-admin/upgrade.php is loaded.
wp-admin/includes/upgrade.php includes a function called dbDelta(). dbDelta() scans $wp_queries (a string of SQL queries that will create the most recent database schema from scratch) and compares it to the schema in the database, altering the tables as necessary so that the schema is brought up-to-date.
upgrade.php then runs a function called upgrade_all() which runs specific upgrade_NNN() functions if $wp_db_version is less than target values. (ie. upgrade_250(), the WordPress 2.5.0 upgrade, will be run if the database version is less than 7499.) Each of these functions run their own data migration and population procedures, some of which are called during the initial database setup script. Nicely cuts down on duplicate code.
So, that's one way to do it.
Yes it would be a security feature if PHP went and overwrote its files from some place on the internet with no warning. There's no guarantee that the server is connecting correctly to your update server (it might download code crafted by someone else if DNS poisoning occurred) - giving someone else access to your client's data. Therefore digital signing would be important.
The user could control updates by setting permissions on the web directory so that PHP only has read access to the files - this procedure could simply be documented with your program.
One question remains (I really don't know the answer to): can PHP overwrite files if it's currently using them (e.g. if the update.php file itself needed to be updated)? Worth testing.
I suppose you've already ruled this out, but you could host it as a service. (Think wordpress.com)
I'd suggest that you package your application with pear and set up a channel. Your users can then upgrade the application through a standard interface (pear). It's not entirely automatic (unless the users have some kind of automation running on top of pear), but it's standard, so any sysadmin can maintain it.
I think your best option is an update checking mechanism that will alert the administrator when there are update(s).
As you mention, there are a number of potential security problems. Due to those alone, I would suggest not doing this. Instead, try creating a fairly smart upgrading script.
Just my 2 cents: I'd consider an automatically self updating application within my CMS as a security hole, so if you decide to code this feature, you should consider to implement different levels of this behavior:
Automatically update
Check for updates and notify
Disable
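Added example (not part of any answer above, and not WordPress code): the digital-signing check and the three update levels from the answers, combined into one decision function. It verifies an Ed25519 signature over a small manifest with PHP's sodium extension (PHP 7.2+), checks that the downloaded package matches the manifest hash, and refuses anything that is not newer than the installed version. The manifest fields, function name and return strings are assumptions; the key pair and package bytes are constructed for the demo.

```php
<?php
// Added example. Manifest format, names and return values are assumptions.

/**
 * Decides what to do with a downloaded update.
 * $mode is 'auto', 'notify' or 'disabled' (the three levels listed above).
 * Returns 'apply', 'notify', 'skip: ...' or 'reject: ...'.
 */
function decide_update(string $mode, int $installedVersion, string $manifestJson,
    string $signature, string $package, string $vendorPublicKey): string
{
    if ($mode === 'disabled') {
        return 'skip: updates disabled';
    }
    // 1. The manifest must be signed by the vendor key shipped with the
    //    application. Lengths are checked first because sodium throws on
    //    wrong-sized arguments.
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($vendorPublicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES
        || !sodium_crypto_sign_verify_detached($signature, $manifestJson, $vendorPublicKey)) {
        return 'reject: bad signature';
    }
    // 2. Only now is the manifest content trusted enough to parse.
    $manifest = json_decode($manifestJson, true);
    if (!is_array($manifest) || !isset($manifest['version'], $manifest['sha256'])) {
        return 'reject: bad manifest';
    }
    // 3. The package must be the one the signed manifest describes.
    if (!hash_equals((string) $manifest['sha256'], hash('sha256', $package))) {
        return 'reject: package does not match manifest';
    }
    // 4. No reinstall of the same version and no downgrade to an older one.
    if ((int) $manifest['version'] <= $installedVersion) {
        return 'skip: not newer than installed version';
    }
    return $mode === 'auto' ? 'apply' : 'notify';
}

// Demo with constructed data. In a real product the secret key stays on the
// vendor's build machine and only the public key ships with the application.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

$package   = 'constructed bytes standing in for the update archive';
$manifest  = json_encode(['version' => 120, 'sha256' => hash('sha256', $package)]);
$signature = sodium_crypto_sign_detached($manifest, $secretKey);

// Genuine update, automatic mode.
echo decide_update('auto', 110, $manifest, $signature, $package, $publicKey), "\n";
// Same update, but the administrator chose "check and notify".
echo decide_update('notify', 110, $manifest, $signature, $package, $publicKey), "\n";
// Package swapped in transit (for example after DNS poisoning).
echo decide_update('auto', 110, $manifest, $signature, $package . 'x', $publicKey), "\n";
// Manifest edited after signing.
$forged = json_encode(['version' => 999, 'sha256' => hash('sha256', $package . 'x')]);
echo decide_update('auto', 110, $forged, $signature, $package . 'x', $publicKey), "\n";
// Replay of an old, validly signed update onto a newer install.
echo decide_update('auto', 120, $manifest, $signature, $package, $publicKey), "\n";
```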

