free alternatives to ioncube

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

free alternatives to ioncube

Post by Pyrite »

Are there any FREE alternatives to ioncube?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

APC has been mentioned as that specific role.
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Hmm, I should have stated, a free alternative to ioncube's php encoder.

I looked at PHTML Encoder, but with the free version, anyone with PHTML Encoder and decode your files.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Last I saw, all of the encoders have been decoded.
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

meaning, none of them are secure?
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

No encoder is truly secure anyways.. there is potential for any encoder to be broken
AlecH
Forum Commoner
Posts: 27
Joined: Fri Feb 24, 2006 4:22 pm
Location: New Hampshire

Post by AlecH »

Yes however, I would have to say that Zend Encoder is probably so the most secure and reliable mostly because not many people have access to it because its just so expensive. Thats where it also faults when relating to this topic. But mainly, your right jcart.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Afaik, Zend encoder isn't any safer than others... They know it's broken but continue to sell the product..
ioncube
Forum Newbie
Posts: 1
Joined: Wed May 24, 2006 4:18 am

Post by ioncube »

timvw wrote:Afaik, Zend encoder isn't any safer than others... They know it's broken but continue to sell the product..
Just to bring this thread up to date, encoding systems such as ionCube and Zend weren't broken per se, but people such as the Chinese "blue wind" produced a decompiler that given an opcode stream could have a go at recreating what source code could have been. They then used tricks to obtain opcodes at runtime for feeding into the decompiler. Whilst no system can ever give 100% protection as other industries have learned from the efforts of people like Jon "so sue me" Johansen, we combatted the current threat very effectively with the release of Encoder 6.5 back in January.

ionCube PHP Encoder 6.5 added features that keep the actual compiled code obfuscated even at runtime and so making it significantly harder to discover valid opcodes, as well as new user features for one-way user key based obfuscation of certain source elements, (function names and local variables). Additionally a new feature not found in other systems was added to support encryption of arbitrary files and not just PHP files, which is great for protecting template or XML files. In late April or early May, Zend responded by renaming their product and adding source element obfuscation simlar to ours, although not with a one way algorithm and without adding protection against opcode discovery.

We'd like to close source PHP, take the chance to improve it along the way and substantially improve security by doing this, but unfortunately the practical requirements of end users and the nature of target PHP systems restrict the extent to which security features can be added and there's no way for the general market that we could do this. So there's always a balancing act between security techniques and practicality, but we're committed to protecting as far as possible the IP of developers against those seeking to destroy PHP as a serious application language.
Post Reply