Perhaps wrong section but... "On Proprietary Applications"

mdchesney
Forum Newbie
Posts: 1
Joined: Tue Jul 22, 2008 5:16 pm

Post by mdchesney »

I have been developing PHP web applications for some time now, but mostly as part of an employer's project. I know the code, the maintenance, and everything (well, does anyone know everything? I guess I know "enough") that goes into making a functional web application in PHP. Only recently I have begun making web apps on my own and distributing them to clients. My employer simply hosted the PHP files, thus preventing third-party access while ensuring a lengthy maintenance contract. I, on the other hand, would simply like to dev-and-drop, so to speak, so I'm looking for a way to do closed-source PHP distribution. I looked into some encoders (at $200 and upwards!) but there must be an easier way? Or am I forced to resign my intellectual right with the closing of each contract?

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Perhaps wrong section but... "On Proprietary Applications"

Post by alex.barylski »

1. Obfuscation: Relatively easy to unscramble and see the source.
2. Encryption: Still possible to decrypt.
3. Encoders: Still possible to decode.
4. Compilation: Virtually impossible to unwind.

I've been looking into RoadSend PHP compiler for some time. Personally I think hosting the software is the best bet.

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Perhaps wrong section but... "On Proprietary Applications"

Post by Mordred »

4. --> Nothing is impossible :)

Actually any protection method will do, as long as the cost of deprotecting approaches the cost of redeveloping or buying the software. Boutique vs. mass-market software changes the equation (whether to take into account the redevelopment cost or the market price) and gives a different level of motivation for a pirate (Would he resell a stolen mass-market product? Is he hired to deprotect a one-shot boutique software with no resale value?) and therefore a different deprotection cost.

So sometimes custom-made obfuscation will work well enough.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Perhaps wrong section but... "On Proprietary Applications"

Post by alex.barylski »

Mordred wrote:
> 4. --> Nothing is impossible :)
>
> Actually any protection method will do, as long as the cost of deprotecting approaches the cost of redeveloping or buying the software. Boutique vs. mass-market software changes the equation (whether to take into account the redevelopment cost or the market price) and gives a different level of motivation for a pirate (Would he resell a stolen mass-market product? Is he hired to deprotect a one-shot boutique software with no resale value?) and therefore a different deprotection cost.
>
> So sometimes custom-made obfuscation will work well enough.

I did say "virtually" impossible. Regardless of how knowledgeable anyone is in assembler, I give my 100% guarantee you or anyone else could *not* return my source back to its original form. In fact I'll offer a 20,000 reward to anyone who can. Of my own money. :)

The architecture, design and cleanliness of my code (which is what I'm protecting -- not the implementation) would be impossible to return to how I have it now.

So I would say "The above methods are not the same".

Compilation will make it impossible to steal my source whereas obfuscation, encryption and encoding generally don't protect the design or architecture just the implementation -- which is the easy part anyways.

Anyone can craft an application to update the body of its web site using AJAX, but how gracefully one accomplishes that task varies tremendously.