Spoofing online activation protection
    <p>OK, I want to use online activation to protect my software. The users will need an internet connection and need to verify that they have an active account/license to continue using the software. So my software will send out some credentials to my website, where I will verify and send back <em>SOMETHING</em> to allow the program to run or not.</p> <p>Here's the problem. How do I prevent someone from spoofing the simple SOMETHING that I send back, bypassing my verification altogether?</p> <p>Two examples:</p> <ol> <li><p>I remember seeing a program somewhere that allows you to monitor internet traffic and modify it before the traffic returns to the software. I cannot remember the name. In effect, it's a man-in-the-middle between what goes out and comes into your computer, before the application sees it. For example, your browser sends an HTTP request, this program can intercept it and modify the out packet, or vice versa, some HTTP webpage is returned to the browser, and this program can intercept and change the incoming packet and then pass it along to the browser.</p></li> <li><p>The HOSTS file can be changed to redirect traffic to any address. So if someone knows that my verification will return the text "ok_to_use" or "not_ok_to_use", and they know the URL that I use to verify, then they can just use the HOSTS file to bypass DNS lookup of my website, redirect it to their own site, and always return the string "ok_to_use"</p></li> </ol> <p>The second example illustrates the problem. I think I need to somehow return something other than a static string. Obviously I can encrypt the string, but it won't take long to figure out that "ok_to_use" equals "7hgx3a" if that is the same encrypted string that always gets sent back.
So I would need to send something back that changes all the time.</p> <p>EDIT/</p> <p>To the comments/responses saying that there will always just be a final if/then check in the app that flags whether the license is valid or not: Yes, that's true. I was hinting towards something like this in the last paragraph of the original post. Perhaps having the web PHP send back some critical functionality, so that even if the if/then is skipped, if the web check wasn't performed, then the algorithm for some function won't get downloaded, and the app won't work correctly. Anyone have ideas in this vein?</p>
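One way to get a reply that "changes all the time", as the question puts it: the client sends a fresh random nonce and the server signs its verdict together with that nonce, so a recorded or HOSTS-redirected "ok" fails verification. This is an added example, not code from the post; the function names, the license ID and the in-process key pair are constructed for illustration. It covers only the network-level spoofing from the two examples, not patching of the client's final check.

```javascript
// Added example: nonce-bound, signed activation response (Ed25519, Node.js crypto).
// All names here (issueResponse, verifyResponse, the license ID) are hypothetical.
const crypto = require('crypto');

// Constructed key pair. In a deployment the private key stays on the licensing
// server and only the public key is embedded in the client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Canonical byte string that gets signed: status, license, nonce, expiry.
function payloadBytes(r) {
  return Buffer.from(JSON.stringify([r.status, r.licenseId, r.nonce, r.expires]));
}

// Server side: sign the verdict together with the client's fresh nonce.
function issueResponse(licenseId, nonce, active, now = Date.now()) {
  const r = { status: active ? 'ok' : 'denied', licenseId, nonce, expires: now + 60000 };
  r.sig = crypto.sign(null, payloadBytes(r), privateKey).toString('base64');
  return r;
}

// Client side: a new random nonce for every activation check.
function newNonce() {
  return crypto.randomBytes(16).toString('hex');
}

// Client side: accept only a validly signed, unexpired "ok" for this nonce and license.
function verifyResponse(r, licenseId, nonce, now = Date.now()) {
  if (!r || typeof r.sig !== 'string') return false;
  let sigOk = false;
  try {
    sigOk = crypto.verify(null, payloadBytes(r), publicKey, Buffer.from(r.sig, 'base64'));
  } catch { sigOk = false; }
  return sigOk && r.status === 'ok' && r.licenseId === licenseId &&
         r.nonce === nonce && r.expires > now;
}

// Constructed walk-through of the cases raised in the question.
function demo() {
  const lic = 'LIC-EXAMPLE-0001';
  const n1 = newNonce(), n2 = newNonce();
  const good = issueResponse(lic, n1, true);
  return {
    genuine: verifyResponse(good, lic, n1),                  // true
    replayed: verifyResponse(good, lic, n2),                 // false: stale nonce
    forged: verifyResponse({ ...good, nonce: n2 }, lic, n2), // false: signature no longer matches
    flipped: verifyResponse({ ...issueResponse(lic, n2, false), status: 'ok' }, lic, n2), // false
  };
}
```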