I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).

  • How easy/hard is it for someone who has full access to the system (like the sysadmin or a hacker that hacks the sysadmin) to decrypt the source? I don't know how encryption software works, but I'm assuming it uses some key, which would have to stay on the server and is therefore accessible to a sysadmin or a hacker. If you're technically knowledgeable about the how-to, don't hesitate to offer an explanation in your answer.

  • Does the use of such source encryption slow down the site? If anyone has first-hand experience or knows from someone that has first-hand experience ;)

I'm interested in the technical aspects of this: how effective encryption is, and its disadvantages, from those who have used these products or considered using them.

Thanks (all helpful answers/comments are up voted)

Edit: the answers so far seem to be ignoring what I'm trying to understand. I'm trying to understand the effectiveness of encryption. I don't really have any code that needs protection from the bad guys; the above was just an example, so advice like "open source it" or "hire a lawyer" doesn't really address my technical curiosity. A+ to anyone who gets the point.

A: 

The only thing you can do against the hosting company is to have a good license and a lawyer.

solomongaby
you mean lawyer?
hop
+1  A: 

If it can be executed it can be decompiled. Stick to your legal team for rights access, not encryption :) Better yet, open source your project :P

EDIT: 'Encryption' also adds heavily to execution times!

Al
+2  A: 

Why exactly do you need to encrypt your source code? If you are sporting this as a safe-guard against potential hackers, then please believe when I say that if they really wanted to decrypt your source code, they would do it. It is possible with ionCube, last time I checked.

As far as performance impacts, I believe Zend is a tad bit faster than ionCube due to it not requiring any extra files. But like I said before, don't rely on encryption for anything.

Furutsuzeru
Thanks finally to someone who got my question :) So what do I need to decrypt code and how long would that take?
Chris
That depends; there are services that do this for a charge, and there is a piece of software called Dezender that can decrypt files. I would rather not go onto actual steps of reverse-engineering code, though.
Furutsuzeru
Is there something similarly available for the ionCube. This is for an edu project, not external use.
Chris
A: 

As far as I know, PHP encoders do not actually encode your PHP code. They just change variable names and add unnecessary rubbish code, so that it becomes VERY hard for anyone to find out what the code does. The problem is that they cannot hide any password (be it the hard-coded admin password or the database connection data).

So they do not ensure that your code is safe, they just make it very hard for anyone to understand it.

FlorianH
I thought the ones that change variable names and add rubbish were the obfuscators, no? I thought encryptors did something else, they used a key or something and supposedly were better at what they're supposed to do, no?
Chris
+3  A: 

Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead. Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. It's only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.

Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. They're hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.

People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.

If you want to see examples of what one PHP obfuscator does, see Thicket PHP Obfuscator.

Ira Baxter
+1 for a great explanation. Is the point about scale your own observation or is it documented somewhere?
Chris
It's my observation, but I think widely accepted by the reverse engineering community. If you have a large, well designed, well documented program, it is hard to understand. There are tons of tools to help people "understand" non-obfuscated code, and most people will tell you those tools don't really work that well.
Ira Baxter
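The distinction drawn in the answer above (obfuscation renames identifiers and strips comments, yet the result runs unchanged and ships no decoder) can be seen with PHP's own tokenizer. This is an added example, not code from the original answers or from any of the named products; the variable-renaming scheme and the sample script are constructed for illustration.

```php
<?php
// Added example: a minimal identifier-renaming obfuscator on PHP's own tokenizer.
// It strips comments, collapses layout and renames variables; the output runs
// unchanged and ships no decoder or key. Toy: heredocs/"${}" are not handled.
function obfuscate(string $src): string {
    $keep = ['$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
             '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV']; // PHP reads these
    $map = [];
    $out = '';
    foreach (token_get_all($src) as $tok) {
        if (is_string($tok)) { $out .= $tok; continue; } // punctuation, operators
        [$id, $text] = $tok;
        switch ($id) {
            case T_COMMENT:
            case T_DOC_COMMENT:
            case T_WHITESPACE:
                $out .= ' ';          // comments and layout carry no behaviour
                break;
            case T_VARIABLE:
                if (in_array($text, $keep, true)) { $out .= $text; break; }
                // The same original name always maps to the same opaque name.
                $map[$text] ??= '$_' . substr(md5('salt:' . $text), 0, 8);
                $out .= $map[$text];
                break;
            default:
                $out .= $text;
        }
    }
    return $out;
}

// Evaluate a complete "<?php ..." file in its own scope; return its return value.
function run(string $code) {
    return eval('?>' . $code);
}

// Constructed sample script: a rough password-strength score, not real logic.
$sample = <<<'PHP'
<?php
$password = 'Tr0ub4dor&3';
$length = strlen($password);        // longer is better
$classes = 0;                       // character classes present
foreach (['/[a-z]/', '/[A-Z]/', '/\d/', '/\W/'] as $pattern) {
    if (preg_match($pattern, $password)) { $classes++; }
}
return $length * $classes;
PHP;
$obfuscated = obfuscate($sample);
echo $obfuscated, "\n";
var_dump(run($sample) === run($obfuscated)); // same result, names gone
```

Run it with the `php` command-line binary; the printed script has no comments and no meaningful variable names, yet both evaluations return the same value, which is exactly why obfuscation costs nothing at runtime and leaves nothing to recover.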
+2  A: 

Neither Zend Guard nor ionCube uses encryption, in its mathematical sense, to protect your code. What they do, besides the obfuscation already described by other answers, is encoding.

This is a process that's normally done automatically by the PHP interpreter each time your script is accessed: your PHP script is compiled into a bytecode format, which is then executed. What encoders like Zend Guard and ionCube essentially do is an equivalent process, only that it's done once, and then only the "compiled" bytecode is made available/uploaded to the server.

This means that actually recreating the very same code that you once wrote is entirely impossible. What is not impossible, and this goes for obfuscation as well, is reverse-engineering the compiled or obfuscated code to figure out what it's doing.

To summarize, I'd say that these products are very good at protecting your code - as opposed to protecting your logic.

eliego
It sounds like this would have significant performance benefits, is that the case?
Chris Thompson
I'm not sure, but I'd think so. Products like Zend Optimizer use this technique to achieve their performance benefit, and I can't see why you wouldn't get the same results with Zend Guard.
eliego