I have a product I'm selling. Users purchase a license key and enter that into the config to enable the product.

My first idea was..

The product pings the license server w/ the license key on launch, and fails if the server returns a Not Authorized (expired license, invalid etc). But what if the license server is down..?

Another idea was to just check the license once, or maybe every 30 days, or just every time it is entered (app reinstalled etc).

Is there any safer way (in regard to at least SOME decent protection from script kiddies) of going about this? I've never sold software, but I know how easy it is to reverse-engineer/modify software to avoid requiring a license. And to complicate things, this is in PHP.

A: 

Check out Zend Guard; it's from the creators of PHP, and it allows you to do both code obfuscation and licensing.

Zyris Development Team
A: 

What about a file containing an expiry date and a digital signature created on the server with an asymmetric key? On the install base you check the date in the file and the signature. The signature can be checked by having only the public key. The problem with this is of course that if someone would re-sign the file with their own key and replace the public key, then they could make your product work forever. But I don't know if a script kiddie can do this.

klausbyskov
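
The signed-file scheme from the answer above, sketched as an added example (not code from the original post or from any product named on this page). It assumes Ed25519 signatures from PHP's bundled sodium extension; the function names, the `customer`/`expires` fields and the `payload.signature` layout are hypothetical.

```php
<?php
// Added example: offline check of a signed license file.
// Assumed layout: base64(JSON payload) . '.' . base64(Ed25519 signature).
function issue_license(array $fields, string $secretKey): string
{   // Server side only: the secret key never ships with the product.
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Product side: needs only the public key, so it works with no server reachable.
function check_license(string $license, string $publicKey, int $now): array
{
    $parts = explode('.', $license);
    if (count($parts) !== 2) {
        return [false, 'malformed'];
    }
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return [false, 'malformed'];
    }
    // Verify the signature before trusting anything inside the payload.
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return [false, 'bad signature'];
    }
    $fields = json_decode($payload, true);
    if (!is_array($fields) || !is_int($fields['expires'] ?? null)) {
        return [false, 'malformed'];
    }
    if ($now > $fields['expires']) {
        return [false, 'expired'];
    }
    return [true, 'ok'];
}

// Constructed demo data: a throwaway key pair and a sample license.
$pair = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($pair);
$pk = sodium_crypto_sign_publickey($pair);
$license = issue_license(['customer' => 'example-co', 'expires' => 1900000000], $sk);
var_dump(check_license($license, $pk, 1800000000)); // checked before the expiry date
var_dump(check_license($license, $pk, 1900000001)); // checked after the expiry date
// Expiry edited in the payload while the original signature is kept.
[$p, $s] = explode('.', $license);
$forged = base64_encode(str_replace('1900000000', '2900000000', base64_decode($p))) . '.' . $s;
var_dump(check_license($forged, $pk, 1800000000));
```
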
A: 

There are some tools you can use for protecting PHP code. One of them is called ionCube, and there's at least one other, but I can't remember what it was called.

Harper Shelby
+4  A: 

For a new product the answer is always:

Don't worry about copy protection. Unless people are actively already pirating your product there is no reason to add a 'phone-home' feature.

Large companies tend to be paranoid about having the proper licenses, so they will pay you for licenses. Most small companies are ethical and any license issues are probably an oversight. Right now you should be far more worried about getting your name out and getting people familiar with your product. Someone using your product at home who would have never paid for a license is a good thing for you right now. Get people using your code, make it so businesses would have a hard time changing to something else, then worry about making sure they aren't using it for free. This is a version 3 problem, if you make it that far.

tloach
+2  A: 

Your model has been tried before. If you are really worried about people stealing your software then yes, your best bet would be to go ahead and ping your license server every time the application starts up. Yes, there is that downside of your server going down and people would not be able to use your application.

For my software I prefer to ping the server the first time the person registers his key in my software and if they are going to get updates for my software. This basically allows my users to use their applications freely until they reinstall or get those "awesome" new updates! If they don't get updates they can use the tool without contacting the internet. It is the best situation that I could come up with.

Regardless of what you do, there is always a workaround! Hackers will just modify their hosts files, point your license server locally. They will obviously crack or share your keys. It is a sad world that we live in. So in order to keep your users interested you have to provide them with better content to keep track of illegal use. I recommend after the first time doing this in the background; the users won't be able to get updates anyway, so at this point in time, there is no point in telling them you are re-authenticating.

I guess I should add on a couple things. I don't recommend you to host your own license server. You should always outsource this to a larger company if possible. One which will have a guarantee to you that their servers will be operational for a long time. Also, make sure to always have multiple license servers, that way if one goes down another one can kick in.

My company, even if it goes down, is obligated by contract to always keep those software licensing servers alive for up to 10 years. I know many companies give out yearly licenses to their users; this is another great way to get your users to update or face the consequences.

Again, all of this is a lot of work, and you should make sure that your tool really needs this amount of authentication because so far there isn't really anything that can't be broken.

Andrew
So if your company goes under I can't reinstall my copy? No thanks, not for a large company that is likely to outlive your company.
tloach
I am sorry, forgot to add on. There is much more to it than that. Well, even if my company goes down, the license server is hosted by a larger company which will not. As long as the software is there you will always be fine. You can give a user certain guarantees as well. I know ReSharper has certain licenses that last, let's say, a year or two.
Andrew