Sending a product key in an email to new customer

views:

318

answers:

+5 Q:

Sending a product key in an email to new customer

I'm looking to put together the simplest online software purchasing system that could possibly work.

My plan is to allow website visitors to download the software freely from my site. The software will contain a 30 day expiry trial period, this can be removed by entering a product key.

(I know this will not stop determined hackers, I'm just looking to ensure generally honest people, will buy the software)

If the user decides they like it enough to buy, they can then simply transfer the purchase amount to a bank account, using standard internet banking.

When notification of payment is received, I would then manually send a unique product key to the customer.

My problem is that I am not overly comfortable with product keys being sent in a clear text email over the internt.

I've noticed many other small software vendors seem to use exactly this approach and don't seem to see it as a concern, so perhaps I'm being too paranoid?

On the other hand, if this is a valid concern, what other options have people used or know of, to increase the security of this final step in the process?

Would, say, creating a JPEG containing the product key and attaching it to the email be at all useful?

+3 A:

A product key is not of much value to a hacker who can probably hack your software anyway. That's the rationale behind sending cleartext product keys. That key is not tied to any really private or financial information of the customer (in any reversible way at least).

Alternatively, if the user registers for your site, you can give them the product key when they login. This has the advantage of being harder to lose.

cletus 2009-01-08 09:05:43

Fair point. "Honest" users are not likely to be filtering internet packets I guess.

Ash 2009-01-08 09:08:56

Agree that product keys available on the company website are best - otherwise you are bound to lose it at some point

revs 2009-01-08 09:12:32

+3 A:

In my opinion: user creates an account for your web page, purchases the product (over https), sees the authentication key (over https), logsout!

if forgets the key or somehow needs again; logins and looks it back again from web page

erdogany 2009-01-08 09:07:19

That's an approach I could use if/when the software actually sells. Initially I'm looking for a very simple approach that doesn't even require HTTPS.

Ash 2009-01-08 09:11:00

+3 A:

If you have the scope to enhance your application a little, I've seen a number of products that provide some kind of machine related ID that is then used to generate the product key. The installation on that machine will only validate with that one product key. This also stops users from using your software on multiple machines and sharing the software with their friends using the same product key.

ck 2009-01-08 09:10:52

Yes, I've read a bit about this. It's a type of "activation" process that ties the key to the hardware/os profile of the customer. It's probably a bit of overkill for my needs, intially at least.

Ash 2009-01-08 09:16:36

Jason S 2009-01-08 14:09:42

@JasonS - of course you would need some good customer management, in our situation we have spoken with the vendor, provided a new machine ID and received a new activation code with no hassle.

ck 2009-01-08 16:58:33

+2 A:

Generally speaking, an honest user who wants to use your software wouldn't refuse to pay you because he accidentally intercepted a product key, and people who decide that they won't pay you will crack your software one way or another. So it seems to me that there's really not much to worry about.

PolyThinker 2009-01-08 09:13:07

+2 A:

Create a website where a user makes a payment and gets the product key in reverse captcha.(Product Key displayed as an image)

Benefits: Avoids copy paste of product key and circulation.

I guess its better to add the ip address or machine id/mac address as part of the encrypting text.

2009-01-08 09:17:42

Interesting suggestion, only problem is I would need to build this into the website. Until I know the software actually sells, I'd like to keep it VERY simple.

Ash 2009-01-08 09:21:11

+1 A:

Sending clear text serial keys should not be an issue. Since you are looking for a simplest solution which would work, I think this is the way to go.

DotNET 2009-01-08 09:18:00

+7 A:

We have used this approach:

Application creates a public and private key. And stores this on the system (encrypted)
Application creates an email to us, containing the public key
We encrypt the product-key using his public key, and send a mail back
The encrypted key is then copy & paste into the Application, decrypted using private key

We can be certain only the requestor can read the product key.

I must admit this is a kind of special application. We provide it for free, but we need to know who uses it.

GvS 2009-01-08 09:19:08

Interesting, I hadn't thought about public/private key pairs, thanks for the reminder.

Ash 2009-01-08 09:24:27

It doesn't have to be public key. You could just derive a shared key from, say, user's name, email, address, phone, etc. Or even customize your software for each user with an embedded key.

PolyThinker 2009-01-08 15:32:46

+2 A:

I suggest to use a real protection software product instead, like SoftwarePassport (previously named Armadillo). At a small cost, it will give you very robust and advanced protection system, much more robust than what you will ever build yourself.

For example, you can make your product key specific to the user hardware very easily, while still allowing the user to re-install or move to another computer (he must only deactivate the first version).

I have used it and was more than satisfied with it. It was simple, well documented and powerful.

Bluebird75 2009-01-08 09:21:07

ansaurus

tags:

views:

answers:

Sending a product key in an email to new customer

related questions