t0m3kk Posted May 2, 2012 Share Posted May 2, 2012 Hi, I want to ask is there a need to secure my module to prevent a free module distribution? If I need to secure my modules from that - how to do that? Regards, George! Link to comment Share on other sites More sharing options...
Mike Kranzler Posted May 2, 2012 Share Posted May 2, 2012 Hi George, As open-source software, there really isn't much that can be done to secure a module. However, if you ever suspect someone of distributing your module illegally, please contact us immediately and we will look into it for you. -Mike Link to comment Share on other sites More sharing options...
t0m3kk Posted May 2, 2012 Author Share Posted May 2, 2012 Hi George, As open-source software, there really isn't much that can be done to secure a module. However, if you ever suspect someone of distributing your module illegally, please contact us immediately and we will look into it for you. -Mike Hi, Mike, I mean: If I sell mine module to user-1 and user-2, and then user-2 start distributing my module to his friends is there any way to prevent that distribution? Regards, George! Link to comment Share on other sites More sharing options...
Mike Kranzler Posted May 2, 2012 Share Posted May 2, 2012 Hi, Mike, I mean: If I sell mine module to user-1 and user-2, and then user-2 start distributing my module to his friends is there any way to prevent that distribution? Regards, George! Unfortunately, not on our end, because PrestaShop is open-source software. However, we have passed along individuals to large companies such as TemplateMonster to let them decide whether or not to prosecute when we have caught them engaging in this sort of activity. While we cannot fully prevent it, we will not ever stand for it, and will act whenever someone comes to us with this sort of concern about one of their modules or themes. -Mike Link to comment Share on other sites More sharing options...
t0m3kk Posted May 2, 2012 Author Share Posted May 2, 2012 But is there any way to prevent this... Method which can use a random string as a cd-key or something? Regards, George! Link to comment Share on other sites More sharing options...
Dh42 Posted May 2, 2012 Share Posted May 2, 2012 Long story short is no. Short story long is, prestashop's module store does not suppport generating keys and for good reason they would be useless. Say you sell a module that takes a key ok fine you give userA a key with it. The he gives it an his key to userB, you have solved nothings. But say you want to make it more secure, so you have it contact your server to check the key. In theory that would work. But at the same time people that knew the difference would not buy your module. It is a security hole in their shop. No one wants their secured environment contacting outside sources. Then you would have to deal other issues too. How are you going to license the module? Per processor? Per core? Per domain? Per ip? I have multiple shops running on the same 8 core server. I have multiple PS installations running on the same domain and same ip address. How many modules would I have to buy? Just either start your own shop or sell it in the PS shop and forget about it. No one is ever going to stop piracy, its is the way of the web. Link to comment Share on other sites More sharing options...
El Patron Posted May 2, 2012 Share Posted May 2, 2012 http://pecl.php.net/package/bcompiler I'd also argue that if someone buys a module, due to the competitive nature of ecommerce, they are highly unlikely to give it to another shop. But re-selling someone else's work, off official add on...is much more likely. The other model is to just give the stuff away and charge for services and support. Link to comment Share on other sites More sharing options...
Dh42 Posted May 2, 2012 Share Posted May 2, 2012 On a side note, what is the general opinion on this, because I have to admit that I do it. Say I am asked to add a feature to a shop. I find a module that looking at what I want to do is close. So I buy that module then edit it to what I need. At what point does it become "not that module that you bought" anymore? Is there a certain point of code that you have to change? Because honestly as developers we have all looked at someone elses' site before and said "hey I like that I want to use that" and implemented it in some form or fashion. Link to comment Share on other sites More sharing options...
t0m3kk Posted May 3, 2012 Author Share Posted May 3, 2012 Long story short is no. Short story long is, prestashop's module store does not suppport generating keys and for good reason they would be useless. Say you sell a module that takes a key ok fine you give userA a key with it. The he gives it an his key to userB, you have solved nothings. But say you want to make it more secure, so you have it contact your server to check the key. In theory that would work. But at the same time people that knew the difference would not buy your module. It is a security hole in their shop. No one wants their secured environment contacting outside sources. Then you would have to deal other issues too. How are you going to license the module? Per processor? Per core? Per domain? Per ip? I have multiple shops running on the same 8 core server. I have multiple PS installations running on the same domain and same ip address. How many modules would I have to buy? Just either start your own shop or sell it in the PS shop and forget about it. No one is ever going to stop piracy, its is the way of the web. Yes, it's a security hole but I think: If serverA get a new PS installation and install the secured module (only logo.gif and module-name.php which contains only few lines to send the code), when somebody start configuration of module the first thing which will see is a one input filed to type the code and 1 button for submit it. When he submit the code serverA (PS install server) starts a query to serverB (server for checks) - start 3 operations: copy module files to random folder (the name of folder can be a sha1 hash of query) write information from the query - IP of server, name of server, domain, username and key and etc. check the code And if everything is "okey" with the code the serverB will return a new generated xml file with location of files to copy. Example of .xml: <?xml version="1.0" encoding="UTF-8" ?> <file> <location>http://serverB.com/location/file.txt</location> <locationInModuleFolder>page/test</locationInModuleFolder> <name>CopyTheXML</name> <format>php</format> </file> <file> <location>http://serverB.com/location/file2.txt</location> <locationInModuleFolder>style</locationInModuleFolder> <name>moduleName</name> <format>css</format> </file> So the script parse the xml and copy files (it's not a problem to copy files from remote server when the files is .txt of similar extension), rename files to their normal names and extensions. serverB clean copy files 30 minutes after receiving of query. That is my point if anybody were make script like this and can share advantages for the technology and principles. http://pecl.php.net/package/bcompiler I'd also argue that if someone buys a module, due to the competitive nature of ecommerce, they are highly unlikely to give it to another shop. But re-selling someone else's work, off official add on...is much more likely. The other model is to just give the stuff away and charge for services and support. And what we do if someone wants to edit the module? Regards, George! Link to comment Share on other sites More sharing options...
daanbiesterbos Posted June 4, 2014 Share Posted June 4, 2014 Well actually. There are some things that you can do. The problem is that php is not a compiled language. Therefore, each and every security measure you take, can be stripped out very easily. However there are ways to obfuscate or even encrypt your sourcecode. Even if the method itself is not bulletproof, most sane people won't bother to reverse engineer the actual source etc. It is just not worth the time. There are plenty of hits when you google PHP source obfuscation. You might want to take a look at zend guard. It is not free, but the runtime decoder is. But your customers would be required to install the (free) Zend guard decoder. I'm not sure whether this would be the only downside. Haven't tried it. Let me know when you find a better alternative. Link to comment Share on other sites More sharing options...
Recommended Posts