• There was a topic about the License Verification (not so) Secret Key. The discussion was closed for replies, while the issue was not resolved.
    Indeed the key is rather useless, because it is sent in the clear, un-encrypted.
    A public/private key mechanism is needed here, so requests can be filtered at an early stage, before accessing the database.
    For the time being, I adapted the plugin to receive and store a unique (client) computer ID, based on board number, processor number etc., hashed with SHA256. Together with a server-side (=me) entered (client’s) e-mail address, things are a little bit more secure and I know more certainly that a request comes from a certain computer. Still, the initial activation may have come from a hacker’s machine, posing as a middleman. Anyway, it gives me –some– more certainty that the licenses are safe.
    BTW-1, I use SLM in combination with a C# technical client-side application.
    BTW-2: All error messages should be prepended with a unique error code (e.g. “SLM06: the activation is….”). This makes it possible to isolate this part and use it for localization of the messages.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi,

    There was a topic about the License Verification (not so) Secret Key. The discussion was closed for replies, while the issue was not resolved.

    Can you share the link to the above mentioned topic?

    Thank you

    Thread Starter erik2055

    (@erik2055)

    Yes, and I found another relevant posting too. Here they are:
    https://www.ads-software.com/support/topic/why-the-need-for-the-secret-key-for-license-verification-requests/
    and
    https://www.ads-software.com/support/topic/is-the-secret-key-public/

    Some more comments on the issue:
    The Verification key is NOT the only way the server can know that communication is coming from a legitimate source, because
    1: the key is sent “in the clear” and therefore it is not a secret anymore.
    2: you, the server plugin, rely on the client, who has the key, to keep it a secret. Can’t do that!

    I’ve been thinking and reading about the issue: the only thing you can make sure of is that the communication can be read by you (the server-side plugin), by encrypting the communication with the server’s public key client-side and decrypt server-side with the private key (X509) at the earliest moment, right after receiving the request and before accessing the license database.
    You could also sign an un-encrypted request with X509.
    You cannot prevent the client accessing your server, because free access is what WWW and WordPress are all about.
    I’m not very experienced in PHP/WP-Plugins, but I think there is a library for this (Bouncy Castle?)

    Suggestions:
    1: Don’t send error text messages to the client. Just short error codes. The server doesn’t know the client, in principle. It may even be a Swahili-language program. Let the client generate the message from the error code. Quicker too.
    2: Send error codes with ALL server-to-client communications.
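As an added illustration (not code from this thread, from the SLM plugin or from the poster), here is the signing variant erik2055 describes, written in Go with the standard library instead of the plugin's PHP or the poster's C# client: the client signs a canonical request with a key created at activation, and the server verifies that signature first, before it touches the license database. The hardware identifiers, e-mail address and nonce are constructed sample values, and storing the client's public key at activation is an assumption about how the scheme would be wired in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// VerifyRequest is the canonical body the client signs; the nonce keeps requests distinct so replays can be refused.
type VerifyRequest struct{ Email, MachineID, Nonce string }

func (r VerifyRequest) digest() []byte {
	h := sha256.Sum256([]byte(r.Email + "\n" + r.MachineID + "\n" + r.Nonce))
	return h[:]
}

// Sign runs client-side with the key generated at activation; the private half never leaves the client.
func Sign(priv *ecdsa.PrivateKey, r VerifyRequest) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, r.digest())
}

// Verify is the server's first step, before any license-database access; a shared
// "secret key" carried in the request proves nothing, a signature under the registered key does.
func Verify(pub *ecdsa.PublicKey, r VerifyRequest, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, r.digest(), sig)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: a genuine request verifies; a tampered body and a signature from another machine's key are rejected.
func Demo() (genuine, tampered, otherKey bool) {
	client := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	registered := &client.PublicKey // all the server keeps from activation (assumed design)
	hw := sha256.Sum256([]byte("BOARD-0001|CPU-ABCD")) // constructed hardware IDs, hashed as in the post
	req := VerifyRequest{"user@example.com", hex.EncodeToString(hw[:]), "nonce-1"}
	sig := must(Sign(client, req))
	genuine = Verify(registered, req, sig)
	forged := VerifyRequest{"other@example.com", req.MachineID, req.Nonce} // body altered in transit
	tampered = Verify(registered, forged, sig)
	stranger := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	otherKey = Verify(registered, req, must(Sign(stranger, req)))
	return
}
```

Demo() returns true, false, false: only the request signed by the registered key for that exact body is accepted.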

    Thread Starter erik2055

    (@erik2055)

    Sorry, the line
    “the only thing you can make sure of is that the communication can be read by …”
    must be:
    “the only thing you can make sure of is that the communication can be read ONLY by …”

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi,

    Suggestions:
    1: Don’t send error text messages to the client. Just short error codes. The server doesn’t know the client, in principle. It may even be a Swahili-language program. Let the client generate the message from the error code. Quicker too.
    2: Send error codes with ALL server-to-client communications.

    I have submitted a message to the developers to investigate further your suggestions.

    Thank you

  • The topic ‘Security: connect license and computer’ is closed to new replies.