Comments on: Protecting Your PHP Code

By: Nate

Nate — Wed, 15 Aug 2007 03:50:16 +0000

@Walter: Your first point is essentially a counter-point to itself; in the case of most Open Source projects (especially the popular ones), the number of Good Guys vastly outweighs the number of Bad Guys, and the Good Guys are constantly on the lookout for security vulnerabilities, too.

The other benefit of Open Source is that good projects tend to attract the best minds and the best talent, which leads to the best possible software design. And secure design is what makes secure software. Compare that to the approach of closed-source vendors, who release their software to the public and patch as necessary. If this were an effective security strategy, Internet Explorer would have run out of vulnerabilities years ago.

By: Walter Wimberly

Walter Wimberly — Thu, 09 Aug 2007 17:20:23 +0000

Of all of the open source software I have used, I would say I have looked at less than 10% of the code, and modified even less. Generally, I am using that software because it works, not to tinker. I would be willing to bet that most people are like that. However, if I were a devious black hat hacker, I would be all over the code looking for ways to implement my dastardly plans. That part makes me most nervous about using Open Source anything.

I don’t release all of my software source code anymore for that part of that reason. I have unfortunately, had clients go and reuse software I had originally written for them. If I increase my prices to cover the possibility of theft, then it makes it difficult to secure clients. (I’ve gone to Open Office because it is hard for me to justify MS Office’s price.) If the code isn’t provided, and I encode some specific elements for the site into the code, as a security measure against theft, it allows me to keep the prices down. This is the same reason why stores put security tags on their merchandise; it’s cheaper than letting it walk out the door.

By: Paul Herron

Paul Herron — Mon, 30 Jul 2007 00:17:10 +0000

Thanks Chris. A great read!

By: Nate

Nate — Sun, 29 Jul 2007 00:43:14 +0000

@Jacklo: obscuring sensitive information in and of itself is a good thing, but that isn’t the point. The idea of “security by obscurity” refers to the practice of relying primarily or solely on obscuring key details about the structure of your system in order to secure your application; an ignorant and dangerous practice.

However, the operative phrase there is “primarily or solely,” since obscuring certain details of an application is often an important part of a defense-in-depth strategy.

@Chris: This is possibly the most poignant piece I have ever read on this subject, bravo. I could not agree more.

By: GfxDizayn » PHP kodunuzu koruyun

GfxDizayn » PHP kodunuzu koruyun — Tue, 24 Jul 2007 08:19:30 +0000

[...] Burada, yazd???n?z PHP kodunu nas?l koruyaca??n?z? anlat?yor. Yaz?n?n uyar?s?n? da dikkate al?n ama [...]

By: Jacklo

Jacklo — Tue, 24 Jul 2007 02:53:07 +0000

Well although I’m a great advocate of open source, I’ve got to say that there is certainly some security in obscurity.

It’s simply a fact that it’s far easier to find bugs/loopholes in someones code, if you can actually read the code in the first place. Surely that’s the point that is being made here?

If there is no security in obscurity, why bother turning off server signatures in Apache, or why not just leave that phpinfo page up?

I don’t advocate writing sloppy code and hiding it through encryption, but lets face it… most ‘bugs’ are simply features that weren’t intended. Features that are not part of the regular functionability of the application… Features usually found by studying the source code.

Just look at any security site and you’ll see hundreds of open source applications on there, many quite respected.

By: sam keen

sam keen — Mon, 23 Jul 2007 23:00:32 +0000

Thanks for the post Chris,
I missed that article in php|Architect, but I will certainly go back and read it now.

You must have laughed out loud when you read this nugget… “Serious business demands closed source” I’ll have to read it in context in the article, but that’s just bad….

By: developercast.com » Chris Hartjes’ Blog: Protecting Your PHP Code

developercast.com » Chris Hartjes’ Blog: Protecting Your PHP Code — Mon, 23 Jul 2007 12:59:41 +0000

[...] a new post to his blog, Chris Hartjes, spurred on by an article in the latest edition of php|architect [...]

By: anty

anty — Sat, 21 Jul 2007 18:42:03 +0000

I would not compare an average PHP programmer with Microsoft, but I agree with you.
I think most companies are buying PHP code not only because they don’t want the work done on their own, but because they want to be sure that they can come to you with any problems regarding the code.

This is also one of the major arguments (in my opinion) there is against open source code. If you buy code, you buy a warranty that the code will work.

If the code has bugs it will be fixed, or I can at least ask the author.

I don’t know this for sure, but I think vBulletin code isn’t secured and they are still selling their work.
That’s an example that business is working without encrypted code.

BTW: doesn’t make encryption your code slower at runtime, or is Zent using a “compiled/unencrypted” version internally?