Protecting ASP Applications: Need Opinions

"Bill K" <wk******@nospam.nc.rr.comwrote in message
news:md*****************@southeast.rr.com...

Hello All,

I've finally written an asp app that is worthy of resale and would like to
hear from you who have done the same. What is the best way to protect my
application? I would like to stay away from anything that has to be
registered on the server as most of my target audience will not have
physical access to their web servers. They will just upload the code to
their server and set directory permissions for the database.

I 've purchased asp scripts myself in the past and had to provide a domain
name where it would be running. It would not run on any other domain but

the

one I provided. Is this a practical approach or is there a better way? How
is it done? I've also seen posts about putting some of the vb code into an
activeX dll. Is this a solid solution? Again, How is this done?

Just putting some of your code into a DLL doesn't really give you a great
deal of protection from illicit copying. If someone has access to the ASP
they can probably copy the dll as well. Such a dll would also have to
implement some kind of licencing scheme. With that in place and having a
significant number of pages in your app depend on services supplied by the
DLL you can give your app some reasonable copy protection.

I appreciate anyone sharing their experience...

Thanks in advance,
-Bill-

"Anthony Jones" <An*@yadayadayada.comwrote in message
news:uc**************@TK2MSFTNGP04.phx.gbl...

>

>>

Just putting some of your code into a DLL doesn't really give you a great
deal of protection from illicit copying. If someone has access to the ASP
they can probably copy the dll as well. Such a dll would also have to
implement some kind of licencing scheme. With that in place and having a
significant number of pages in your app depend on services supplied by the
DLL you can give your app some reasonable copy protection.

Putting code in a DLL is a very effective if not foolproof technique for
securing the application (when utilising an in-built licencing mechanism),
but unless the customer has OS-level access to the server they won't be able
to install the DLL. Very few hosts will allow DLLs to be installed. Some
will, but even then, they want the source code so they can complile the DLL
themselves...

Thanks for your responses but I can't have folks doing server side installs
or dll reg.
Does anyone have any ideas on how to do the domain name (or ip address)
method described below?

I'm thinking maybe I keep a crucial part of the code on my own server, then
if the request comes from a licensed domain they have permission to execute
the code. What do you all think?

>
I 've purchased asp scripts myself in the past and had to provide a domain
name where it would be running. It would not run on any other domain but
the one I provided.

Hi Bill,

I think the main problem is that the source code is fully exposed. If
one knows a bit about VBS/ASP it's not difficult to see where the
check is and to simply divert it. There are some "encoders",
"encryptors" and "obfuscators" out there. I found that each & every of
these merely uses the Windows Encoder to make the ASP code illegible.
This is very easily reversed. It doesn't take the least bit of a
functioning brain. PHP has some nifty encoding/encrypting/obfuscating
options. The better ones are commercial products. It would be nifty if
such a thing was developed for ASP. I'm not sure however if this is at
all possible without registering components. Even if you register some
sort of "decrypter" on your own server, won't that server be killed by
each & every pagerequest that is made somewhere to some of your
encrypted script? Has anyone ever tried an effort to make protection
of source possible?

- Alex.

On Wed, 05 Jul 2006 03:26:44 GMT, "Bill K" <wk******@nospam.nc.rr.com>
wrote:

>Thanks for your responses but I can't have folks doing server side installs
or dll reg.
Does anyone have any ideas on how to do the domain name (or ip address)
method described below?

I'm thinking maybe I keep a crucial part of the code on my own server, then
if the request comes from a licensed domain they have permission to execute
the code. What do you all think?

>>
I 've purchased asp scripts myself in the past and had to provide a domain
name where it would be running. It would not run on any other domain but
the one I provided.