PHP Source Encryption - Effectiveness and Disadvantages
Asked Answered
T

6

6

I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).

  • How easy/hard is it for someone who has full access to the system (like the sysadmin or hacker that hacks the sysadmin) to decrypt the source? I don't know how encryption software work, but I'm assuming they use some key, which would have to stay on the server and is therefore accessible to a sysadmin or a hacker. If you're technically-knowledgeable about the how-to, don't hesitate to offer an explanation in your answer.

  • Does the use of such source encryption slow down the site? If anyone has first-hand experience or knows from someone that has first-hand experience ;)

I'm interested in the technical aspects of this, how effective encryption is.. and its disadvantages, from those who used them or considered using them

Thanks (all helpful answers/comments are up voted)

Edit: the answers so far seem to be ignoring what I'm trying to understand.. I'm trying to understand the effectiveness of encryption. I don't really have any code that needs protection from the bad guys, the above was just an example, so advice like open source it or hire a lawyer don't really address my technical curiosity.. A+ to anyone who gets the point

Twelve answered 11/10, 2009 at 19:0 Comment(4)
If you don't trust your hosting company, don't use them. If you don't trust any hosting company, then be your own host. If you don't trust yourself...Mauritamauritania
nobody is interested in your codePanegyric
why do you want to do this? Paranoia?Ringed
@hop in fact there are many people interested in his code. Ever hear of the facebook code debuting as a new SNS startup in china a few years back? valid question.Copycat
P
7

Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead. Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. Its only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.

Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. Programs are hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.

People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.

If you want to see examples of what one PHP obfuscator does, see our Thicket PHP Obfuscator.

Plethora answered 11/10, 2009 at 20:0 Comment(2)
+1 for a great explanation. Is the point about scale your own observation or is it documented somewhere?Twelve
It my observation, but I think widely accepted by the reverse engineering community. If you have a large, well designed, well documented program, it is hard to understand. There's tons of tools to help people "understand" non-obfuscated code, and most people will tell you those tools don't really work that well.Plethora
A
7

Neither Zend Guard nor ionCube uses encryption, in it's mathematical sense, to protect your code. What they do, except the obfuscation already described by other answers, is encoding.

This is a process that's normally done automatically by the PHP interpreter each time your script is accessed - your PHP script is compiled into a bytecode format, that's then executed. What encoders like Zend Guard and ionCube essentially does is an equivalent process, only that it's done once, and then only the "compiled" bytecode is made available/uploaded to the server.

This means that actually recreating the very same code that you once wrote is entirely impossible. What is not impossible, and this goes for obfuscation as well, is reverse-engineering the compiled or obfuscated code to figure out what it's doing.

To summarize, I'd say that these products are very good at protecting your code - as opposed to protecting your logic.

Artery answered 11/10, 2009 at 20:10 Comment(2)
It sounds like this would have significant performance benefits, is that the case?Razz
I'm not sure, but I'd think so. Products like Zend Optimizer use this technique to achieve their performance benefit, and I can't see why you wouldn't get the same results with Zend Guard.Artery
M
2

Why exactly do you need to encrypt your source code? If you are sporting this as a safe-guard against potential hackers, then please believe when I say that if they really wanted to decrypt your source code, they would do it. It is possible with ionCube, last time I checked.

As far as performance impacts, I believe Zend is a tad bit faster than ionCube due to it not requiring any extra files. But like I said before, don't rely on encryption for anything.

Menticide answered 11/10, 2009 at 19:34 Comment(3)
Thanks finally to someone who got my question :) So what do I need to decrypt code and how long would that take?Twelve
That depends; there are services that do this for a charge, and there is a piece of software called Dezender that can decrypt files. I would rather not go onto actual steps of reverse-engineering code, though.Menticide
Is there something similarly available for the ionCube. This is for an edu project, not external use.Twelve
V
1

If it can be executed it can be decompiled. Stick to your legal team for rights access, not encryption :) Better yet, open source your project :P

EDIT: 'Encryption' also adds heavily to execution times!

Voltaism answered 11/10, 2009 at 19:29 Comment(0)
D
0

The only thing you can do against the hosting company is to have a good license and lawyer

Dreadful answered 11/10, 2009 at 19:13 Comment(0)
P
-1

As far as I know, PHP encoders do not actually encode you PHP code. They just change variable names and add unnecessary rubbish code, so that it becames VERY hard for anyone to find out, what the code does. The problem is that they cannot hide any password (be it the hard coded admin password, or the database connection data).

So they do not ensure that your code is safe, they just make it very hard for anyone to understand it.

Pearce answered 11/10, 2009 at 19:43 Comment(1)
I thought the ones that change variable names and add rubbish were the obfuscators, no? I thought encryptors did something else, they used a key or something and supposedly were better at what they're supposed to do, no?Twelve

© 2022 - 2024 — McMap. All rights reserved.