
How to program a super simple software activation system?

Tags: c++, php

I have a piece of shareware that I wrote that I'd like to distribute on the internet. I have a serial number type thing set up but there is still a ton of key sharing :(. I'd like to add a system where once the user enters the serial, it is checked with my server to make sure that it is valid. Simplicity is key.

- Client sends MD5 of serial number to web page using PHP type thing "www.mywebsite.com?key=3434343"

- PHP script takes MD5 and checks it against simple database. If MD5 key exists in database, it increments a counter associated with that key, and generates a webpage that displays a 1. If no entry in the database, the script generates a webpage that displays 0.

- Client reads webpage and checks for 0 or 1 and acts accordingly.

I will manually enter valid keys (md5'd) in the database and monitor active keys for too many activations. I don't know anything about PHP so I don't know if this will work. Does this seem good enough? Are there blatant security holes? I will be using a shared host. Is there a better way? Thanks.

max111 asked Aug 14 '10 01:08


2 Answers

There are actually several blatant security holes in your scheme.

The first is that users can redirect their local internet traffic to a site that pretends to be you, but always displays a "1".

The second is that each key would only be good for X "activations", but if the message is lost in transit, too bad - the counter is still incremented. You need some way to validate that everything is OK; viewing the page is not enough.

The third is that hacking the program to think it got a "1" from your site would be the easiest thing in the world.

Don't implement your own copy protection. It will just annoy legitimate users, while not even slowing down real pirates. Either use a sophisticated commercial system, or (better yet!) try to strike at whatever motive is leading users to steal your program. This might be that your price is too high, or perhaps they don't feel you respect them. People do things for a reason.

Borealid answered Nov 15 '22 05:11
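The first hole above (an impostor site that always displays "1") exists because the client trusts an unauthenticated page body. As an added illustration, not code from the question or either answer, this PHP example has the server sign its verdict together with a client-chosen nonce, so a spoofed or replayed "1" is rejected. The function names, message layout, and sample serial are assumptions made for the example.

```php
<?php
// Added illustration; requires PHP >= 7.2 (bundled sodium extension).
// The key pair, serial and "database" below are constructed sample values.
$keypair   = sodium_crypto_sign_keypair();
$serverSk  = sodium_crypto_sign_secretkey($keypair);   // stays on the server
$clientPk  = sodium_crypto_sign_publickey($keypair);   // compiled into the client
$validKeys = [md5('DEMO-SERIAL-0001') => true];        // MD5(serial), as in the question

// Server: decide 0/1 and sign nonce|keyHash|verdict (hypothetical message layout).
function server_respond(string $keyHash, string $nonce, array $db, string $sk): array
{
    $verdict = isset($db[$keyHash]) ? '1' : '0';
    $sig = sodium_crypto_sign_detached($nonce . '|' . $keyHash . '|' . $verdict, $sk);
    return ['verdict' => $verdict, 'sig' => $sig];
}

// Client: accept only a "1" whose signature covers this request's own nonce.
function client_accepts(array $resp, string $keyHash, string $nonce, string $pk): bool
{
    if (!isset($resp['verdict'], $resp['sig'])
        || !is_string($resp['sig'])
        || strlen($resp['sig']) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;   // malformed reply; verify_detached throws on a bad length
    }
    $msg = $nonce . '|' . $keyHash . '|' . $resp['verdict'];
    return $resp['verdict'] === '1'
        && sodium_crypto_sign_verify_detached($resp['sig'], $msg, $pk);
}

$keyHash = md5('DEMO-SERIAL-0001');
$nonce   = bin2hex(random_bytes(16));   // fresh for every activation attempt

// Case 1: reply from the genuine server for this nonce.
$genuine = server_respond($keyHash, $nonce, $validKeys, $serverSk);
$ok = client_accepts($genuine, $keyHash, $nonce, $clientPk);
printf("genuine reply accepted: %s\n", var_export($ok, true));

// Case 2: impostor page that always answers "1" but cannot produce a signature.
$fake = ['verdict' => '1', 'sig' => str_repeat("\0", SODIUM_CRYPTO_SIGN_BYTES)];
$ok = client_accepts($fake, $keyHash, $nonce, $clientPk);
printf("spoofed reply accepted: %s\n", var_export($ok, true));

// Case 3: an older genuine reply replayed against a new nonce.
$newNonce = bin2hex(random_bytes(16));
$ok = client_accepts($genuine, $keyHash, $newNonce, $clientPk);
printf("replayed reply accepted: %s\n", var_export($ok, true));
```

A client patched to skip this check, the third hole above, is unaffected by signing.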


You're lacking a vital understanding of the key... the key is in the form of an MD5, which will contain both alpha and numeric characters. Consider this as an example:

3c102d6b53a7a8723e694f1417c2abfe 

How are you going to generate the key? On what basis do you generate the key?

I also see in this the passing of the key to the website using a parameter like this:

www.mywebsite.com?key=3434343

It will take a while for the hacker to find a key... what with the advent of processor speed and key generation... it will be cracked in no time. Furthermore, you will be exposing your script... do not underestimate what hackers/crackers can do to break the scripts... which is something you did not mention in your posting: no security defences of any kind!

Also, there's no mention of using security certificates to authenticate and not to scare off the end user, or even worse, an antivirus scanner may flag the site as suspicious, thus the end user is locked out of the application...

BOTTOM LINE: Do not try security schemes like this as they are a false economy. Either way, it would be the equivalent of a moth attracted to a flame: when an application "is protected", hackers/crackers will attempt to bypass it regardless of what you think... and you would be kidding yourself into thinking and deluding yourself that you're a brilliant programmer and that your dreamt-up scheme is foolproof - DON'T... Stay away from these kinds of schemes...

t0mm13b answered Nov 15 '22 04:11