Forum Moderators: open

Message Too Old, No Replies

Protecting Your ASP Code

Hiding / Encrypting the source code

         

chris_f

12:16 pm on Sep 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi All,

I know this issue has come up in the past (I was only one of many people to raise it) but I have not seen it recently. Is there any way of encrypting / hiding your ASP (classic not .net) source code?

Here is my situation:
I code in classic ASP. I use no tools (other than notepad) to do this. Therefore, I have no development environment and create no dll's (which is a ruled out solution).

I have developed a small site in ASP for my local government. They are insistant on hosting it on their server. Therefore, I must release my code. However, they have just taken on 2 juniors who I believe are going to mimic my code and create a replicate of the app (and build future apps) which means I don't get paid. I, therefore, am reluctant to release my source code. Is there a way of me encrypting it so that IIS can process it but they can't read it.

I release this may mean purchasing a component for them to install on their server to decrypt the code for processing. This is not an issue. I have heard of a product called ASPCodeLock, however, the company no longer develop or sell the product. Is there anything similar anyone can recommend?

ATOB
Chris

chris_f

1:01 pm on Sep 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just found the Microsoft Script Encoder [microsoft.com]. My search may be over.

<added>
- or not. It looks simple to decode.
</added>

ATOB
c

txbakers

1:11 pm on Sep 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I once looked into the script encoder and it was pretty nifty, but I noticed that it was an "either or" situation. I could either encode all my ASP scripts or my javascripts. For some reason I couldn't do both on the same page. I opted to code the ASP since that was where the bulk of the logic was kept.

However, I have since forgotten about that project, but need to think about it again as I might be providing stand alone versions of my product and need to encrypt the guts.

Which leads to me a product reference: There is an IIS Emulator available on the web now which allows you to run an ASP website from a CD drive or remote machine without having to install the PWS or IIS. This looks really cool.

chris_f

1:17 pm on Sep 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Correction: It is simple to decode

IIS Emulator? Nice. I will look into that. Thanks for the tip-off.

ATOB
c

macrost

6:11 am on Sep 6, 2003 (gmt 0)

10+ Year Member



Well I bought a copy of crypthtml, but I find that I'm having a hard time trying to get it to work with asp + js + html together on one page.

Mac

aspdesigner

8:21 pm on Sep 6, 2003 (gmt 0)

10+ Year Member



Script Encoder works. It's not unbreakable, but it should stop a junior programmer or client.

There are other things you can do as well. Try adding code to "lock" the program to that specific domain name, and obvuscate the code so it looks like part of the program's normal operation. Or hide a "key" file somewhere else in the directory structure, and then use FSO to confirm it's contents.

Make a detected violation of your security code generate a cryptic and unrelated error message, so if they try to steal your code, they think they made a decoding or programming mistake, and not tripped your anti-theft alarm.

So rather than:

"ERROR - ASP Theft Detected - This Code Only Licensed for host xyz.com"

you might say -

"ERR # 489331: Database structure mismatch - index key field invalid or read-only.
Please contact YourCompany Tech Support at 888-888-8888 for assistance"

They'll go nuts trying to find the error!

Or if you REALLY want to confuse the hell out of them - include files don't have to be named .asp or .inc.

Try putting critical code in an include, encode it, and then name it something fun like a .dll or .exe!

99% of the time, a programmer (even an experienced one), if they see a binary file named .dll, they will just assume it's an installed component! :)

txbakers

9:37 pm on Sep 6, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I like that last one! I'm going to try it.

Although if I'm nosing around someone else's application (strictly for educational purposes...) I will right click on the dll and see if it will open in Textpad.

But I do need to to something in the near future. As I distribute the program with that IIS emulator I'll need a way to hide the ASP code at least.

amoore

9:47 pm on Sep 6, 2003 (gmt 0)

10+ Year Member



While it doesn't exactly answer your question, you can explain to them that you will license them to use the code, but not modify, distribute, or create derivitives of it. If they would like to do any of those things, you can charge them for a more extensive license that will give them rights to do more with the code. Surely there's a dollar figure where you're both satisfied. It may be easier for you to solve the problem in this way than through a technical solution.

aspdesigner

10:48 pm on Sep 6, 2003 (gmt 0)

10+ Year Member



> I like that last one! I'm going to try it.

Glad you liked it!

> I will right click on the dll and see if it will open in Textpad.

Ah, but if the .dll file is also encrypted, they'll see garbage instead of text and assume its a component!

aspdesigner

12:17 am on Sep 7, 2003 (gmt 0)

10+ Year Member



- Accidental repost by clicking BACK button on my browser - deleted -

aspdaddy

1:09 pm on Sep 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would go with amoores suggestion. You dont want to be encryting for these reasons.

If they are local govt, they must know how to deal with external developers and understand intellectual property issues.

By default uncompliled source code becomes the IP of the client upon payment. If you dont want this to happen make it clear.

aspdesigner

2:29 pm on Sep 8, 2003 (gmt 0)

10+ Year Member



> By default uncompliled source code becomes the IP of the client upon payment.

Actually, that is incorrect. Your copyrights as an author are influenced by such issues as employee vs. your own company, whether your contract included a written "work for hire" assignment clause, etc.

You do not, however, loose your rights as the author of a work simply by virtue of the format in which you provide that work to the client, particularly in the case of classic ASP/VBScript, where the source code and the executable version are the same thing!

While it is true that if you release your source code you may no longer be able to claim it a Trade Secret, but even that can be solved by having the client sign a non-disclosure.

But providing source code does not cause a loss of copyright. Technically, even publicly published source code does not become public domain absent a statement to that effect.

aspdaddy

2:58 pm on Sep 8, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes I know there are loads and loads of issues, but in practice when contracted to write asp - this is *usually* what happens.

My point was if you want any special terms, or want to licence the code rather than sell it - you must make them clear - get them in the contract.