Ask HN: Should I open source my licensing server?
Recently developed an in-house "zero trust" license server based on PKI idea, blockchains, and proof-of-time, to convert a regular "vendor hosted" license server, into one that can be hosted on the buyer side. A lot of anti-piracy goes into obfuscation, and while I consider that defense-in-depth, I also consider obfuscating client-controlled code useless, and tried to make the system depend on cryptographic guarantees as much as possible. No such system where possibly adversarial clients control the license server, especially in an offline scenario, is perfect, but with immutable secure logs, and PKI chain of trust through a hierarchy of root authorities, I think we have a fairly solid approach.
Open sourcing might lay bare some flaws which could be fixed. Or it might lay bare some flaws which could be exploited. This is mostly theoretical, we will probably not OSS it right now, but I consider it a useful exercise to crowd-think through the possibilities.
In the rare chance that it is actually something novel, secure and useful, it might help other companies secure their deployments in a zero trust way.
29 comments
[ 2.9 ms ] story [ 76.6 ms ] threadDon't open source it because you want/need/expect other people to work on it because statistically, that is not going to happen.
Open sourcing your project will create more work for you, not less. Good luck.
Initially (2021?) one project had a bunch of OSS contributors who wanted to take part, but I felt scared to let go the reins and possibly needlessly suspicious of their praise and enthusiasm.. so I basically turned them all away, didn’t care for them, and they never came back. Felt sad.
Hahaha! :)
But I agree in the case of this licensing server in seems it might be rare to get people working on it. But if you do a show HN, you might get people picking apart security flaws, which is useful. From perspectives we haven’t thought about.
Probably gonna test it more, consider open sourcing later after a few proven deployments of this self hosted version.
Thanks for your practical comment. BTW- i like your writing and poetry at your blog, it’s cool. You have a style I’d feel happy read in fiction I think. Kind of elided, modern Ginsburg-ish, idk, but it’s good :)
I don't suppose one of them was Jia Tan? ;-)
People will tell me that simply open sourcing it will make help magically appear. Not to say that cannot happen (sometimes it does), but the odds are against it.
Looking at my own stuff people likely never appeared and contributed some code simply because my stuff is open source - and my stuff is much simpler, see for yourself: https://github.com/ericoporto?tab=repositories&q=&type=sourc...
We use CodeMeter. It is possible your product may be competitive to other SW license server products.
https://www.wibu.com/us/products/codemeter.html
I think with security products like this, open sourcing can be a good idea as it allows users to inspect the code and feel more confident that it is indeed secure. Plus you get feedback (and maybe even help) you wouldn’t otherwise get. And you can charge for services, etc even if open source (if you want).
https://www.gnu.org/philosophy/free-software-even-more-impor...
https://opensource.google/documentation/reference/why
If there are flaws(, and there are!) it might be preferable to have the chance to learn about them from grumpy security open source contributors than after the exploit
You’ll need a lot of money and stay in it for the long run to take on companies like that. It’s possible though.
Many pirates still buy games anyway, too.
My thinking on pirates is: marketers who work for free. Hahaha! :)
I can see the idea that the OP is suggesting but decades of keygens and hacking have taught us that if someone really wants to use your software without paying, then they will.
I've seen people craft elaborate ways around my own software licensing check when the actual "hack" is jaw droppingly simple (and is all on github), the point is that the people you need to concern yourself with are the people who will pay for a license.
That said, most licensing checks are simplistic and can be bypassed easily. I mean, this code:
if (licensed) then activate=true
is relatively easy to find and patch around by a motivated individual.
A better way would be to use a key from your key server to encrypt/decrypt their configuration, like with TOTP. But you still would have to make sure they didn't just bypass your encrypt/decrypt code.
Zero-trust approach: This is a strong foundation for security, eliminating the need to completely trust any component in the system. Leveraging PKI and blockchain: These technologies offer robust cryptographic guarantees and tamper-proof records. Focus on cryptographic guarantees: This prioritizes strong security over obfuscation, which can be bypassed with enough effort. Immutable secure logs: This provides an auditable trail of license activity, aiding in troubleshooting and potential legal situations. PKI chain of trust: Utilizing a hierarchy of root authorities strengthens the overall trust model. Considerations:
Open-sourcing: This can be a double-edged sword. While it might expose vulnerabilities, it also allows for community review and improvement. Consider a private beta with trusted security researchers before full open-source release. Offline scenarios: While not perfect, exploring options like pre-downloading licenses or implementing secure, limited offline functionality could further improve usability. Threat model: Clearly define the types of attacks you're trying to mitigate (e.g., unauthorized license use, license server compromise). Overall, your approach seems promising! Here are some additional thoughts:
Performance: Consider the impact on application performance, especially with blockchain interaction. Scalability: How will the system handle a large number of clients and licenses? Integration: How easily can it be integrated with existing licensing systems? Open-sourcing for crowd-think is a valuable exercise. Here are some ways to mitigate potential risks:
Security audit: Before open-sourcing, consider a professional security audit to identify and address any critical vulnerabilities. Phased release: Start with a limited open-source release, allowing trusted partners or researchers to review before a full public release. Strong license: Choose a license that allows for contributions while protecting your intellectual property. By carefully considering these points, you can build a robust and secure zero-trust licensing system that benefits your company and potentially the wider software community.