
I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).

  • How easy/hard is it for someone who has full access to the system (like the sysadmin or a hacker that hacks the sysadmin) to decrypt the source? I don't know how encryption software works, but I'm assuming they use some key, which would have to stay on the server and is therefore accessible to a sysadmin or a hacker. If you're technically knowledgeable about the how-to, don't hesitate to offer an explanation in your answer.

  • Does the use of such source encryption slow down the site? If anyone has first-hand experience or knows from someone that has first-hand experience ;)

I'm interested in the technical aspects of this: how effective encryption is and its disadvantages, from those who have used them or considered using them.

Thanks (all helpful answers/comments are up voted)

Edit: the answers so far seem to be ignoring what I'm trying to understand. I'm trying to understand the effectiveness of encryption. I don't really have any code that needs protection from the bad guys; the above was just an example, so advice like "open source it" or "hire a lawyer" doesn't really address my technical curiosity. A+ to anyone who gets the point

Ira Baxter
Chris
    If you don't trust your hosting company, don't use them. If you don't trust any hosting company, then be your own host. If you don't trust yourself... – Dominic Rodger Oct 11 '09 at 19:07
    nobody is interested in your code –  Oct 11 '09 at 19:18
  • why do you want to do this? Paranoia? – Peter Oct 11 '09 at 19:27
    @hop in fact there are many people interested in his code. Ever hear of the facebook code debuting as a new SNS startup in china a few years back? valid question. – eric Sep 04 '12 at 12:22

6 Answers


Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead. Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. It's only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.

Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. Programs are hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.

People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.

If you want to see examples of what one PHP obfuscator does, see our Thicket PHP Obfuscator.

Ira Baxter
  • +1 for a great explanation. Is the point about scale your own observation or is it documented somewhere? – Chris Oct 11 '09 at 20:25
  • It's my observation, but I think widely accepted by the reverse engineering community. If you have a large, well designed, well documented program, it is hard to understand. There are tons of tools to help people "understand" non-obfuscated code, and most people will tell you those tools don't really work that well. – Ira Baxter Oct 11 '09 at 20:29

Neither Zend Guard nor ionCube uses encryption, in its mathematical sense, to protect your code. What they do, besides the obfuscation already described by other answers, is encoding.

This is a process that's normally done automatically by the PHP interpreter each time your script is accessed: your PHP script is compiled into a bytecode format, which is then executed. What encoders like Zend Guard and ionCube essentially do is an equivalent process, only that it's done once, and then only the "compiled" bytecode is made available/uploaded to the server.

This means that actually recreating the very same code that you once wrote is entirely impossible. What is not impossible, and this goes for obfuscation as well, is reverse-engineering the compiled or obfuscated code to figure out what it's doing.

To summarize, I'd say that these products are very good at protecting your code - as opposed to protecting your logic.

eliego
  • It sounds like this would have significant performance benefits, is that the case? – Chris Thompson Oct 11 '09 at 20:21
    I'm not sure, but I'd think so. Products like Zend Optimizer use this technique to achieve their performance benefit, and I can't see why you wouldn't get the same results with Zend Guard. – eliego Oct 11 '09 at 20:23

Why exactly do you need to encrypt your source code? If you are sporting this as a safeguard against potential hackers, then please believe me when I say that if they really wanted to decrypt your source code, they would do it. It is possible with ionCube, last time I checked.

As far as performance impacts, I believe Zend is a tad bit faster than ionCube due to it not requiring any extra files. But like I said before, don't rely on encryption for anything.

Chris S.
  • Thanks finally to someone who got my question :) So what do I need to decrypt code and how long would that take? – Chris Oct 11 '09 at 19:43
  • That depends; there are services that do this for a charge, and there is a piece of software called Dezender that can decrypt files. I would rather not go into actual steps of reverse-engineering code, though. – Chris S. Oct 11 '09 at 20:01
  • Is there something similar available for ionCube? This is for an edu project, not external use. – Chris Oct 11 '09 at 20:22

If it can be executed it can be decompiled. Stick to your legal team for rights access, not encryption :) Better yet, open source your project :P

EDIT: 'Encryption' also adds heavily to execution times!

Al.

The only thing you can do against the hosting company is to have a good license and a lawyer.

Imran
Gabriel Solomon

As far as I know, PHP encoders do not actually encode your PHP code. They just change variable names and add unnecessary rubbish code, so that it becomes VERY hard for anyone to find out what the code does. The problem is that they cannot hide any password (be it the hard-coded admin password or the database connection data).

So they do not ensure that your code is safe, they just make it very hard for anyone to understand it.

FlorianH
  • I thought the ones that change variable names and add rubbish were the obfuscators, no? I thought encryptors did something else, they used a key or something and supposedly were better at what they're supposed to do, no? – Chris Oct 11 '09 at 19:59
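The points made in Ira Baxter's answer (obfuscation renames identifiers and strips comments while the code runs unchanged) and in FlorianH's answer (it cannot hide a hard-coded password), as an added example that is not from any answer here nor from Zend Guard or ionCube; `obfuscate()` and the sample login script are constructed for illustration and the scrambled-name scheme is an assumption:

```php
<?php
// Added example, not code from any answer or from Zend Guard/ionCube: a minimal
// identifier-renaming obfuscator built on PHP's own tokenizer (token_get_all).
// It renames variables, drops comments and collapses formatting, but leaves
// string literals (such as a hard-coded password) untouched and fully readable.

function obfuscate(string $source): string
{
    // Names that must survive renaming: $this and the superglobals.
    $keep = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_SERVER', '$_SESSION',
             '$_COOKIE', '$_FILES', '$_ENV', '$_REQUEST'];
    $map = [];       // original variable name => scrambled name (assumed scheme)
    $out = '';
    foreach (token_get_all($source) as $tok) {
        if (is_string($tok)) {      // one-character tokens such as ';' or '('
            $out .= $tok;
            continue;
        }
        [$id, $text] = $tok;
        if ($id === T_COMMENT || $id === T_DOC_COMMENT || $id === T_WHITESPACE) {
            $out .= ' ';            // comments vanish, layout collapses to one space
        } elseif ($id === T_VARIABLE && !in_array($text, $keep, true)) {
            $map[$text] ??= '$_' . dechex(0xA000 + count($map));
            $out .= $map[$text];
        } else {
            $out .= $text;          // keywords, strings, function names pass through
        }
    }
    return $out;
}

// Constructed sample script: a login check with a hard-coded admin password.
$sample = <<<'SRC'
<?php
// Compares the supplied credentials against a hard-coded secret.
function check_login($user, $password) {
    $adminPassword = "s3cret";   // the value we would like to hide
    return $user === "admin" && $password === $adminPassword;
}
SRC;

$obfuscated = obfuscate($sample);
echo $obfuscated, "\n";

// 1) The scrambled copy still behaves exactly like the original.
eval('?>' . $obfuscated);           // the leading '?>' lets eval() accept the open tag
var_dump(check_login('admin', 's3cret'));

// 2) What obfuscation cannot hide: the secret is still present as plain text.
var_dump(strpos($obfuscated, '"s3cret"') !== false);
```

Run it with the PHP CLI; the printed obfuscated source shows scrambled variable names next to the untouched `"s3cret"` literal, which is the gap FlorianH describes.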