Are CA certs of any value in reducing piracy?

DSP, Plug-in and Host development discussion.
Fender19
KVRist
292 posts since 30 Aug, 2012

Post Mon Sep 09, 2019 10:13 am

Curious if CA certs can be used as a means to reduce software piracy - assumption being that pirated software is often infused with malware (i.e., it should no longer match the original file).

I have played around with "self-signed" certs but was able to edit the plugin file (.dll) with a hex editor after signing and it still ran without issue. In other words, self-signed cert didn't have any effect.

I already use Pace signing for Pro Tools (AAX plugins) and that does a great job of stopping altered code in Pro Tools. It seems there should be a similar way to do this with VST and AU plugins using CA signing, yes/no? I would like to avoid going full Pace/iLok (which many customers hate) and am willing to sacrifice SOME protection to do that but want to stop piracy best I can otherwise.

Any input appreciated!

kingozrecords
KVRist
95 posts since 7 Apr, 2019

Re: Are CA certs of any value in reducing piracy?

Post Mon Sep 09, 2019 4:44 pm

The best way to avoid it is low prices. 15 dollars is the magic number. 28 is also good. Those two and piracy just doesn't happen. Quite often people have pirated just to test the real thing and never even use them, because frankly they're often not worth the price.

BertKoor
KVRAF
11236 posts since 8 Mar, 2005 from Utrecht, Holland

Re: Are CA certs of any value in reducing piracy?

Post Mon Sep 09, 2019 10:04 pm

Malware != altered. Malware does truly malicious things other than circumventing your protection.

Self-signed certificates can never be checked, since there is no authority to verify with.

Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.

Low price to avoid it? False. Even freeware gets cracked, just because they can.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is back online!!
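
Added example, not part of any post in this thread: a PowerShell check that a user or installer can run to see whether plugin binaries still match their Authenticode signature and whether the signer is the expected publisher. The folder path and the thumbprint are placeholders (assumptions), and the check only has an effect where someone actually runs it, since Windows does not verify Authenticode signatures when a host loads an ordinary plugin DLL.

```powershell
# Added example: report signature status for plugin binaries and pin the signer.
# $PluginDir and $ExpectedThumbprint are placeholders, not values from the thread.
param(
    [string]$PluginDir          = "$env:CommonProgramFiles\VST3",
    [string]$ExpectedThumbprint = '<PUBLISHER-CERT-THUMBPRINT>'
)

Get-ChildItem -Path $PluginDir -Recurse -File -Include *.dll, *.vst3 |
    ForEach-Object {
        # Get-AuthenticodeSignature recomputes the file hash and validates the chain.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        [pscustomobject]@{
            File         = $_.Name
            # Valid        : hash matches and the chain ends in a trusted root
            # HashMismatch : file was modified after it was signed
            # NotSigned    : no signature present
            # anything else: signature present but not trusted on this machine
            Status       = $sig.Status
            # A valid signature from a *different* certificate is still a mismatch:
            # this catches a modified file that was re-signed with another cert.
            SignerPinned = ($sig.Status -eq 'Valid' -and
                            $null -ne $cert -and
                            $cert.Thumbprint -eq $ExpectedThumbprint)
            Signer       = if ($cert) { $cert.Subject } else { '' }
        }
    } |
    Sort-Object SignerPinned, File |
    Format-Table -AutoSize
```

Rows where `SignerPinned` is `False` are the ones to inspect: the binary is unsigned, altered after signing, or signed by someone other than the pinned publisher.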

Fender19
KVRist
292 posts since 30 Aug, 2012

Re: Are CA certs of any value in reducing piracy?

Post Tue Sep 10, 2019 8:38 am

BertKoor wrote:
Mon Sep 09, 2019 10:04 pm
Anyone can get a proper certificate and sign the changed code again.

What if the original cert info was somehow searched for in the code? In other words, different cert, code doesn't work. If using a pre-established .p12 cert, could info from that cert be used to key the code? Seems even a self-signed cert might work if this is possible.

BertKoor
KVRAF
11236 posts since 8 Mar, 2005 from Utrecht, Holland

Re: Are CA certs of any value in reducing piracy?

Post Tue Sep 10, 2019 9:03 am

It can (and will) be circumvented in the changed code. Only low-level enforcement of an underlying platform / OS can help there. So it's not going to happen.

Fender19
KVRist
292 posts since 30 Aug, 2012

Re: Are CA certs of any value in reducing piracy?

Post Tue Sep 10, 2019 9:15 am

BertKoor wrote:
Tue Sep 10, 2019 9:03 am
It can (and will) be circumvented in the changed code. Only low-level enforcement of an underlying platform / OS can help there. So it's not going to happen.

OK, what options are there for active code protection besides something like iLok or some incredibly complicated web-based challenge/response system? I know there are some clever folks here who have their own means. Any input appreciated!

BertKoor
KVRAF
11236 posts since 8 Mar, 2005 from Utrecht, Holland

Re: Are CA certs of any value in reducing piracy?

Post Tue Sep 10, 2019 10:52 am

Sure, 21 pages of good ideas, especially look at contributions from Urs.
viewtopic.php?f=33&t=472847

Haven't we pointed you to this already?
Apparently yes.

One of the most important aspects is to not care about it anymore. Or at least, not as much...

What do you enjoy most: coding plugins or fighting the pirates? Do you really lose anything with the cracks? Got numbers to prove that?

In short: pick your battle.

Richard_Synapse
KVRian
897 posts since 20 Dec, 2010

Re: Are CA certs of any value in reducing piracy?

Post Thu Sep 12, 2019 1:04 am

BertKoor wrote:
Mon Sep 09, 2019 10:04 pm
Malware != altered. Malware does truly malicious things other than circumventing your protection.

Self-signed certificates can never be checked, since there is no authority to verify with.

Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.

Getting a code certificate is quite complex, and fairly expensive too. Maybe there are stolen certificates out there, dunno. It seems to me that e.g. the requirement to sign AAX plugins makes it at least a lot more tedious for crackers though.

BertKoor wrote:
Mon Sep 09, 2019 10:04 pm
Low price to avoid it? False. Even freeware gets cracked, just because they can.

Yep. There used to be a few groups that didn't crack cheap software (with the idea to support indie devs), unfortunately this is/was entirely useless because others still go ahead and crack whatever they can.

Richard
Synapse Audio Software - www.synapse-audio.com
