Are CA certs of any value in reducing piracy?
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
Curious if CA certs can be used as a means to reduce software piracy - assumption being that pirated software is often infused with malware (i.e., it should no longer match the original file).
I have played around with "self-signed" certs but was able to edit the plugin file (.dll) with a hex editor after signing and it still ran without issue. In other words, self-signed cert didn't have any effect.
I already use Pace signing for Pro Tools (AAX plugins) and that does a great job of stopping altered code in Pro Tools. It seems there should be a similar way to do this with VST and AU plugins using CA signing, yes/no? I would like to avoid going full Pace/iLok (which many customers hate) and am willing to sacrifice SOME protection to do that but want to stop piracy best I can otherwise.
Any input appreciated!
- KVRian
- 1311 posts since 7 Apr, 2019 from Canada
The best way to avoid is low prices. 15 dollars is the magic number. 28 is also good. Those two and piracy just doesn't happen. Quite often people have pirated just to test the real thing and never even use them, because frankly they're often not worth the price.
DSPplug Products https://www.kvraudio.com/marketplace/dspplug
DSPplug website https://dspplug.com
DSPplug Linkedin https://linkedin.com/in/rjbellis
- KVRAF
- 15269 posts since 8 Mar, 2005 from Utrecht, Holland
Malware != altered. Malware does truly malicious things other than circumventing your protection.
Self-signed certificates can never be checked, since there is no authority to verify with.
Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.
Low price to avoid it? False. Even freeware gets cracked, just because they can.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!
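The points above about self-signed certificates and altered files, seen from the verification side. This is an added example, not part of the thread: it signs a constructed stand-in script (not a real plugin) with a self-signed certificate under a hypothetical subject name, alters the file, and reports what Authenticode verification says before and after, including whether the signer matches a pinned thumbprint.

```powershell
# Added example: constructed stand-in file and a hypothetical self-signed subject.
$work = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'plugin-standin.ps1'   # stands in for the signed plugin
Set-Content -Path $file -Value 'Write-Output "original build"'

$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Vendor (self-signed demo)' `
    -CertStoreLocation Cert:\CurrentUser\My
Set-AuthenticodeSignature -FilePath $file -Certificate $cert | Out-Null

function Get-SignatureReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$PinnedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        # SignatureStatus enum: Valid, HashMismatch, NotSigned, UnknownError, NotTrusted, ...
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = if ($signer) { $signer.Subject } else { $null }
        # True only when the file carries a signature from the expected certificate.
        MatchesPinned = [bool]($signer -and $signer.Thumbprint -eq $PinnedThumbprint)
    }
}

$before = Get-SignatureReport -Path $file -PinnedThumbprint $cert.Thumbprint

# Alter the signed content, as a hex edit would, leaving the signature block in place.
$text = Get-Content -Path $file -Raw
Set-Content -Path $file -Value $text.Replace('original', 'modified') -NoNewline
$after = Get-SignatureReport -Path $file -PinnedThumbprint $cert.Thumbprint

$before, $after | Format-List

# Clean up the demo certificate and files.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $work -Recurse -Force
```

The report enforces nothing by itself: it only helps if a host, installer or OS policy runs the check and refuses anything other than a valid signature from the expected signer.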
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
What if the original cert info was somehow searched for in the code? In other words, different cert, code doesn't work. If using a pre-established .p12 cert could info from that cert be used to key the code? Seems even a self-signed cert might work if this is possible.
- KVRAF
- 15269 posts since 8 Mar, 2005 from Utrecht, Holland
It can (and will) be circumvented in the changed code. Only low-level enforcement of an underlying platform / OS can help there. So it's not going to happen.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!
-
- KVRian
- Topic Starter
- 626 posts since 30 Aug, 2012
OK, what options are there for active code protection besides something like iLok or some incredibly complicated web-based challenge/response system? I know there are some clever folks here who have their own means. Any input appreciated!
- KVRAF
- 15269 posts since 8 Mar, 2005 from Utrecht, Holland
Sure, 21 pages of good ideas, especially look at contributions from Urs.
viewtopic.php?f=33&t=472847
Haven't we pointed you to this already?
Apparently yes.
One of the most important aspects is to not care about it anymore. Or at least, not as much...
What do you enjoy most: coding plugins or fighting the pirates? Do you really lose anything with the cracks? Got numbers to prove that?
In short: pick your battle.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!
-
Richard_Synapse
- KVRian
- 1136 posts since 20 Dec, 2010
Getting a code certificate is quite complex, and fairly expensive too. Maybe there's stolen certificates out there, dunno. It seems to me that e.g. the requirement to sign AAX plugins makes it at least a lot more tedious for crackers though.
BertKoor wrote: ↑Tue Sep 10, 2019 6:04 am
Malware != altered. Malware does truly malicious things other than circumventing your protection.
Self-signed certificates can never be checked, since there is no authority to verify with.
Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.
Yep. There used to be a few groups that didn't crack cheap software (with the idea to support indie devs), unfortunately this is/was entirely useless because others still go ahead and crack whatever they can.
Richard
Synapse Audio Software - www.synapse-audio.com