On 20/11/2023 12.02, Om Khade wrote:
> Hey Kasper,
> We have a method to securely distribute the key for decryption in a way
> that the client won't be able to use it for decryption on his own, but to
> run the Django project we will have to decrypt the code at some
> location. I want to make it hard for anyone to access it during this
> transition. In the end, I want to make it hard for anyone to bypass the
> licensing mechanism by making changes to the code or to understand the
> validation logic in place to detect code changes.

Sure, you can make it "hard" with different kinds of obfuscation, but in
the end the client will still have access to the key since the client
has full control over the machine, including reading whatever is stored
in memory.

You can make the validation logic so complicated that it's harder to
reverse engineer, but that will without doubt introduce a lot of bugs and
annoyances for your paying customers while you haven't effectively
stopped anyone from accessing your keys anyway.

Security by obscurity and DRM doesn't work and it's not worth trying to
implement.

That's just my (and many others') opinion of course. If you want to try
to implement something that is logically impossible to do then by all
means go ahead.

Kind regards,
Kasper Laudrup