PHP源加密 - 有效性和缺点 [英] PHP Source Encryption - Effectiveness and Disadvantages
问题描述
-
对于完全访问系统的用户(如系统管理员或黑客攻击系统管理员)来解密源代码,有多容易/难处?我不知道加密软件如何工作,但我假设他们使用一些密钥,这将不得不停留在服务器上,因此可以访问系统管理员或黑客。如果您在技术上对知识的了解,请随时在您的答案中提供解释。
-
是否使用这样的源加密减慢网站?如果任何人有第一手的经验,或者知道拥有第一手经验的人;)
我有兴趣在技术方面,加密是如何有效的。它的缺点来自使用他们或考虑使用它们的人。
感谢(所有有用的答案/评论都是投票)
编辑:迄今为止的答案似乎忽略了我正在想要了解的内容..我正在努力了解加密的有效性。我真的没有任何代码需要保护的坏人,以上只是一个例子,所以建议,如开源或聘请律师,并不真正地解决我的技术好奇心。A +任何人谁得到点
加密(或编码器)方案会尝试将您的代码隐藏为加密文件。显然,代码必须在执行时解密,这增加了无用的开销。
其中一些还坚持主机系统安装特殊例程,主持人非常不喜欢,因为他们不想为您设置特殊配置。但不好的是它们包含了自己的撤销种子:要在目标主机上运行,它们必须包含解密软件。所以如果你使用一个,你提供的解密器是必要的,以获取你的代码。它只是一个定位的问题;一旦发现,您的代码是完全可解密和暴露的。这些只是不安全。
混淆方案争夺标识符的名称,删除注释和格式。但混淆代码的运行方式与原始操作完全相同,没有开销,并且不需要特殊的运行时支持。混淆器依赖于一般理解程序的内在困难。程序很难理解他们的设计是否精心设计,名称被选择良好,代码中有很好的评论。我们都希望我们的程序设计得很好,但如果名字不好,评论不见了,他们很难理解。检查自己的经验与其他人的代码。
人们会说,但任何人都可以检查模糊的代码,并了解它。如果你有一个微小的应用程序,那就是真的。如果你的应用程序有任何规模(几十页的代码),那么当所有的变量名被加扰时,它是非常难以理解它在做什么的。您的代码越大,更好的混淆就是保护它。
如果您想查看一个PHP混淆器的示例,请参阅我们的丛书PHP混淆器。
I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).
How easy/hard is it for someone who has full access to the system (like the sysadmin or hacker that hacks the sysadmin) to decrypt the source? I don't know how encryption software work, but I'm assuming they use some key, which would have to stay on the server and is therefore accessible to a sysadmin or a hacker. If you're technically-knowledgeable about the how-to, don't hesitate to offer an explanation in your answer.
Does the use of such source encryption slow down the site? If anyone has first-hand experience or knows from someone that has first-hand experience ;)
I'm interested in the technical aspects of this, how effective encryption is.. and its disadvantages, from those who used them or considered using them
Thanks (all helpful answers/comments are up voted)
Edit: the answers so far seem to be ignoring what I'm trying to understand.. I'm trying to understand the effectiveness of encryption. I don't really have any code that needs protection from the bad guys, the above was just an example, so advice like open source it or hire a lawyer don't really address my technical curiosity.. A+ to anyone who gets the point
Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead. Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. Its only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.
Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. Programs are hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.
People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.
If you want to see examples of what one PHP obfuscator does, see our Thicket PHP Obfuscator.
这篇关于PHP源加密 - 有效性和缺点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
