Identifying unique installations of WHMCS

[Kian]

Let's say we want to identify 100% unique installations of WHMCS. Given that IPs, paths and domain names are absolutely unreliable, what would you use?

I was thinking about WHMCS license key since every WHMCS has one and it cannot be used more than once. Is there any other option besides this one?

Keep in mind that I cannot use things hardware ID. It must work in PHP in any possible environment.

Thanks.

[Remitur]

Licence key is stored in tblconfiguration, so I guess you can freely use it for licence check...

[yggdrasil]

On 4/2/2020 at 5:35 PM, Kian said:

Let's say we want to identify 100% unique installations of WHMCS. Given that IPs, paths and domain names are absolutely unreliable, what would you use?

I was thinking about WHMCS license key since every WHMCS has one and it cannot be used more than once. Is there any other option besides this one?

Keep in mind that I cannot use things hardware ID. It must work in PHP in any possible environment.

Thanks.

So your idea is to get others people license keys and send them to your servers? Sounds like a serious breach of privacy and security.

Reasons like that are why I would never install an encoded module or third party add-on on my servers if I cannot vet the code.

Edited April 5, 2020 by yggdrasil

[Kian]

1 hour ago, yggdrasil said:

So your idea is to get others people license keys and send them to your servers? Sounds like a serious breach of privacy and security. 

I could get ANY information I want from your WHMCS (income, customers, server passwords, EPPCodes to transfer domains...) using a simple and small PHP script. You don't need a WHMCS module or an encoded script to do that. I could get all I want even with an open-source code that looks okay unless you're a skilled developer and you know how to read between the lines.

1 hour ago, yggdrasil said:

So your idea is to get others people license keys and send them to your servers?

I don't give a damn about WHMCS license keys. What should I do with that? I can't even use them for myself since every license is tied to domain, IP and path. What I'm trying to do is to find a better and more reliable way to perform license checks. I'm talking about Licensing Addon that is terribly bugged and full of flaws. I don't want to explain details since I have already wasted en enormous amount of time over the years to patch this mess. You can't imagine how stupid is that script and how fixing it sometime is not even possible. It's depressing like watching Di Caprio's death in Titanic.

Now "thanks" to COVID-19 (I'm from Italy) I have free time to look for alternatives and perform some tests. The plan is to use something more "stable" than a storm of IPv4, IPv6, hostnames and domain names that vary depending on daemon, virtual-host, root, www, curl, get contents, stream_context_create, cloudflare (or whatever platform is in use) etc.

Edited April 5, 2020 by Kian

[Remitur]

1 hour ago, yggdrasil said:

So your idea is to get others people license keys and send them to your servers? Sounds like a serious breach of privacy and security.

No issue: WHMCS licence key is stored in db in encrypted form: what you get (and can use to do your own check) is just an hash.

But the hash - as the original key itself - it's unique, and this is all you need... 

(BTW: I'm not sure if this hash change when you reissue the licence of WHMCS: being so, each time you reissue the WHMCS licence, then should reissue also your module's licence... only way to be sure about this is testing)

[yggdrasil]

1 hour ago, Kian said:

I could get ANY information I want from your WHMCS (income, customers, server passwords, EPPCodes to transfer domains...) using a simple and small PHP script. You don't need a WHMCS module or an encoded script to do that. I could get all I want even with an open-source code that looks okay unless you're a skilled developer and you know how to read between the lines.

I don't give a damn about WHMCS license keys. What should I do with that? I can't even use them for myself since every license is tied to domain, IP and path. What I'm trying to do is to find a better and more reliable way to perform license checks. I'm talking about Licensing Addon that is terribly bugged and full of flaws. I don't want to explain details since I have already wasted en enormous amount of time over the years to patch this mess. You can't imagine how stupid is that script and how fixing it sometime is not even possible. It's depressing like watching Di Caprio's death in Titanic.

Now "thanks" to COVID-19 (I'm from Italy) I have free time to look for alternatives and perform some tests. The plan is to use something more "stable" than a storm of IPv4, IPv6, hostnames and domain names that vary depending on daemon, virtual-host, root, www, curl, get contents, stream_context_create, cloudflare (or whatever platform is in use) etc.

But are your customers constantly changing the domain/path installation that offend that it is causing a problem with tracking their installations? Why not license your software based on domain and charge them if they want to change the domain. Maybe a small fee each time they want to change the licensed domain, assuming you are tired of doing the process manually, this can probably be automated if they request it with a ticket or form on your site. What problem are you trying to solve exactly?

[CodeCo]

If you have a load balanced setup, WHMCS allows a license key to be used on multiple instances and IPs but force the same path and domain. 

If you're just trying to match against a single company then I think license keys are the way to go (assuming they are hashed or you make a checksum of it or something) as they probably change less often than the domain, path or IP. 

[Remitur]

1 hour ago, yggdrasil said:

 Why not license your software based on domain and charge them if they want to change the domain. 

It's quite easy to trick just the domain linked to WHMCS license.

There're is also a module which allows you to use same WHMCS install with a number of different domains (each one with different theme, language etc.)

 

[Kian]

Wait guys 🤣 I have no problem with licensing system.

As I said I've already fixed everything a lot of years ago. The problems I'm referring to have nothing to do with people changing domains, IPs, paths, multi-IPs, load, or multi-domain environments. I'm talking about user-agents, on how php runs during curl(), crons, wget, www, streams, server configuration and some other stuff that can cause nasty situations but...

3 hours ago, Kian said:

I don't want to explain details since I have already wasted en enormous amount of time over the years to patch this mess.

I just want to...

3 hours ago, Kian said:

look for alternatives

Simply put I want to try a different a approach to licensing that is not based on these damned IPs, domains and paths. This way I can achieve three goals:

1. Making things easier for end-users. They could change server, domains, paths, IP or whatever they want without worrying about pressing a "Reissue License" button somewhere on some website
2. Making things easier for me since I no longer have to use so many fallbacks to handle particular situations and most importantly get rid of Licensing Addon entirely so that I can host the licensing server on a separate domain/server replicated all over the world
3. I'd like to sell licenses of my modules like Steam where people purchase license keys everywhere they want without even registering. They can install and play the videogame by pressing "Add a Game" and inserting the license key. This way I could sell licenses in bulk to sales representatives, account managers, IT people... who knows... 😋

Edited April 5, 2020 by Kian

[Kian]

Anyway back on topic I don't like the idea of relying on WHMCS license keys since it's something I can't control. What if one day WHMCS becomes free? 😋 There must be another value I can use. Basically I'm trying to find a sort or "license plate" that can identify an installation of WHMCS.

Edited April 5, 2020 by Kian

[yggdrasil]

10 hours ago, Remitur said:

It's quite easy to trick just the domain linked to WHMCS license.

There're is also a module which allows you to use same WHMCS install with a number of different domains (each one with different theme, language etc.)

 

Sure, but there is no 100% bullet proof system except the cloud, running software on your own servers and not giving customers access. When you let people run on premise, they can and will find ways to defeat what ever system you implement. The game industry has tried ways, the video industry, nobody could find a system, its impossible. License and keys are just an extra measure, but they don't prevent software theft, you prevent that by giving additional valued services like support, updates, etc. If you let people download software and use it on their systems, they can tamper with it.

[yggdrasil]

9 hours ago, Kian said:

Anyway back on topic I don't like the idea of relying on WHMCS license keys since it's something I can't control. What if one day WHMCS becomes free? 😋 There must be another value I can use. Basically I'm trying to find a sort or "license plate" that can identify an installation of WHMCS.

Why not add your own license plate system when users install your module or addon? Just add a unique hash or key to each installation and then you don't need to rely on the WHMCS license key.

[mfoland]

@Kian send me a PM. I may have an idea, and it's something I'm actually trying to work on.

[Kian]

Sorry for the late reply.

On 4/6/2020 at 4:25 AM, yggdrasil said:

Why not add your own license plate system when users install your module or addon? Just add a unique hash or key to each installation and then you don't need to rely on the WHMCS license key. 

A "plate generator" can't help me to identify unique installations of WHMCS. It would only move the problem to another place.

On 4/15/2020 at 7:07 AM, mfoland said:

@Kian send me a PM. I may have an idea, and it's something I'm actually trying to work on.

Okay.