I've got a product that ships as a zip file. I'd like to add some security to it or perhaps a password or license key to deter unauthorized trading of the file. Any tips?
Just password protect the zip.
Related
How can I secure a password so that it is hidden in Orca?
Short answer is no, so it's a question of how secure you need to be.
If you want to secure the values from casual observers, use code such as the Crypto API to store the encrypted value in the property table at build time and decrypt it into another property at install time. This is not totally secure because a determined user could reverse-engineer your decryption code in the MSI custom action and figure out what you're doing. It's "security by obscurity". You could perhaps obfuscate your code also.
Make sure you declare all the properties as Hidden in WiX so they are not exposed in an installation log file.
If this is a corporate environment, perhaps you could arrange to get the passwords from a secure location at install time, again into properties marked Hidden ao they are not in the MSI file at all.
I am a new user for apache-tomcat-7.0.52. I need to develop some authentication module for my application and need to understand if it is possible to store users encrypted passwords in a separate file and if so how should I do that. My authentication module probably should contain password file compatible with apache-tomcat-7.0.52, so first I need to find out the format of that file.
Thank you,
-Grigor
I recently got a new code signing certificate. I'm using MSBuild's SignFile task to sign an application manifest. For some reason the task is returning:
MSB3481: The signing certificate could not be located.
Ensure that it is in the current user's personal store.
The certificate is definitely in my personal store, I can see it in certmgr.msc. And I believe that I'm logged in as the same user since I'm able to sign the manifest using a different certificate that is in the same personal store. Not sure why this new certificate cannot be found.
I'm even able to use signtool.exe with the new certificate's SHA1 to sign files just fine. But I would really prefer to use our existing MSBuild with the SignFile task. Any ideas what could be going wrong here?
I've also tried importing the certificate with and without the complete certification path.
I not sure that this could help, but I remember that if you are copying thumbprint from snap-in field, there is an "invisible" symbol in first position.
So this thumbprint with that non-printable can't be located in your store. Try to remove 3-5 symbols from beginning of certificate thumbprint (including quotes) and type them manually.
Also take in account that thumbprint should be all uppercase (despite that property displayed in lowercase).
I've been comparing a tool called Coffee Cup Website Access Mangaer, which generates htpaswrd files and assists in multi user management, against cPanel's password protection functionality.
With the cPanel functionality, when accessing the directory I receive a browser warning "Warning this server is requesting your username and password be sent in an insecure manner..." because the passwords are sent in plain text and vunerable to pack sniffing.
But with credentials created with the coffee cup product I get no such warning. It is hashing the passwords, but presumably it's vulnerable in the same way as cPanel passwords.
#User Password File - 05/01/2012 15:14:56
username:$1$sa$Wo.g/ovtw8B//SAgNBbFP1
username:$1$sa$mSD/s4oNRerHapqlNkL321
I had always assumed cPanel was just creating htpaswrd files just like this program, and can find no information as to what the difference between the two might be.
Any thoughts appreciated as always.
As long as you use HTTP and not HTTPS, the password will be sent in plain text at some point. I don't know what authentication shceme does cPanel use, but maybe cPanel is defaulting to http while the other option isn't, which would explain the difference.
I have a wordpress theme that I support and upgrade frequently.
It contains a built in upgrader routine that takes a zip file containing the updated files and extracts to the theme directory, overwriting the old files.
I'd like to add a license verification routine to this upgrader routine that asks for the users's email address and password, then does a remote call to my member's database and verifies that the email and password are valid before allowing the routine to continue.
Is this a simple task? What approach would you take? The upgrade request will come from anywhere on the net and will have to call back to my server for the verification.
Its very similar to what WPRobot does to validate upgrades with known email addresses.
Your suggested method is just security through obscurity. The user can easily remove the client-side license check. If you have to do this, a simple way is to use HTTP Basic Auth. Have the client request the zip file with their credentials, and respond with the zip (correct credentials) or 401 Authorization Required (otherwise).