License Validation API

This is good.

Suggestion: How about setting an expiration time for validation tokens? Maybe, say 24hrs?
 
Only Mike could come up with such an excellent idea. We are unworthy.

 
I'm not liking the token system.

For starters.... I and a few other people could easily make a keygen to generate tokens. It would be hit and miss, but anything that generates a code can be cracked.

I only mention this because I've seen such a system done for another software (web software, such as forums or blogs). Before you know it, you've got people validating themselves as other people.

And then there is the idea that you can only have 1 key (token) generated at a time. If I am doing business with more than one person at the same time.... Must I wait for them to check it? How would I know when they did?

X person may be online today and Y person may be online 3 days from now, but if I send Y person a token... I could have hit up X person sooner.

This is all coming down to... I would much rather have a nice "verified" in my postbit.
 
I'm not liking the token system.

For starters.... I and a few other people could easily make a keygen to generate tokens. It would be hit and miss, but anything that generates a code can be cracked.

1,208,925,819,614,629,174,706,176 potential tokens per domain.

Use my domain, p8ntballer-forums.com

Come back when you crack my token.
 
You have my permission to try and crack mine.

Good luck.
The token generator is nothing more than a key generator, with each key only being able to be used once. Right now, sure... There are not many XenForo customers and the odds are low.

But as you add more customers or to the point, more individual licenses ... Those odds go up.

Microsoft Windows couldn't keep their "keys" (tokens) secure.... We're talking a multi-billion dollar company who spent millions trying to develop an algorithm that could not be cracked.

And tested "one time use keys" (before genuine advantage) and they too failed.

The changing variable is the number of licenses sold.
 
I'm not liking the token system.

For starters.... I and a few other people could easily make a keygen to generate tokens. It would be hit and miss, but anything that generates a code can be cracked.

I only mention this because I've seen such a system done for another software (web software, such as forums or blogs). Before you know it, you've got people validating themselves as other people.

And then there is the idea that you can only have 1 key (token) generated at a time. If I am doing business with more than one person at the same time.... Must I wait for them to check it? How would I know when they did?

X person may be online today and Y person may be online 3 days from now, but if I send Y person a token... I could have hit up X person sooner.

This is all coming down to... I would much rather have a nice "verified" in my postbit.
People crack things because they gain something out of it. Why would you waste your time to crack a validation token of a forum software customer?
 
Honestly, I wonder about the "purpose" of this API... Any decent hacker who wants to distribute mods that check for this can very easily edit out the function since PHP is visible source.
 
For starters.... I and a few other people could easily make a keygen to generate tokens. It would be hit and miss, but anything that generates a code can be cracked.

Cracking isn't worth it. And also not that easy.
It would be easier to pretend to be a developer and collect those tokens...
Sometime in the future you may also find token lists for sale. ;-)

IMHO this is a very usable system for this very special need. A similar system is also used at domain registries. I am sure it helps to reduce the work load at XF with verification tickets. They can even expand it and allow an automatic transfer of licenses with a special "transfer token".

However, I support your official "XF Verified" badge suggestion. This would be a nice thing to have in addition to the verification API. And it would also be not too complicated to implement.
 
The token generator is nothing more than a key generator, with each key only being able to be used once. Right now, sure... There are not many XenForo customers and the odds are low.

Let me tell you how low.

Given the 1000 limit per IP per day.

If you used that 1000 limit, on every single IPv4 in existence, it would take you approximately 800 million years to go through every key possible.

Like I said. Good luck :)
 
Honestly, I wonder about the "purpose" of this API... Any decent hacker who wants to distribute mods that check for this can very easily edit out the function since PHP is visible source.

The idea isn't to add a call home check into addons, as you say, easy to remove.

The system is in place so that addon authors can have a tool to help verify the people they are selling to beforehand.
 
People crack things because they gain something out of it. Why would you waste your time to crack a validation token of a forum software customer?
I can think of 2 reasons

  • Because they can (that is often #1)
  • Because it will be easier to get nulled stuff

Pirate: Well here you go Mr Developer. My proof that I am a valid customer. Here is my key.
Developer: Thanks. Here is your software
Pirate: Thank you :sneaky:
Developer: Why is my stuff being uploaded to null site? I only sold them to X, Y, Z

X: I never bought anything
Y: Who are you?
Z: ???

Pirate: Wow, sorry to hear X, Y, Z, can't be trusted. Here is my key, I can be trusted.
 
The token generator is nothing more than a key generator, with each key only being able to be used once. Right now, sure... There are not many XenForo customers and the odds are low.

But as you add more customers or to the point, more individual licenses ... Those odds go up.

Microsoft Windows couldn't keep their "keys" (tokens) secure.... We're talking a multi-billion dollar company who spent millions trying to develop an algorithm that could not be cracked.

And tested "one time use keys" (before genuine advantage) and they too failed.

The changing variable is the number of licenses sold.

I think the point here Adam (not having a dig) is at least XenForo are trying which is more than can be said for other companies who couldn't give a toss about the 3rd party developers just as long as they're making a quick buck. I think it's great to see this come into action.

Anyhow just my 2 cents worth. Excellent work XF team, I mean that.
 
Maybe make it the token and domain both must match before the token verifies. I was sad though the system wasn't just like WHMCS's validate http://www.whmcs.com/members/verifydomain.php where you simply put in the domain. As a host, I would love something like that as most pirated boards turn out to be fraud too, so that would allow me to catch fraud from the start plus report a pirated domain to xF.
 
Let me tell you how low.

Given the 1000 limit per IP per day.

If you used that 1000 limit, on every single IPv4 in existence, it would take you approximately 800 million years to go through every key possible.

Like I said. Good luck :)
You're not thinking outside the box....

Someone legitimately buys a copy of XenForo (preferably more than one or has others willing to help). They in turn generate a few keys (using your API). In turn they are able to decode the algorithm. From there they make a keygen.

Your IP limit is a moot point.
 
If you want to extend this API for possible "call home" checks of add-ons, there has to be a way for INSTALLED add-ons to automatically retrieve the current validation_token of the XenForo site they are installed on.

However there never will be a 100% piracy-proof security.
 
You're not thinking outside the box....

Someone legitimately buys a copy of XenForo (preferably more than one or has others willing to help). They in turn generate a few keys. In turn they are able to decode the algorithm. From there they make a keygen.

Your IP limit is a moot point.

You assume the generation of the key is based upon predictable or static components ;)

You could have a million keys, it won't help you work out a formula to generate them.
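
Added example (not XenForo's code and not posted by anyone in this thread): a sketch of the properties debated above, namely tokens drawn from a CSPRNG rather than computed from static inputs, one live token per domain, token and domain both required to match, single use, and the suggested 24-hour expiry. The `TokenStore` class, its method names, the hex encoding and the in-memory dict are assumptions; the 80-bit size is chosen because 2**80 equals the token count quoted in the thread.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BITS = 80          # 2**80 == 1,208,925,819,614,629,174,706,176
TTL_SECONDS = 24 * 3600  # the 24-hour expiry suggested in the thread (assumed policy)


class TokenStore:
    """Hypothetical in-memory store; a real service would persist this."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_domain = {}  # domain -> (sha256 of token, expiry timestamp)

    def issue(self, domain):
        # Pure CSPRNG output: seeing other tokens reveals no formula to copy.
        token = secrets.token_hex(TOKEN_BITS // 8)
        digest = hashlib.sha256(token.encode()).digest()
        # Issuing again replaces the old token: one live token per domain.
        self._by_domain[domain.lower()] = (digest, self._clock() + TTL_SECONDS)
        return token

    def validate(self, domain, token):
        key = domain.lower()
        record = self._by_domain.get(key)
        if record is None:
            return False
        digest, expires_at = record
        if self._clock() >= expires_at:
            del self._by_domain[key]  # expired tokens are dropped
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return False
        del self._by_domain[key]  # single use: a replayed token fails
        return True


def years_to_exhaust(per_ip_per_day=1000, ips=2**32, bits=TOKEN_BITS):
    """Years to try every token at the thread's rate limit from every IPv4."""
    return 2**bits / (per_ip_per_day * ips) / 365.25
```

`years_to_exhaust()` returns roughly 7.7e8, in line with the "approximately 800 million years" figure given above.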
 