Question

I have a website that was written using .NET stack technologies. It is accessible via the internet. Some of my potential (Enterprise) customers want me to install the whole website on their own VM, and we agreed with them that the website will live on their VM for only one month (enough time to test its functionality). They want to install the website locally because it works by processing specific files that the customers don't want to upload via the internet. My worry is to protect a few years of development from being stolen and reproduced. If the potential customers become Enterprise customers, then we'll sign a EULA license and I'll remove licensing from the website on their server entirely.

The first thing I decided to do is to protect the source code by applying obfuscation. The second thing is to modify the website to work somehow with a license file (probably the customer VM will be offline, without access to the internet). The main restrictions of the license are: it is not allowed to move the website to other VMs (I need somehow to bind it to a machine ID), and it should stop responding to all incoming requests after the trial period (it could be any period), maybe just responding with a specific HttpStatusCode, like Service Unavailable.

I'm a skilled programmer but I didn't do such things before and I can implement my own license option. But I want to be sure about security and performance.

Could anyone provide the best practices they faced to implement what I need? Thanks.
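One way the check described in the question could be wired into an ASP.NET Core request pipeline, as an added example that is not code from the question or the answer. It assumes a license file laid out as a base64 signature line followed by a JSON body (`{"MachineId":"...","ExpiresUtc":"..."}`), signed with a vendor RSA key whose public half is embedded as a placeholder PEM, and uses `Environment.MachineName` as the machine ID; all of these are assumptions, not details from the page.

```csharp
// Added example: ASP.NET Core middleware that enforces a signed, machine-bound, expiring license file.
// Assumed file layout (not from the question):  <base64 RSA-PSS signature>\n<JSON body>
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// JSON keys must match these property names exactly (System.Text.Json is case-sensitive by default).
public sealed record License(string MachineId, DateTime ExpiresUtc);

public static class LicenseCheck
{
    // Placeholder: the vendor's real public key goes here; the private key never leaves the vendor.
    const string PublicKeyPem = "-----BEGIN PUBLIC KEY-----\n...PLACEHOLDER...\n-----END PUBLIC KEY-----";

    // Returns the parsed license only if the signature over the JSON body verifies; otherwise null.
    public static License? Load(string path)
    {
        var parts = File.ReadAllText(path).Split('\n', 2);
        if (parts.Length != 2) return null;
        byte[] sig = Convert.FromBase64String(parts[0].Trim());
        byte[] body = Encoding.UTF8.GetBytes(parts[1]);
        using var rsa = RSA.Create();
        rsa.ImportFromPem(PublicKeyPem);
        if (!rsa.VerifyData(body, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss)) return null;
        return JsonSerializer.Deserialize<License>(parts[1]);
    }

    // A license is usable only on the bound machine and before its expiry instant (UTC).
    public static bool IsValid(License? lic, string machineId, DateTime nowUtc) =>
        lic != null
        && string.Equals(lic.MachineId, machineId, StringComparison.OrdinalIgnoreCase)
        && nowUtc < lic.ExpiresUtc;
}

public static class LicenseMiddleware
{
    // Usage in Program.cs: app.UseLicenseGate("/opt/site/license.lic");
    public static IApplicationBuilder UseLicenseGate(this IApplicationBuilder app, string licensePath) =>
        app.Use(async (HttpContext ctx, Func<Task> next) =>
        {
            // Re-read per request so a renewed file takes effect without a restart; cache with a short TTL if needed.
            var lic = LicenseCheck.Load(licensePath);
            if (!LicenseCheck.IsValid(lic, Environment.MachineName, DateTime.UtcNow))
            {
                ctx.Response.StatusCode = StatusCodes.Status503ServiceUnavailable;
                await ctx.Response.WriteAsync("Trial license missing, expired, or bound to another machine.");
                return;
            }
            await next();
        });
}
```

The signature stops the license file itself from being edited, but the expiry and binding still depend on the host clock and hostname, both of which the VM owner controls, which is the limit the answer below describes.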


Solution

In order for your code to be useful, it needs to be executed. In order to be executed, it needs to be understood by the CPU.

CPUs are much stupider than humans, therefore, if it can be understood by the CPU, it can be understood (read: reverse engineered) by a human.

If you don't want people to access your code, there are two possibilities:

  1. Don't give them your code. (The "Google Model".) Host the application on your own server on your own premises and only offer access over a narrow, well-defined API.

  2. Give them a black box. (The "XBox model".) Design and build your own computer with your own CPU, firmware, motherboard, hardware, Operating System, boot loader, drivers, etc. that is locked down and protected from reverse engineering and tampering. Only deliver your application pre-installed on such a box.

    Note that this is harder than it looks. E.g. gaming console manufacturers employ some of the most brilliant security specialists and cryptographers in the world, and yet, their consoles get invariably broken.

There is, however, a much simpler solution!

What you are describing in your question is a crime. So, if you don't do business with criminals, you will be fine. Just make sure you have an open, fair, close relationship with your customers, and you offer them something of value.

If you are an open, fair, and reliable partner who offers high-quality services, then people who steal your software will lose all of that. Make sure that you are someone whom people don't want to lose as a partner.

Many, many years ago (maybe 15 years), I read a blog post by Chris Randall, co-founder and co-owner of Audio Damage, Inc. where he explains why their company, which is operating in a market where copy protection is the norm, does not, has never, and will never employ copy protection, why they offer a free trial period, and why they offer a no questions asked full refund policy even though they know that this means you can just buy their products, then get your money back, and keep using them forever.

Unfortunately, that article seems to have vanished from the WWW, but I just checked, and Audio Damage Inc. is still going strong, still uses no copy protection, and still offers free refunds. So, clearly, that strategy has not hurt them. The reasoning given in that blog post was similar to what I described above, with some added reasoning: developing copy protection takes time and resources, and any second spent developing copy protection is time you don't spend on making your product better or fixing bugs. Also, someone needs to pay for the time and resources spent on the copy protection, and since the people stealing your software are not paying for it, that means that your honest customers are the ones paying for the copy protection. And lastly, copy protection adds complexity, and thus a potential for bugs. The only people that get hurt by those bugs are your honest customers.

Licensed under: CC-BY-SA with attribution