On Fri, Oct 2, 2020 at 10:08 AM David Rodrigues <david.pro...@gmail.com> wrote:
>
> Hello folks,
>
> Instead of an opcode without a php source file, that I imagine is to
> protect the code itself, why not a method to encrypt phar files (not like a
> password). I do not know if there exists a secure method to decrypt to execute
> only, without revealing the original source code, but maybe it could be done.
> So opcode could be generated based on encrypted phar to give more speed.
>
The flaw with decryption is that the image will have to get the decryption key from somewhere. The history of the DVD industry over the past 25 years has shown that getting that key to an untrusted device and then keeping it secret is much harder than it looks (when people care enough to go after the key, even hardware locks can be made to fail). Or look at the phone industry, even phones with hardware & software locked crypto get broken open.

Note, if the device is trusted, then encryption and decryption are not needed (as you would then be able to trust the device to not give out the source code).

Also, note that reverse engineering (decompiling) raw binaries is a thing (there are tools to do that).

You need to decide on your threat model for your code to decide on how much it is worth to lock your code.

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php