Open Strandedpirate opened 10 years ago
Since the user controls the machine, they can lie to us as they wish. You can't trust the machine, you can't trust the code.
We do use NTP for time checks, see: https://github.com/ayende/rhino-licensing/blob/master/Rhino.Licensing/SntpClient.cs
Oren Eini
On Thu, Sep 4, 2014 at 12:49 AM, Strandedpirate notifications@github.com wrote:
Looking through the code, it shows that Trial licensing relies on the local computer's time to validate expiration, which is easily circumvented with programs like RunAsDate. Validation of date/time should always occur using a time server, although I question if even that is proper because one could write one's own UDP server and redirect NIST traffic to it.
Perhaps there is a better way to validate date/time for trials. Thoughts?
    bool result;
    if (LicenseType == LicenseType.Subscription)
        result = ValidateSubscription();
    else
        result = DateTime.UtcNow < ExpirationDate; // bad

    if (result) // this should be if (LicenseType != LicenseType.Subscription)
        ValidateUsingNetworkTime();
    else
        throw new LicenseExpiredException("Expiration Date : " + ExpirationDate);
Looking through the code, it shows that Trial licensing relies on the local computer's date/time to validate expiration, which is easily circumvented with programs like RunAsDate. Validation of date/time should always occur using a time server, although I question if even that is proper because one could write one's own UDP server and redirect NIST traffic to it.
Perhaps there is a better way to validate date/time for trials. Thoughts?
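A sketch of the combined check this thread is discussing, added here as an illustration and not taken from Rhino.Licensing: it compares the expiration date against both the local clock and a network time source and reports when the two disagree. `TrialClockCheck`, `TrialStatus` and the injected time delegates are hypothetical names, and since both time sources are reached from a machine the user controls, the result shows inconsistency between them rather than proving the real time.

```csharp
using System;

// Added illustration; not Rhino.Licensing code. All type and member names are hypothetical.
public enum TrialStatus { Valid, Expired, ClockSkewDetected, NetworkTimeUnavailable }

public sealed class TrialClockCheck
{
    private readonly Func<DateTime> _localUtcNow;
    private readonly Func<DateTime?> _networkUtcNow; // returns null when no time server answered
    private readonly TimeSpan _maxSkew;

    public TrialClockCheck(Func<DateTime> localUtcNow, Func<DateTime?> networkUtcNow, TimeSpan maxSkew)
    {
        _localUtcNow = localUtcNow;
        _networkUtcNow = networkUtcNow;
        _maxSkew = maxSkew;
    }

    public TrialStatus Check(DateTime expirationUtc)
    {
        DateTime local = _localUtcNow();
        if (local >= expirationUtc)
            return TrialStatus.Expired;                 // the local clock alone already says expired

        DateTime? network = _networkUtcNow();
        if (network == null)
            return TrialStatus.NetworkTimeUnavailable;  // caller decides: grace period or refuse
        if (network.Value >= expirationUtc)
            return TrialStatus.Expired;                 // local clock is behind the network time
        if ((network.Value - local).Duration() > _maxSkew)
            return TrialStatus.ClockSkewDetected;       // clocks disagree; worth logging

        return TrialStatus.Valid;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values: trial expired on 1 Oct, local clock set back to 4 Sep.
        var expires = new DateTime(2014, 10, 1, 0, 0, 0, DateTimeKind.Utc);
        var realNow = new DateTime(2014, 10, 5, 12, 0, 0, DateTimeKind.Utc);
        var rolledBack = new DateTime(2014, 9, 4, 12, 0, 0, DateTimeKind.Utc);
        var check = new TrialClockCheck(() => rolledBack, () => (DateTime?)realNow, TimeSpan.FromMinutes(10));
        Console.WriteLine(check.Check(expires));
    }
}
```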