Plugin Security

Discussion in 'Spigot Plugin Development' started by forseth11, Jul 3, 2016.

?

Should this be implemented for Premium plugins?

Poll closed Aug 2, 2016.
  1. Yes

    38.1%
  2. No

    61.9%
  1. You know that plugins either need spigot or craftbukkit what if the creators of spigot have a list of premium plugins what if the spigot jar searched over the jars and if it finds the name of a plugin that is premium it will require you to login to your spigot account via the console like /login <username> <password>.

    If they fail they can't start the server or the plugin get's disabled.
     
  2. electronicboy

    IRC Staff

    Spigot is open source, Stripping out a protection system like that would be trivial.
     
  3. @Trending_Gamer
    Once again, this would be extremely easy to bypass. In the end it's not worth it and would just be a waste of time.
    The people that illegally download plugins usually can't afford it or just can't be bothered so they're not going to spend their money even if the plugins don't get leaked.
     
  4. Fair enough you may need to focus on the host then to keep the clients in check.
     
  5. Just to put this out there they don't have good whois protection so you are able to contact the owner.

    HTML:
    https://who.is/whois/blackspigotmc.xyz
     
  6. electronicboy

    IRC Staff

    It's not Spigots job to enforce the copyright of others. If you wanna take out sites like that, get together a bunch of plugin owners and file a claim or something.

    What everybody forgets is that Spigot is running of its supporters and donations, and owners retain all legal rights to their plugins. Legal action isn't something Spigot has the right to do for something they don't own,
     
  7. He uses godaddy.
     
  8. Who the hell is 'he'? The owner of some site which contains publicly leaked spigot resources? Take that one site down and more can be made which you won't be able to take down due to them being smart about the law.

    A ton of sites exist where content uploaded on the site is against some kinda eula or tos(Cough, cough private server forums). You can't shutdown the site though. You can contact the owner to remove a thread maybe.
     
  9. When I was on MCM, I sold over 90 copies of a plugin called Staff+. The whole time I had used an extremely simple license key system that literally just checked with a "secret" web server (more like just an encrypted URL with an obscure domain name). Despite how easy the system was to crack, it was never leaked even after users on leakforums begged for a leaked version. I of course made the license key code extremely confusing and had multiple hidden points where the plugin would disable if an unknown key was detected. Despite me making the code hard to remove, all you had to do to "crack" the plugin was just leak a verified plugin folder with its jar.

    Even though it was extremely easy to crack, nobody cracked it and it was never leaked even after selling over 90 copies (the plugin costed $5, so any leakers could buy it easily). I only sold this plugin on MCM so all deals were personal over Skype, but I never really declined selling the plugin to anybody.

    I think that the idea of users removing anti-leak code is not completely likely, considering how stupid a lot of server owners are. Basically, it's just a very short brick wall that a lot of people have no clue how to get over. Even after a person gets a ladder for this brick wall, not everybody will see this ladder and continue with not climbing over it. The people that even know how to get over this brick wall tend to have at least some respect to other developers, considering that they are developers as well. I've had quite a few developers ask me about this system with a lot of interest in it, I pretty much tell them the same thing I am telling you.


    If you are worried about leaking, implement your own system and sell it on a site like MCM (since md_5 does not like license key systems on here). If you have no clue how to implement your own license key system, then you probably shouldn't be selling plugins. Implementing your own system in the end is actually better than having one large distributed system, because systems will vary throughout plugins.
     
    #29 Shortninja, Jul 4, 2016
    Last edited: Jul 4, 2016