Fog Creek Software
Discussion Board

Welcome! and rules

Joel on Software

User ID code

I know that obfuscation can be done to .NET code, but as we start development in .NET, we wonder if the IL code can be protected enough to prevent reverse engineering user id verification.

What else, besides obfuscation, have you done to secure such things, if at all?

Friday, March 28, 2003

You could write it in unmanaged code (say, C++) and call it using P/Invoke or IJW. But I personally find x86 pretty easy to read, and a determined hacker isn't going to be stopped.

Brad (
Friday, March 28, 2003

Can you describe your authorization algorithm and authorization needs in more detail?  Perhaps we can come up with a better scheme.

A well designed authorization algorithm is one where you could plaster the source code on your web page and still no one would be able to break it. 

Do not rely on obfuscators! The number of attackers who must do the hard work to write a deobfuscator is _one_, provided that they then distribute their deobfuscator widely.  "Secrets" stored in shipped object code are _not secrets_.


Eric Lippert
Wednesday, April 2, 2003

*  Recent Topics

*  Fog Creek Home