Here is a great question:
Does anyone encrypt their templates anymore? Someone once told me this was a good practice to do on production servers.
First off - I don't think this is a good idea for production servers per se. The idea behind encrypting templates was to protect your intellectual property. So for example - one could write a custom tag, encrypt it, and share it with the world. Of course, the Open Source Zealots would be down your throat (grin), but it was an option. Unfortunately, the encryption used to encrypt templates wasn't very strong. It was broken years ago. It would stop honest people, but then again, honest people respect copyrights anyway. CFMX7 allows for sourceless deployment - so that is an option.
To be honest - I don't worry about it. All of my code is free, period, I just guilt folks into buying crap from my wish list. In theory someone could steal my code and put their name on it - but I'd be willing to bet it would be noticed. At the company level, Mindseye uses a contract to control our intellectual property. Also, many of our ColdFusion-based clients actually like to be able to modify the code. So my gut answer is to tell you to either use the law - or don't worry about it.
I'd be very curious to see if any of my readers still worry about encrypting templates.
Archived Comments
I have to encrypt for some applications. Mostly to keep those who shouldn't touch anything from touching things. It will not keep anyone out who really wants to see the code, which is well understood. If I wasn't doing product work, and instead just strait development for clients than I wouldn't bother with the encryption. It is really only valuable for those making resellable applications with CF where they need to have at least <b>some</b> protection over the license or code.
What I hate and really surprises me is that dreamweaver will break the encryption even if they don't change the files and simply open the files. I think DW doesn't realize they are encrypted and thus shouldn't be ftp'd up as a text file.
I would love to know more about the sourceless deployment though. Is that enterprise only? This is something I meant to look into a while ago, and have just been to busy to touch.
I think it pays to write completely unmaintainable code. Sure they can see it, but can they ever figure it out??? Here are some rules to follow:
http://thc.org/root/phun/un...
(and yes I am kidding, but I have been looking for an excuse to post that old classic!)
In all seriousness, I think in most cases Ray's philospohy is usually enough. For when it isn't, there is sourceless deployment, but that requires Enterprise version on both ends which is not always an option either.
From what I understand BlueDragon offers some type of template encryption, but I have no specific knowledge of how that works, and again you would have to make sure the recipients were running BD too.
I encrypt the hell out of everything. Then i encrypt it again just to make sure. I'm not even sure I want to share this comment right now. Just in case someone thinks they can copy the rest of this post as their own... ¤”>òå.Û{D¡xéÿbÍåÿšb…%Jñ}Â<S.s‚.,¬™«¯Zî.¬Ð.©ð®òØ`ú.Ÿ¤®ã.°-½‘.å.lÓݲ-ð" .®ï.6×z|#Ùý™98ºÕ[’ jœœ—÷ÝÄÆ@qÚ›.'ëf¸Ì.7¼aò?sÁ/.·ô øæîmg!€MË• {÷...ƒ
)F+..É#fƒ^â耲‹'^^'wÔqÓ(ËÐÎ]·.#´YS¾˜%.K¿&V.T~NŠxjkù.ˆV£.?-hE2
ä.?+L«ŒZ)..ÃðQŒGÁL®ë.Å›.Š.3òÊü„μÅûŸ
I've said all I'm comfortable saying at this time.
©Emmet McGovern 2005
I think one big reason why encyrption didn't take off was because it was easily broken in pre-MX 7 versions. MX 7 introduced the ability to truly encrypt your templates (and even deploy them as EAR/WAR files), but I think a fatal business decision was made during the Blackstone development cycle to not back-port the code to handle MX 6. Many people have upgraded to MX 7, but many haven't. And to only be able to encrypt your IP for one CF version when you ideally would want to support MX 6.1 as well is a waste. I'm not suggesting it would have been trivial to back-port the code. But this shortcoming, to me, hamstrung encryption and EAR/WAR deployment. Maybe in a couple of years when most people are running MX 7 across the board this feature set will gain new traction. Until then, it's just a "nice to have."
"It would stop honest people..."
...and stupid, lazy people. Never overestimate the stupid, lazy people.