Enforcing Blacklisted Licenses
2020-09-29 John Poulson
It doesn’t happen often, but it is possible that license containers can be lost, stolen or broken, and when it does occur, the ISV is faced with a dilemma: how to reactivate the license quickly to foster good will with the customer while protecting revenue from malicious actors. In these cases, blacklisting is a technique that can help address the dilemma. Blacklisting has been a feature of CodeMeter since the very early days.
This post will discuss the following points about blacklisting:
- What is software license blacklisting?
- Why would you blacklist?
- Who maintains the blacklist?
- How to enforce blacklisted licenses.
What is blacklisting?
In general, a blacklist contains a list of untrustworthy items that should be avoided. In the CodeMeter world, when we talk about blacklisting licenses, we are really talking about blacklisting CodeMeter “containers”. Such a blacklist of CodeMeter containers would include a list of their serial numbers. Any licenses found in blacklisted containers would be removed and/or the containers themselves would be locked.
Why blacklist a CodeMeter container?
Licenses (containers) should appear on a blacklist whenever a customer reports a lost, stolen or broken container. The classic example (probably a Wibu-Systems urban legend) is “my dog ate my dongle”. In such a case the ISV must make a business decision: what to do when a license container is reported lost or stolen? Do you trust the customer implicitly 100% of the time and simply replace the license (container) for free? Or do you make the end user pay the full price for another license? One option for ISVs who use CodeMeter is to provide a free replacement license, but also to add the lost container’s serial number to a blacklist so that the original license cannot be used by either a container thief or an unscrupulous end user. If you no longer have to support lost, stolen or counterfeit licenses, those support costs will not push up the price of your software. And in a way, by employing blacklisting, you are rewarding your honest users.
Who maintains the blacklist?
You maintain the blacklist in your own instance of CodeMeter License Central (CmLC).
Select the “Manage Blacklist” menu option in CmLC.
From the manage blacklist page, you can add, search, and remove CmContainers as you see fit.
More detailed instructions concerning maintaining blacklists can be found in Section 15.3 of the CodeMeter License Central Manual.
Enforcing Blacklisted Items
Licenses in blacklisted containers may be withdrawn or deactivated as described above, and the container itself can be locked (prevented from being used again for any purpose), whenever the container checks in with or activates against your CmLC.
Alternatives
But what about the container that never connects to the Internet? Does the end-user get to use such a license forever? If you have a popular application, then there is a likelihood that bad actors will try to use “lost” licenses (containers) without making payment.
Fortunately, CodeMeter is equipped to handle these offline situations. Checkpoint licenses are one way of handling it, but there are many more possibilities.
For example, the ticket used to activate the original license can be stored in a file, in the registry, or even in a protected data field inside the CmContainer. Then, at set intervals, this ticket is sent to CmLC via the CmLC Gateway API, which allows the local license state to be updated. This is similar to the subscription handling that can be performed when a ticket is presented to CmLC: CmLC looks at the actions of the ticket (which licenses need to be activated, which licenses need to be withdrawn, which licenses need to be replaced), then applies these actions. The renew action follows the replacement action, where the license state is checked to see whether the ‘subscription license’ needs to be activated. The effect is that, even though the original license is a perpetual license, it must continually call home to be renewed. The license is renewed automatically and transparently… unless the container has become blacklisted. You can control how often the “phone home” command takes place.
Another possibility (with optional aid from Wibu-Systems Professional Services) is for the customer to authenticate with their Customer ID; CmLC Gateway then looks up their order/ticket history and performs the same workflow as above (confirm license state, apply replacement/new license). Again, as long as CmLC Gateway transmits something from the customer, such as the Customer ID or the ticket, CmLC can be queried as to which licenses belong to that customer and whether a license needs to be deactivated.
Another use case is that the application, upon detecting Internet access, performs a call home to check the license state. We have an excellent webinar on how to handle lost licenses here.
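The phone-home workflow described above, modelled as an added example (this is not CodeMeter or CmLC Gateway code, and the serial numbers, ticket strings, renewal interval and the `LicenseServer` stand-in are constructed for illustration): the client keeps its activation ticket next to the license, presents it at intervals, and applies the returned actions; a container on the blacklist gets its license withdrawn and is locked, while a container that never calls home simply runs out its renewal window.

```python
"""Model of periodic phone-home renewal against a container blacklist.
Constructed example: serials, tickets and the server are stand-ins, not
the CmLC Gateway API."""
from dataclasses import dataclass

RENEW_INTERVAL = 7 * 24 * 3600   # assumed phone-home cadence, in seconds


@dataclass
class LocalLicense:
    container_serial: str   # serial of the CmContainer holding the license
    ticket: str             # activation ticket stored beside the license
    valid_until: int        # renewal deadline: perpetual license behaves like a subscription
    active: bool = True
    locked: bool = False


class LicenseServer:
    """Stand-in for CmLC: maps tickets to the container they were activated in
    and keeps the blacklist of container serials."""

    def __init__(self, tickets, blacklist=()):
        self.tickets = dict(tickets)      # ticket -> container serial
        self.blacklist = set(blacklist)   # blacklisted container serials

    def actions_for(self, ticket, container_serial):
        """Return the ordered action list the client must apply."""
        if self.tickets.get(ticket) != container_serial:
            return [("withdraw", "ticket not bound to this container")]
        if container_serial in self.blacklist:
            return [("withdraw", "container blacklisted"),
                    ("lock", "container blacklisted")]
        return [("renew", "license state confirmed")]


def phone_home(lic, server, now):
    """Present the stored ticket and apply the server's actions locally."""
    for action, _reason in server.actions_for(lic.ticket, lic.container_serial):
        if action == "withdraw":
            lic.active = False
        elif action == "lock":
            lic.locked = True
        elif action == "renew":
            lic.valid_until = now + RENEW_INTERVAL
    return lic


def license_usable(lic, now):
    """Local check performed by the protected application at start-up."""
    return lic.active and not lic.locked and now <= lic.valid_until
```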
Summary
In the real world, licenses can break. In the case of CmDongle containers, this situation is very rare since the MTBF (Mean Time Between Failures) is measured in millions of hours. In the case of CmActLicense containers, files can become corrupted, but since our license files have redundant copies hidden in various places, this has also become rare. But things do get lost, and sometimes modern PCs do need to be reformatted to get rid of viruses, etc. When that happens, Wibu-Systems recommends, as a best practice, to go ahead and trust your users and replace licenses… but also blacklist the original container.
Contributor
John Poulson
Sr. Account Manager
A senior manager and well-respected security industry expert, John has worked in business development and sales for Wibu-Systems USA since 2001. When not consulting with customers on software licensing and protection solutions, John attends industry trade shows and conferences to stay abreast of the latest developments in the IT world. Prior to Wibu-Systems, John worked for Micro Security Systems, Eagle Data, and Griffin Technologies, all pioneers in software security.
Over the years, John has authored several blog articles on topics of general interest in cryptography as well as monetization of embedded systems in new and innovative ways.