Reputation: 1136
I need to create a licensing server for my application. The application should ping the licensing server and, if the license has expired, stop working. How should it be done securely? I haven't found any articles about this. More exactly, what confuses me is how to prevent an attacker from doing the following:
Look where I make requests (using Fiddler, e.g.)
Create his own server
Point his PC to that server using the etc/hosts file.
Any best practices about this?
Upvotes: 0
Views: 440
Reputation: 4513
You can do this by enabling HTTPS on your server. Your application will need to verify the HTTPS certificate to ensure the remote host is not a fake licensing server.
This article describes the attack you mention, and how it is possible to avoid it using HTTPS.
Here's a useful sample:
Defeating Active Attackers
Verifying the server’s authenticity is key to defeating active attackers. Fortunately, TLS has this covered as well. As you recall, HTTPS is really just HTTP running over TLS. When HTTPS is implemented correctly, here is what happens to active attackers.
Because the legitimate server’s Certificate Authority (CA) verifies ownership of the domain (yourwebsite.com), an active attacker cannot fake the certificate. Encryption prevents the attacker from reading or modifying any intercepted data. In short, the entire CIA triad is satisfied and both passive and active attackers are defeated.
In your case, the roles are slightly different: the user is your application, while the potential attacker is the application user who doesn't want to pay for a license. ;)
Upvotes: 1
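A client-side check along the lines this answer describes, as an added example that is not from the question, the answer or the linked article: it requires a valid certificate for the licensing hostname and additionally pins the server certificate's SHA-256 fingerprint, so a hosts-file redirect to a look-alike server fails even if that machine's owner has added his own CA to the local trust store. The hostname, endpoint path and pinned fingerprint are placeholders (assumptions), as is the "valid" response body.

```python
"""Licence check over TLS: hostname verification plus certificate pinning."""
import hashlib
import http.client
import ssl

# Placeholder: SHA-256 of the DER-encoded licence server certificate,
# computed at build time and shipped inside the application.
PINNED_CERT_SHA256 = {"<hex sha256 of your licence server certificate>"}


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 over the raw DER certificate, as printed by openssl -fingerprint."""
    return hashlib.sha256(der_bytes).hexdigest()


def is_pinned(der_bytes: bytes, pins=PINNED_CERT_SHA256) -> bool:
    """True only if the presented certificate is one we shipped with the app."""
    return cert_fingerprint(der_bytes) in pins


def build_context(ca_bundle_path=None) -> ssl.SSLContext:
    """Strict client context: CA validation, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check used by tests: refuse to run with a weakened context."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def check_license(host: str, key: str, ca_bundle_path=None,
                  pins=PINNED_CERT_SHA256, timeout=10) -> bool:
    """Return True if the pinned licence server reports the key as valid."""
    ctx = build_context(ca_bundle_path)
    if not context_is_strict(ctx):
        raise RuntimeError("refusing to contact licence server with a weak TLS context")
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.connect()  # CA chain and hostname are verified here by the context
        peer_der = conn.sock.getpeercert(binary_form=True)
        if not is_pinned(peer_der, pins):
            raise ssl.SSLError("licence server certificate does not match the pin")
        conn.request("GET", "/license?key=" + key)  # hypothetical endpoint
        resp = conn.getresponse()
        return resp.status == 200 and resp.read().strip() == b"valid"
    finally:
        conn.close()
```

Rotate the pin by shipping the next certificate's fingerprint in `PINNED_CERT_SHA256` before the current one expires, otherwise every client locks itself out at renewal time.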