Thanks Sylvain for all that info. It gives me more to think about.



>Maybe I'm going way too far with this, but I see this problem: for this to work, the file would need to be world-writable, unless you can put in some form of authentication. So what's to prevent me from trashing your file, or better yet, change my 1 back to a 0 so I can install again?
>
>How about a nice DoS attack: overwrite your file with a "small one", like with a 100Gb one? (not that I actually need to have a file that big: I can write a little program in Perl that will create such a file on-the-fly)
>
>And if you thought about just not telling me the URL to this file, I can tell you that sniffers on the wire can do wonders! :)
>
>I don't think you'll be able to get yourself out of a web application! :)
>
>Oh, and you might want to consider this as well: if your web application simply returns something like 0 (ok, go ahead) or 1 (nope, cancel install), and the URL is, say, http://www.denischasse.org/antipiracy/authprg?serialnumbergoeshere, it's easy to add an entry into the Hosts file to point www.denischasse.org to my Linux box and create a little Perl script that returns 0 no matter what the serial number is (or to an NT webserver with a equally simple ASP page). So basically, it would be trivial to fool such a technique. Not that anyone can do it: most people barely know where the power switch is!
>
>To avoid even this one, you'd have to use take something relatively unique (like the current datetime), do some calculation on it on both the server and the client, and then the server returns this new string, which the client compares with its own version. If the two matches, go ahead, otherwise stop.
>
>Then there's always the possibility of breaking your encryption by looking at the code with Refox...
>
>So how far are you willing to go? :)
>
>>Ok so perhaps a variation could be done on it.