Encrypting CFM Files with CFencode

After reading Ben Nadels blog post about a new CF builder Extension for encrypting and decrypting ColdFusion files I thought I would do a companion blog post about the pros/cons of doing so. 

First off I should really say we are encoding them, not encrypting them.  Basically the .cfm or .cfc files become binary instead of ascii text files.   This ends up causing a number of issues which I will get into later.

Long ago Allaire (creators of ColdFusion) created an executable utility to encode CF files. 

You know you have come across such a file if it starts with: "Allaire Cold Fusion Template
Header Size:"  Yes even with CF 8 the encode utility still mentions Allaire.  I haven't tried on CF9 but I have to imagine it still will.  After that will be a seriese of characters like "@¼¤
ÇKŸ}¿Iùz̪" that may go on for a while depending on the size of the file.

So why would someone use this utility?

At first thought you may think this is perfect to protect your intellectual property.  This just isn't the case.  It is VERY easy to decrypt these files back to original source code, as evidenced by Ben's extension.  The decrypt utility isn't by Adobe.  Some other person made it 4 or 5 years ago.  There are probably several of them actually.  A little googling for it should set you down the right path.

It is, however, a barrier to editing files.  If you mostly want to keep people away from modifying core files, and are ok that if they really want to they can, then you can use the utility to protect them.  Why?  As an example lets say you have an app that you need to upgrade regularly on various client installations.  Clients often modify files all over the place.  But if they can't easily, they then look to your config files instead (where they are supposed to add their custom code).  This way you can make your upgrades much easier on both of you.  This also means you have to have created a pretty flexible and extensible program so that your clients can still do what they need.

So why would you NOT use this utility?

It is a barrier.  While that can be good for you, it also means that clients can't see your code to help you fix bugs, or make enhancements, or simply better understand their product. 

It also makes life difficult when using some FTP clients.  You see as a binary file programs like Dreamweaver simply break it when uploading to a server.  They send it as ASCII and what you end up with is the content of the gibberish file shown on the page instead of rendering.  Dreamweaver seems to be the big culpret here, but other ftp clients can cause this as well.  You know that Dreamweaver feature that uploads 'related' files?  Yup, it can upload encrypted files you didn't mean to upload causing all kinds of issues. 

Bottom line: There are good reasons why most people don't use the utility.  It doesn't prevent people from seeing your code.  It can cause issues with some ftp clients.  Lots of companies require sourcecode these days as well.  However if you need to have general protection against clients or end users changing a core file that you know needs to be upgraded later it can be a means to force that protection.