Sublime Forum

Sublime Text calling home to license.sublimehq.com on every start?

#1

So Sublime is calling home to license.sublimehq.com 10 seconds after every start.

Full request URI:

http://license.sublimehq.com/check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx

The call home has been firing since at least build 3132.

I’m pretty angry about this. Is this an expected request that Sublime is making, or is there something wrong with my installation?

The request:

Hypertext Transfer Protocol
GET /check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx HTTP/1.0\r\n
    [Expert Info (Chat/Sequence): GET /check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx HTTP/1.0\r\n]
    Request Method: GET
    Request URI: /check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx
        Request URI Path: /check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Request URI Query: n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx
            Request URI Query Parameter: n=xxxxxx
            Request URI Query Parameter: b=xxxx
            Request URI Query Parameter: m=xxxxxxxxxxxxxxxxxxxxxx
    Request Version: HTTP/1.0
Host: license.sublimehq.com\r\n
User-Agent: sublime-license-check/3.0\r\n
\r\n
[Full request URI: http://license.sublimehq.com/check/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?n=xxxxxx&b=xxxx&m=xxxxxxxxxxxxxxxxxxxxxx]
[HTTP request 1/1]
0 Likes

#2

Yes, Sublime Text does a check to see if the currently-installed license has been revoked. This allows things like refunds, and preventing the spread of compromised license keys. Unfortunately we don’t currently have a reliable way to use SSL for TLS in C++ on Linux, so it will use HTTP on Linux, and HTTPS on Mac/Windows.

1 Like

#3

This seems like an odd thing to have in Sublime. To the user, registration offers three benefits:

  1. No occasional nagging.
  2. Access to dev builds.
  3. The warm feeling of knowing you’re not abusing Sublime’s remarkably gracious evaluation trial.

If a user is pirating Sublime, they presumably don’t care about (3). Revoking (2) doesn’t require phoning home; new builds presumably include a list of pirated/refunded license keys. So by pirating Sublime, a user would eliminate the occasional nag message in exchange for being unable to upgrade to newer versions.

I don’t doubt that a number of unscrupulous users will do that anyway, if for no other reason than they can. What I do doubt is that deactivating a pirated copy would persuade its user to purchase a license instead of simply using an up-to-date unregistered version.

On the other hand, a lot of users have very strong opinions about software that phones home unnecessarily. The idea that an existing piece of software could stop working based on the unilateral decision of a third party is very concerning to many developers. This is true even if that third party is generally trusted and well-regarded – it adds an extra point of failure that provides no value to legitimate users.

Right now, this measure can (I presume) be easily circumvented by blocking the HTTP request on the client side. This means that an unscrupulous party distributing pirated license keys could just as easily distribute directions or a script to circumvent it. The only way around this is to require online activation, which some users would find unusable in practice and many, many more would find objectionable in principle.

I can only provide my own perspective here, along with some reasonable guesses as to how others might react. I don’t know the underlying business case, and it’s possible that you have information indicating that this would be beneficial in some way that is not apparent to me. But based on my understanding of the situation, I see substantial risk for uncertain benefit.

4 Likes

#4

That means you leave open all previous builds to compromised keys, and allow a user to use any released version (or older) if they get a refund.

I guess it all depends on your definition of unnecessary. Checking to see if a license is legitimate seems like a reasonable thing to do.

We definitely favor our users, and paid users with a license key won’t lose the ability to run the software.

Fighting piracy comes down to making it a pain to pirate, and easier to be licensed. The really nasty systems get in the way of legitimate uses, and heavily restrict what you can do. I think the more reasonable systems make a point of not getting in the way of legitimate uses.

2 Likes

#5

Would it be easy to sign the license file once server-side, and then the app could simply validate locally that the signature is valid? The same way Powershell scripts cannot run if they aren’t signed by a trusted publisher.

This is simple curiosity; I really don’t care about apps calling home.

EDIT: oh but that doesn’t handle revocation. I did not think this through.

0 Likes

#6

I guess it all depends on your definition of unnecessary. Checking to see if a license is legitimate seems like a reasonable thing to do.

Well, that’s the crux of the issue. It’s of no value to legitimate users.

Again, the upside seems to be that unscrupulous unregistered users who are already committed to never updating Sublime would have to perform a trivial workaround in order to continue avoiding a nag dialog. The downside is offending large numbers of actual and potential users. As to whether that offense is justified, I venture no opinion; the fact is, a lot of users are going to have very strong negative opinions. It is a certainty that this measure will keep some users from buying a license, and it’s not obvious that it will cause any pirates to buy one instead.

I have no personal stake in this; on one hand, I’m a registered user, and on the other I’ve already blocked connections to the licensing server. And as I said before, I have no insight into whatever business data has impelled this move. It may be that these concerns are and ought to be overridden by clear evidence that this new measure will help rather than hinder Sublime’s continued success. Either way, I’ve said my piece, you don’t owe me any further explanation, and I don’t mean to start an argument.

1 Like

#7

I would say it’s of no negative value to legitimate users.

It is normal, expected, and the poster got ‘angry’ for what is basically a non-issue.

Maybe change it to check once a week, so paranoid people can worry about some other company.

1 Like

#8

I thought it was every 10 seconds, then I went to check, but now I see it is only once, 10 seconds after Sublime Text starts.

@gerry, are you angry about the check being in HTTP instead of HTTPS?

If I understand correctly, anyone intercepting your connection can steal your Sublime Text license. I wonder what kind of licence theft trouble this has already done with Linux users.

Now knowing this, I would not put (or perhaps think twice before putting) my licence on a Linux machine. Hopefully I have never done it. Ironically, while on Linux machines, I had already been using the latest stable version available for testing without my license.

0 Likes

#9

No, we hash the license signature before transmitting.

2 Likes

#10

Mmm, two questions, then:

  • what happens if working in an environment with no internet access?
  • what about privacy (i.e., what happens with the collected data, things like that)?

0 Likes

#11

Sublime Text will work exactly the same with or without an internet connection.

Jon Skinner and myself are the only people with access to the server, and the information is only used to see if a license has been revoked between when the build was released and the current date/time.

1 Like

#12

Ok, thanks.

0 Likes

#13

It’s a privacy issue. It only being HTTP just exacerbates the issue.

I think for it to be dismissed by people as a non-issue is complete nonsense.

2 Likes

#14

I’m not particularly upset about this feature, I’m just kind of confused that it exists. My gut says that the Venn diagram between “users who are interested in using Sublime’s development builds but can’t/won’t purchase a license key of their own” and “users who know how to edit a HOSTS file and block a domain” is roughly a circle. This “call home” doesn’t get in the way of legitimate users, which I appreciate, but I’d be impressed if it had any significant impact on the piracy rate of the software.

0 Likes

#15

[quote=“botoggle, post:14, topic:33474”]I’d be impressed if it had any significant impact on the piracy rate of the software.
[/quote]

Well, it is like a lock on your house. A knob lock, or even basic deadbolt isn’t going to stop someone determined to get into your house, but helps “keep honest people honest.” A combination of various mechanisms makes it less trivial to pirate, and pushes users towards being a customer.

4 Likes

#16

I don’t really like this. For one, as gerry rightly states, it is a privacy issue. Whoever is able to look at this data is irrelevant; it matters that someone is. But also, introducing DRM is a statement. It speaks loud and clear, and what it says is “I don’t trust my paying customers”.

1 Like

#17

Almost ALL of the software on your machine is making some sort of contact with its parent company to check for licenses and updates.

1 Like

#18

Why not just build some fast read-only set of compromised/revoked license hashes into the .exe itself and check it only on upgrade (once, then remember the key is OK). This is what some software does, it does not require phoning back home, and it is IMHO enough.

Anyway, if you want to do it right and super-tight, you’d need to enforce DRM (Internet connection); otherwise this license check makes no sense, because one can always block license.sublimehq.com on a firewall, or redirect it to some bogus local server, and ST will run with a revoked key.

Phoning back home to check the license every time the app starts is pretty bad; I often open/close it several times a day, etc. This makes me worry about my privacy, since you can definitely identify me with the hash of my license.

Or putting this in other words: if you don’t trust me (you check my license), why should I trust you (not to misuse this tracking data)?

1 Like
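The offline scheme sketched in #5 (vendor signs the license once, the app verifies the signature locally) and #18 (a revocation set compiled into the build, checked without any network call), combined with the point in #9 that only a hash of the signature ever needs to leave the machine, as an added example. This is illustrative code, not Sublime's license format or implementation; the payload layout, the `Issue`/`Validate` helpers and the Ed25519 choice are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// License is the blob the vendor signs once, server-side (hypothetical format).
type License struct {
	Payload   []byte // constructed, e.g. "user=alice;max_build=3200"
	Signature []byte // ed25519 signature over Payload
}

// Issue signs a payload with the vendor's private key (server side only).
func Issue(priv ed25519.PrivateKey, payload string) License {
	return License{Payload: []byte(payload), Signature: ed25519.Sign(priv, []byte(payload))}
}

// SignatureHash is the only value that would ever need to leave the machine:
// a SHA-256 of the signature, not the license or the key itself (post #9).
func SignatureHash(l License) string {
	sum := sha256.Sum256(l.Signature)
	return hex.EncodeToString(sum[:])
}

// Validate runs entirely offline: the signature must verify against the vendor
// public key embedded in the binary, and its hash must not appear in the
// revocation set compiled into this build (post #18). A tampered payload fails
// the first check; a leaked-and-revoked key fails the second.
func Validate(pub ed25519.PublicKey, l License, revoked map[string]bool) bool {
	if !ed25519.Verify(pub, l.Payload, l.Signature) {
		return false // forged or edited license
	}
	return !revoked[SignatureHash(l)]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair (constructed)
	good := Issue(priv, "user=alice;max_build=3200")
	leaked := Issue(priv, "user=mallory;max_build=3200")
	// Revocation list shipped with the next build, keyed by signature hash.
	revoked := map[string]bool{SignatureHash(leaked): true}
	fmt.Println(Validate(pub, good, revoked))   // true
	fmt.Println(Validate(pub, leaked, revoked)) // false
}
```

Because revocation data only arrives with a new build, this scheme has exactly the gap #5's edit notes: a key revoked after a build ships stays valid for that build until the user upgrades.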

#19

Hmm, I guess I don’t really like this particular feature, sorry. I have a valid license. But I don’t like software which calls home (the argument that other software does so as well is void!).
I will simply add license.sublimehq.com to my hosts file and disable the communication and see what happens.
Why did you guys add that feature? for years it was unnecessary. Good thing that gerry saw this.

0 Likes

#20

I described above that it allows us to provide refunds and revoke licenses that have been shared. Basically, it is an extra layer that helps slow down the spread of pirated licenses, especially in regards to unlocking development builds when a user does not possess a legitimate license. We are not tracking users in any way – honestly we have enough to do in developing the product that tracking just wouldn’t make sense.

1 Like