1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

    Any content, information, or advice found on social media platforms and the wider Internet, including forums such as AP, should NOT be acted upon unless checked against a reliable, authoritative source, and re-checked, particularly where personal health is at stake. Seek professional advice/confirmation before acting on such at all times.

Protecting Against Unwanted Image Linking

Discussion in 'Web Sites of Interest' started by Peter Galbavy, Feb 25, 2003.

  1. Peter Galbavy

    Peter Galbavy Well-Known Member

  2. gazraa

    gazraa Well-Known Member

    this looks pretty good to me and i can see uses for it an ongoing project i'm working on.
    Not being a perl person, and not really a techy developer, could you explain at a slightly higher level what the process of events is when the page is generated and what you actually need on the server.
    i'm just trying to get my head around where the images are stored, and how they are referenced and displayed in the html.
    I work mainly in vbscript for ASP for the sites I build, would this be something easily done in vbscript too?

    hope that made sense :)
  3. Peter Galbavy

    Peter Galbavy Well-Known Member

    Hmm. Pretend it's BASIC :)

    Seriously, the process is somewhat straight forward, but I used perl to express it, as it is the language I am using on the site(s) I develop.

    OK; The principles of HMACs is reasonably well covered on the 'net, so Isuggest hitting Google. I do not know what (if any) APIs and tools are available to you in VBScript.

    The way it works is to generate a token that is compared to another token that is generated when you request the image, and if the two are the same you get an 'OK'. This is the same way that UNIX systems to uni-directional password checking - it is never necessary to 'decrypt' the encrypted data. The secret key is the one component that is not known to the requestor, and is the thing that stops someone generating their own keys.

    As most of my crypto experience is with perl, it is difficult for me to recommend references in other languages. Most of the principles I used came from two O'Reilly books; "Writing Apache Modules in Perl and C" and "Web Security and Commerce, 2nd Edition".

    Give translation to VBScript a go, and feel free to ask questions - either here or in e-mail at any time.

    Peter Galbavy
  4. gazraa

    gazraa Well-Known Member

    ok, i kinda understand the comparing the tokens bit, but the bit that I haven't got my head round is this bit (taken from your demo of it)
    when you've got the image src="http://photasmagoria.com/image/334046db3f41?size=medium&token=51950ef0403be580" how does the html on the client side know that it's an image?

    edit: ok, just realised how it might work. the html just makes requests to the server.. right? so when it requests the image, the perl does it's thing and points it to the right picture.... am i getting warm?

    Does perl have modules that make that possible whereas you'd maybe have to use a dll on a windows box to do the same thing?
    The reason for asking is that I am in the process of building a web site for the camera club i belong to and the main part of the site is the gallery section. One of the requirements is to stop members just posting up any old image that could be 'damaging' to the clubs reputation, so something like this could be of use to solve that.... maybe. I'm also running on win2k servers and can't add anything like a dll or change the perl set up that's currently on them.
    I'll do a bit more digging on google when I get the chance about the "how to's", it's just getting my head round the "how the hell's" at the moment.
  5. Peter Galbavy

    Peter Galbavy Well-Known Member

    Aha. Sorry - You are completely right, and we all know that assumption is the mother of all 'foulup'. I had completely ignored the fact that readers may not be merrily delivering images from a cgi script every day. I will try to update...

    Basically, instead of sending a 'Content-type: text/html' header, I send a 'Content-type: image/jpeg' and then delivery the binary data as per the HTTP spec. TBH I let Apache / Apache::ASP do that using helper functions, but the priciple should be the same:

    send HTTP Headers, including Content-Type and Content-Length
    open image file
    read from file, write to client
    close file
    finish request

    I expect that IIS will have a capability of 'send binary file to client' somewhere, or maybe an 'internal redirect' will work.

    What will NOT work is simply redirecting the browser to an unprotected file URL - that defeats the whole purpose ;-)

    Peter Galbavy
  6. gazraa

    gazraa Well-Known Member

    ah right, that makes things a lot clearer. I never thought of using the content type.
    I'll have to have a play around with what is possible in vbScript, but I shouldn't think it would be a major task. I do have Perl 5, I think, available in the win2k boxes too, so there's always that route too, although learning enough perl may take a bit too long.

    Cheers for the explanations. Any other articles, examples along similar issues would be great to see on your site :)
  7. 0

    0 Guest

    Nice, and -w and strict. You're clearly a man to be reckoned with! Perl's a great scripting language, isn't it?

    The only improvement I'd make to the page would be to add the missing 'p' to "simlicity". :)

  8. Peter Galbavy

    Peter Galbavy Well-Known Member

  9. gazraa

    gazraa Well-Known Member

    Just had a thought where this method of 'protecting' your images may be detrimental to your sites traffic. I'm referring to such things as the image search on search engines such as google.

    Would the method that you are using prevent google from listing your images in it's results?

    Now, I know that the image searches are used a lot by people wanting to 'use' the images for one reason or another therefore this method would do a good job in protecting your images from being found and used, but there may be cases where people are doing searches to see images of a certain subject and that maybe where this method prevents your site from getting those all important visitors.

    Any thoughts on that?
  10. Peter Galbavy

    Peter Galbavy Well-Known Member

    Yep. I actually don't really want automated harvesters hoovering my site and then using *my* bandwidth to make money for themselves. Google, AFAICT, does not do this in the way you describe. They hoover a site and then build their own thumbnails etc. If you look at the image 'in context' then they use frames to contain your own pages et al.

    I haven't looked too hard, but regardless I've achieved my own objectives in full awareness of these kinds of issue. :)

    Peter Galbavy
  11. gazraa

    gazraa Well-Known Member

    i didn't really look into it that much either, i just thought it might be something to give some consideration to. I'm still going to try and implement a similar thing in ASP as the images that are going to be used have to be authorised before they can be displayed on the site, so the authorising routine would sit nicely in the script which serves the image.

    Just out of interest, another question, do you keep the images in a protected directory that can't be browsed to? Or do you just have an obscure directory naming convention so it's not easily found?
  12. Peter Galbavy

    Peter Galbavy Well-Known Member

    For this particular application the image files are outside the normal web document directory and are served by the script open()ing the file (based on the md5-hash filenames) and sending it to the client - so none of the normal Apache style file restrictions matter.

    As a side issue, the updated OpenBSD default Apache chroot()s into /var/www - which I do use, but it might start biting people if they decide to use this excellent OS :)

    Peter Galbavy

Share This Page