How to deliver documents securely on a website?
Community Forums/General Help/How to deliver documents securely on a website?
| ||
| Okay, so in the past I've been a big supporter of not bothering with copy protection of any kind, and we've all debated piracy issues over and over again. But I recently starting volunteering for some people am now tasked with helping to turn their paper-based course materials into digital products. I totally and completely understand, and have stated so myself many times, that absolute protection of anything digital is impossible. But you can protect things from most of the people most of the time, using a variety of means. My main question is, is there any way that I could deliver the document in a web browser and have it not be stealable (as much as possible)? I thought maybe to download images of the pre-generated text, kinda of like the `look inside this book` at amazon.com - however, it didn't take long for me to get access to the images used in their page viewer and to save them off to disk. In the Safari browser I just viewed the page activity, identified which files represented the images of the pages, and hey presto. I thought maybe if there was some way to get imagery to display without there actually being any distinct saveable `images`, like downloading a stream of binary data and converting it into pixel data on-demand, maybe then the user could not save off the image, or use any tool to automate the downloading of the entire document. Of course they can still do a screen grab, but hey. Is there any way to do that? Or more to the point, is there any other way to deliver the document, make it readable and yet make it very difficult to pirate? If not, I'm considering making the document be embedded and heavily encrypted into an executable app, and then trying to pull out all the stops like internet authentication and all that. |
| ||
| 1) Use per-user based logins to see the download page (the download page doesn't exist for other users or non-authenticated users), a simple Readers type field in Domino can do this. 2) Use https:// protocol 3) Encrypt the .rar attachment with a password 4) Make secret download links, so that no bots like google can find and index them (don't publish the links anywhere, except in a mail to the user, and make the link change after some time (maybe 24 hours)) 5) Use Domino web server, and encrypt the database which represents the web site/web page, then nobody can use the files even if they hack into your server 6) Use Debian server with AppArmor and SELinux protection and block all ports in the firewall which you don't need |
| ||
| I thought maybe if there was some way to get imagery to display without there actually being any distinct saveable `images`, like downloading a stream of binary data and converting it into pixel data on-demand, maybe then the user could not save off the image, or use any tool to automate the downloading of the entire document. Of course they can still do a screen grab, but hey. Is there any way to do that? Or more to the point, is there any other way to deliver the document, make it readable and yet make it very difficult to pirate? I'm not sure how much you'd gain with that: since you're depending on the client side to decode the message, any potential cracker already has access to the decoder software as well, especially if you depend on common frameworks like vbscript or javascript to do the decoding for you. There's also standard fileformats that support DRM, like PDF: Those can be restricted to be read-only (not printable), disable copy/paste, restrict a document to a certain timeframe, only allow reading on certain computers, etc. But as long as the content is viewable on the client computer, there will always be a way to capture it, even if it is a screengrab at a time. And remember, just because you're paranoid doesn't mean they're not out to get you. ;-) |
| ||
| The PDF format is pretty much the de-facto standard for protecting documents, though there may be better options available. |
| ||
| Interesting thoughts, thanks. One important part isn't just that users must get restricted access, but also that the document can't be shared with other people once it is obtained. I am guessing that means it has to be tied to the hardware of the computer it is viewed on somehow. Apple's DRM `FairPlay` system seems pretty good at that, although it's been exploited in various ways already. |
| ||
| If you make a copy protection too annoying, it's cracked and pirated more than some conventional copy protection, because even the legal users don't want to use DRM but they rather use a pirated version then. With normal copy protections legal users are OK, and don't get a pirated version instead. |
| ||
| Good point. I don't want it to impose inconveniences on the innocent user. So I guess anything delivered in a web browser is pretty much not secure, right? Besides making files only accessible within a user account page, someone could still steal the account I guess, or a legit user could give it to a pirate for copying, etc. |
| ||
| What you're kina getting at is essentially: "Is there a way to download stuff to read but not to download it?" You see the problem? :) Suggestions as above, though, such as sending links or the passwords for archives/folder access via private emails are good. Ensure perhaps that some form of verified 'registration' is requireed before previews are obtainable. Though this is somewhat inconvenient too (Personally, I hate it!) it's really the best bet to know someone actually wants to view the product. |
| ||
| Yah. Well I thought maybe there was some way to show it in the browser without it being grabbable/copyable (other than screengrab or saving off the files), but I guess not. Things are too open and html based websites were never designed to be `closed`. |
| ||
| Not sure if it#'s much help, but, for example, netfirms.com default all images on their webpages are 'embedded', this at least prevents the context menu (of course the old PrintScreen still works. It also limitsd downloads to a eally tiny size if I recall correctly. Though I believe there are even ways for this to be workedaround due to the nature of browsers downloading content. Embedding such as with videos (a la YouTube) etc. seems to work quite well for the most part I think. |
| ||
| You could create your own executable browser plugin to decrypt and embed information, but the hard part there is to make things compatible with multiple browsers and platforms. |
| ||
| I was thinking about using the Unity3D web player, since it's already got platform support for Windows and Mac... but my concern is I'm not sure whether it would actually run an executable or whether it downloads the sourcecode and interprets/jit-compiles it.... concerned that someone could easily get into the sourcecode and learn the encryption algorithm too easily. If that were not the case it could be a viable option because then I could stream some encrypted data files containing pixel data and show only enough for 1 page at a time. |
| ||
| Or, if a program in a web player is an option, perhaps use Flash to display the texts. |
   |