My server provides a service known as “HotLink Protection”. Apparently, it prevents people from accessing my website’s files unless they were directed to the file by my website itself. This would be perfect for what I’d like to do: prevent people from accessing movie files directly from my server (so they can’t share the direct url of the file with friends, etc).
Preliminary tests, performed by myself, indicated that this tool works perfectly. However, I just want to confirm with anyone who has more experience than me, the effectiveness of this tool. Are there any ways around this protection, or is it completely reliable?
It works by looking at the HTTP_REFERRER environement variable, which tells the server the address of a referring clicked link. Since there’s no way (that I’m, aware of) to spoof this externally, it’s about as secure as it’s possible for anything on the internet to be.
I’m no expert on HTTP, but I can’t imagine that spoofing the HTTP_REFERRER would be all that hard to do, but it would require an application other than any of the internet browsers I know of. And that still leaves the question of why anyone would do that just to get at your stuff.
On the one hand, spoofing the HTTP_REFERER [sic] field is in principle an incredibly easy thing to do. On the other hand, if a person is using IE, or some other browser where they don’t have access to its source code, I don’t know an easy way they could spoof it. So 99%+ of all folks on the internet won’t be able to subvert your protection, and 99%+ of the remainder probably won’t give a damn.
What if the downloads cost, say $1 each. What I’m trying to do is protect the files from people who haven’t made the purchase from downloading them, thus they would have a slight incentive to use such programs. Do you guys think this is a problem?
So… you’ve set up some page you can only get to with a password or something, and from there link directly to said files?
That doesn’t sound like a very good idea. Spoofing a referrer agent string is trivially easy (I often download files to my linux box using wget after obtaining the URL from a Windows machine, and sometimes have to do this). Depending on the technical sophistication of your target audience it may work for you, (I don’t think I know of any site where individual files are accessable this way, but if I did, I don’t think it would occur to me to even give that a try) but I’d look in to some other method of properly password protecting the files in question.
Well, I’m trying to figure that out. How else can I protect them?
Even if people were to spoof the urls, they wouldn’t know what the url was until they purchased the movie (or heard from someone else who purchased the movie).
Ah, now that’s quite a different kettle of fish to fry. Or something.
Preventing people from stealing stuff that you put out on the web is a hard problem. If you’re charging people to view your content, then the number of people interested in circumventing your security skyrockets.
You might try using secure http (https) connections in combination with cookies to verify that a particular client should be allowed access to a particular document. While that secures things on the server side better than using the referrer value, there are still ways to circumvent that. This is not even taking into consideration that once someone downloads a given document, there is nothing to prevent that particular document from being forwarded to others.
There are plenty of companies who spend millions of dollars, if not billions, in an attempt to secure digital data. They are mostly successful. That means that they partly fail. You have to gauge how valuable a given dataset is versus how much it would cost to raise the security around it.
That’s one way to do it. The other way is to “hide” the video’s URL by passing the download request through a script. There are several levels of script sofistication; some can be opened with an editor and the real address revealed, some are more resistant to attacks.
A windows program that can spoof Referer tags is the HTTP Interceptor,
Currently, since I’ll be starting small, I’m not too concerned about people stealing the movies (though hopefully it won’t be a huge amount) as it’ll be additional advertising for my site.
I’ll just add this one piece of anecdotal evidence…
Years ago I was running a website and put in an HTTP_REFERRER check to make sure that images did not show up unless they were embedded in or linked to a page on my site.
One of my close friends complained that the images were not showing up for her… I did some logging tests and found out that her browser was not sending anything for the HTTP_REFERRER header at all - either for embedded images or, IIRC, for linked documents. We never did figure out why. She was using internet explorer.
I ended up modifying the check to read ‘if HTTP_REFERRER is from my website or the userID cookie is 22 then show the picture.’ (Where that was her userID.)
(Where that was her userID.)