Author Topic: Pic Security  (Read 39285 times)

Offline Chris

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 4.487
  • Did u ever stop to think and then forget to start?
    • View Profile
Pic Security
« Reply #15 on: February 18, 2003, 05:30:48 PM »
Quote from: Nossie
especially when it can be evaded by using print screen... or some other form of screen capture that doesn't use keypresses (or product keys)

If the visitor is using IE 5.x or higher, there is a solution to the dreaded screen print.  Open the details.html template and add this to the top:
Code:
{header}

<script language="JavaScript" type="text/JavaScript">
  window.setInterval("window.clipboardData.setData('Text','[The clipboard is temporarily disabled. To restore normal function, simply close the web browser currently viewing a full size image at {site_name}]')",20);
</script>

This code sets the clipboard data to the text message "clipboard is temporarily disabled" every 20 milliseconds.  This will also block the capture function of any software that uses the system clipboard, which is all of them in my experience.

I've tested this under MS Windows, not sure about Macintosh.  I'd estimate 85% of my visitors are using MS Windows and IE 5.x or higher so this is a fairly effective javascript.

According to http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp the following code is supposed to clear the clipboard of any image data.  This allows the user to retain the ability to copy and paste text, URL, file and HTML data.
Code:
window.setInterval('window.clipboardData.clearData("Image")',20);
At one time a couple days ago, I had this working.  The user couldn't screen capture to the clipboard but could still cut and paste text.  Since then I haven't gotten it to work.  The clearData('Image') method just clears all data.  Not sure what I'm doing wrong and it's probably something to do with my other javascripts.  In any case I present it here for everyone's benefit.

Just thought I'd share what I've learned recently.

Offline Nossie

  • Jr. Member
  • **
  • Posts: 67
    • View Profile
    • GothicWinter.Com
Pic Security
« Reply #16 on: February 18, 2003, 05:42:08 PM »
one thing though Chris...

I like that idea, but I know a lot of programs that can prevent javascript from operating.

So that would be MY way around that  :)
MOTD: LINUX IS LIKE A WIGWAM - NO WINDOWS, NO GATES, APACHE INSIDE !!!

Offline Chris

Pic Security
« Reply #17 on: February 19, 2003, 12:59:12 AM »
Hey I'm not saying we can totally and completely prevent images from getting snagged.  That's an impossible task given the nature of the http(s) protocol.  I should know since I make my living as a computer programmer and software architect.  In fact all you'd have to do is use a browser other than IE which is what I stated; one like Mozilla, Netscape or Opera.  I can also think of a dozen other techniques and software that would accomplish the same thing.  

But given that 85-90% of my visitors are using a browser in which this will work and that maybe 0.5% might be technically minded, I think it's worth implementing for my site.  I also display the details page in a browser with no chrome (toolbars, menus, access to bookmarklets, etc) so you'd have to use a 3rd party tool to see the source code to figure out it was a javascript that was doing this.

I'm just sharing little things people can do to discourage image theft.  It's been said, and rightfully so, that locks only keep out honest people.  A thief will always steal what they want.  :wink:

Offline Nossie

Pic Security
« Reply #18 on: February 19, 2003, 01:05:23 AM »
Quote
Hey I'm not saying we can totally and completely prevent images from getting snagged.


why do I get a feeling of dejavu (even if I cant spell it lol)?

I never meant that comment in a bad way... sorry...

nother nice way to stop the not so techie minded from thievin images :)

Offline Chris

Pic Security
« Reply #19 on: February 19, 2003, 01:49:18 AM »
Quote from: Nossie
I never meant that comment in a bad way... sorry...

No problem.   :lol:  

Here's another:

Use javascript to decrypt a PHP encrypted image link and document.write it to the page.  Use the <noscript> tag to point to a web site logo.  If the user disables javascript, they only get to see the logo and not the image they wanted.  Effective for me since I use a chromeless window for the images.

This stops the user from disabling javascript.  

Perhaps more importantly, it also stops web site copiers and offline browsers like Wget, WinHTTrack, Teleport Pro, etc.   :twisted:

Offline Nossie

Pic Security
« Reply #20 on: February 19, 2003, 06:23:52 AM »
a bit similar to hotlink protection?

last time I enabled that on the server... half the images turned into "you've thieved this from...." hehe

I have to admit the only thing that bothers me personally is bandwidth theft so this doesn't apply to me too much

nice thinking going on there tho :)


Offline Chris

Won't stop hotlinks
« Reply #21 on: February 19, 2003, 06:49:52 PM »
For the uninitiated:  Hotlink protection is when you implement measures to ensure the link was followed from your site.

The technique I've described only ensures the user has javascript enabled and that web site copiers can't grab the images.  It's not actually a hotlink issue since the pages and image links are being loaded from the 4images site itself either from the user's javascript enabled browser or from web site copying software.  

For those reading who don't know about hotlinks, a hotlink is when a web page on someone else's web site links to images on your web site.  This steals your bandwidth by loading your images in their pages by reading them off your server.  

What I documented wouldn't stop that from happening.  Another post already exists in these forums that describes a method for preventing hotlinks by using the .htaccess file for Apache web servers.  Another approach is to use PHP to set and check a session variable before allowing the user to view the file.  That method is covered pretty well by this short article here:
http://www.pinkgoblin.com/bandwidthprotection.php

The main reason I'm taking these steps is to ensure images are only downloaded by registered users and that people can't grab thousands of my photos with a single click of the mouse.
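
The server-side session check mentioned above, combined with a signed, expiring image link, as an added example that is not part of the original post and not 4images code. It assumes the login code sets $_SESSION['user_id'] and that originals are stored outside the web root; image.php, IMAGE_DIR, IMAGE_SECRET, LINK_TTL and both function names are hypothetical.

```php
<?php
// Added example, not 4images code. Assumptions: login sets
// $_SESSION['user_id']; originals are stored outside the web root as
// <id>.jpg; IMAGE_SECRET is a random server-side key (placeholder here).
declare(strict_types=1);

const IMAGE_DIR    = '/var/www/private/media';     // hypothetical path
const IMAGE_SECRET = 'replace-with-32-random-bytes';
const LINK_TTL     = 300;                          // seconds a link stays valid

// Called by the details page after session_start(): the link is bound to
// this session and expires, so a copied URL is useless elsewhere.
function signed_image_url(int $imageId): string
{
    $expires = time() + LINK_TTL;
    $mac = hash_hmac('sha256', $imageId . '|' . $expires . '|' . session_id(), IMAGE_SECRET);
    return sprintf('/image.php?id=%d&e=%d&m=%s', $imageId, $expires, $mac);
}

// Called by image.php. Every check runs on the server, so it does not
// depend on the visitor's browser or on JavaScript being enabled.
function serve_image(): void
{
    session_start();
    $id      = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    $expires = filter_input(INPUT_GET, 'e', FILTER_VALIDATE_INT);
    $mac     = (string) filter_input(INPUT_GET, 'm');

    if (empty($_SESSION['user_id'])) {             // registered users only
        http_response_code(403);
        return;
    }
    $expected = hash_hmac('sha256', $id . '|' . $expires . '|' . session_id(), IMAGE_SECRET);
    if (!$id || !$expires || $expires < time() || !hash_equals($expected, $mac)) {
        http_response_code(403);                   // forged, expired or copied link
        return;
    }
    $path = IMAGE_DIR . '/' . $id . '.jpg';        // integer id: no path traversal
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('Cache-Control: private, no-store');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

The details page would emit signed_image_url($id) as the image source, and image.php would contain only a call to serve_image().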

Offline SLL

  • Hero Member
  • *****
  • Posts: 585
    • View Profile
Pic Security
« Reply #22 on: February 22, 2003, 04:55:07 PM »
Quote from: Nossie
I like that idea, but I know a lot of programs that can prevent javascript from operating.

as a very rude measure it's possible to include a small javascript, checking if java scripting is enabled, which will redirect you to some empty page with a message like "you have to enable scripting to access this gallery". as far as i know, there's no way to disable scripting when the page is already loaded.

Offline Chris

Pic Security
« Reply #23 on: February 22, 2003, 05:03:00 PM »
Oh my curiosity is piqued now!

How can a javascript check if javascript has been disabled if javascript has been disabled?  My understanding is that if javascript is disabled in the browser, no javascript script will run.

Is this something that's done using PHP?  I know you can redirect the user from PHP with just:
Code:
Header( "Location: http://www.Domain.com/" );
I am sincerely curious.  Can you point me to the script?  If it can be done, I'd like to see how.

Offline Chris

Pic Security
« Reply #24 on: February 22, 2003, 05:16:09 PM »
Follow Up:

I only know that you can use the <noscript> tag which is used if javascript is disabled.  Here's an example from the templates media/jpg.html file:
Code:
<table border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td align="center" width="100%">
      <script language="JavaScript" type="text/JavaScript">
        document.write('<img src="{media_src}">');
      </script>
      <noscript>
        <img src="/resources/images/logo.gif"/>
      </noscript>
    </td>
  </tr>
</table>

Offline SLL

Pic Security
« Reply #25 on: February 22, 2003, 05:17:59 PM »
not to use this way, of course, just an example  :)
Code:
<script language="javascript" type="text/javascript">
document.write ('blah-blah');
</script>
<noscript>
enable scripting!
</noscript>

Offline Chris

Pic Security
« Reply #26 on: February 22, 2003, 05:21:52 PM »
Ah, just a minute apart between our posts.

When you said "redirect the user to a page" I thought it was something like:
Code:
location.href="http://www.domain.com/EnableScripting.html"
Okay, I think we are in sync here.  Thanks.

Offline SLL

Pic Security
« Reply #27 on: February 22, 2003, 05:39:53 PM »
as i see, you already had the solution :)

just checked this scripted image output in 4images details.html, it works just fine, so using this way together with other methods mentioned in this thread (disabling cache, etc.) is protection enough, don't you think so?

Offline SLL

Pic Security
« Reply #28 on: February 22, 2003, 05:48:10 PM »
it seems that php is also able to determine if scripting is enabled. http://www.php.net/manual/en/function.get-browser.php

see
Quote
<b>javascript:</b> 1<br />
<b>javaapplets:</b> 1<br />
in the example there

Offline Chris

Pic Security
« Reply #29 on: February 22, 2003, 06:19:25 PM »
Quote from: SLL
so using this way together with other methods mentioned in this thread (disabling cache, etc.) is protection enough, don't you think so?

It's always a tradeoff.   :wink:

I also encrypt the {media_src} link in PHP on the server, use javascript on the client to decrypt the link and document.write() it to the table background.  For the <td> itself I use a transparent gif or a logo gif depending on whether or not the user has javascript enabled.  This is really just to stop web site copiers.

I also employ a couple other things I haven't detailed here but yeah, for the most part it's enough protection (for me).

Perhaps someday I'll find the time to put together all the tips and tricks I use for image protection in one comprehensive tutorial.  It would be a long post for sure!