gallery URL and discovery of private galleries..
jmpsmash
Registered Users Posts: 33 Big grins
i have a question concerning the design of the private gallery URL.
if i understand it correctly, the URL contains a global gallery sequence number. anytime any customer create a new gallery, the sequence increments.
the problem i have is that that allows very simple discovery of other people's galleries, regardless of whether those galleries are private or not.
i suggest using a more secure way to name these folders. a secure hash or something like that will prevent easy discovery of users' private galleries.
if i understand it correctly, the URL contains a global gallery sequence number. anytime any customer create a new gallery, the sequence increments.
the problem i have is that that allows very simple discovery of other people's galleries, regardless of whether those galleries are private or not.
i suggest using a more secure way to name these folders. a secure hash or something like that will prevent easy discovery of users' private galleries.
0
Comments
Gallery numbers do appear to be guessable sequence numbers. I just created two galleries and they were assign sequential numbers. Similarly, you can cycle through numbers and see all sorts of galleries.
Private galleries are really just "unlisted" galleries (in the same sense as an unlisted phone number). They are not secure and are discoverable by chance. If you want security, then you need to use some other protection mechanism (probably a password).
Smugmug could randomize and lengthen the numerical space for private galleries and thus make it a lot more difficult to guess or discover. If it becomes a sufficiently large and random numeric space, then it does start to make a difference. It would also help if it was required to match the right domain with the private gallery ID before you could see it. Then, you'd have to have both the gallery number and the user name before you could discover something.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
(and what do you think the odds are that after incrementing gallery numbers from one of mine, just a couple valid gallery numbers away was another gallery shot right here in town? gotta be astronomically small.)
http://wall-art.smugmug.com/
As John Friend suggested, passwording will lock them down. Private makes them unsearchable, and keeps them off your homepage. Are they "guessable?" Sure, I guess....
Portfolio • Workshops • Facebook • Twitter
Surely you could implement some kind of hashed or GUID gallery number?
... probably posting them on the internet is not such a good idea. I know that sounds kind of like I'm being a jerk, but honestly, I'm a huge privacy advocate. I use passwords and the private gallery function here with a grain of salt-- I would never, ever post a photo I didn't want anyone to see. Email, the internet, phone calls-- all that-- they're simply not private.
Anyway, do you have a specific example of people finding your photos using the sequential gallery number method? And were they able to do that with a password protected gallery? I guess what I'm asking (and being sincere here as a privacy advocate) is what is problem with how it's done now? I'm really curious.
Portland, Oregon Photographer Pete Springer
website blog instagram facebook g+
We need to have an option to make gallery Unavailable!
When the URL is then accessed the customer would get a screen saying this gallery is Unavailable or does not exist. Now it appears the gallery has been deleted. It's a REAL PAIN to create a new gallery, make it private, and move all the photos.