Change in SmugMug URLs for better privacy
Baldy
Registered Users, Super Moderators Posts: 2,853 moderator
Some of you have been reading the debate in the blogosphere about SmugMug URLs to private images being too easily guessable. The blogs were not written by our customers, but they do make some good points. We've received a few dozen emails in response and they tend to fall into 3 camps:
1. Leave it as is. Your URLs are short and simple. Don't use GUIDs and mess your URLs up by having strings that look like:
3F2504E0-4F89-11D3-9A0C-0305E82C3301
in them.
2. The problem is SmugMug's choice of words. You should say "unlisted" or "hidden", not "private."
3. Can't you do something simpler than a long GUID so your URLs don't get so messed up but they're harder to guess?
So here's a proposal:
What if we were to add 6 characters--an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.
This would apply to images going forward, public or private. For the 250,000,000 images on the site now, in order to give them a new URL, you'd have to move them to a new gallery. The downside is their new URLs would break any links to them right now that you have in forums or blogs.
Is this solution reasonable? If not, can you tell us why? Any other ideas?
Does this fit your definition of privacy? I have an email in my box from a customer who loves us but is shocked that we would think any image that can be seen by any other person could be considered private. In other words, when he marks a gallery as private, giving the URL to a friend would not enable them to get into the gallery. Anyone else feel that it should work that way?
Thanks for your feedback. We'd like to think this through and get it right but we don't want much time to pass either.
Thanks,
Baldy
Comments
That seems like a nice idea to me. I also don't like the GUID idea as then we end up going down the TinyURL route which removes benefit of using our own domain name (photos.miseast.org/...).
I love the granularity of the security settings and have completely understood what 'private' meant but I can also see that with 5 different switches the number of options may be a little overwhelming for folks just arriving. Maybe you could also have a 'Quick Security' drop down box with just a couple of options that set the other switches up: e.g. 'Only people I invite with the password (most secure)', 'Anyone who knows the link to the gallery can see the pictures (less secure but simpler)', 'Everyone can see my photos but can't get the originals'. Clearly these aren't all of the possible options but the idea is not to iterate all of the possible options - just to give a small easily understood subset.
Rich
One way to make sure people don't miss the choices is to combine them into one choice for "security". Currently there are quite a few choices there and most people probably don't understand the implications of all of them. I propose you combine the private, external linking fields into a drop-down list with the options:
- Public/Direct Links Allowed
- Public/Direct Links Prohibited
- Unlisted/Direct Links Allowed
- Unlisted/Direct Links Prohibited
and then explain how even on an unlisted gallery with direct links enabled, people could still get to your photos. You could even included password in the list too, but then it becomes 8 choices.
-Scott
scwalter.smugmug.com
My suggestion would be a very well-thought-out tweak to the security settings UI and verbiage.
As for the GUIDs... Seems like a good idea, too. The current system is simple enough, but it's not like I'm typing out or trying to remember URLs or image IDs. Copy and pasting a URL isn't going to get any more complicated by adding 6 characters. (The proposal of applying this to new/moved images is a good one.)
Thanks for your openness, your calm, and your solicitations for feedback. You guys all did a great job of not turning this thing into a torchfest.
Swim for Them | WellmanHouse.net | AlbumFetcher | SmugShowBuilder
Sebastian
SmugMug Support Hero
I believe this is primarily a terminology problem. Among the existing privacy options (private, password protection, external linking), I feel you already give me enough tools to manage the protection of my photos. IMO, adding more options will increase the combinations of the settings, and probably complicate things even further. If I really want to lock down my photos, can't I just make them private and password protected?
Having said that, I would tend to agree that "private" might be a poor choice of terms, and perhaps you should consider renaming it. Aside from that, I would leave things alone.
Mark
But I do think the original blog had a point that it is just slightly too easy to walk the image tree this way. A little too easy for comfort. It's just a matter of time before we'll indeed see some large zip with lots of private unprotected images on bittorrent. Try and explain that with a straight face to the person in your inbox Baldy. That's a discussion Smugmug can't possibly win. Even if they are somewhat correct in that you can't get a specific image, that may not be the point of this as MySpace recently found out.
I think SM has no choice but to add some kind of extra characters. You can't just ignore this issue because there is a large imbalance in the consequences of this issue. People that think their images are truly private, say nude pictures of themselves, face severe consequences through exposure. While adding a few extra chars hurts almost no one to the same effect.
Personally I don't mind if SM uses GUIDs. I don't really understand why people get so worked up about URLs. It's not like you have to remember them. Maybe SM could somehow combine GUID with a non-hacky way to beautify your URLs. But if there is really that much resistance to GUID, 5 extra characters would work for me.
Or I have a totally different option. Allow people to add to the basic URL with their own selection. A small text box like:
http://uwimages.smugmug.com/gallery/3988206[_fill in yourself with a max of X] to become http://uwimages.smugmug.com/gallery/3988206_underwater.
That way, you could give every single existing URL that option, but make it empty. People can opt to fill it in, to change the URL to that specific gallery without having to copy all images to a new gallery. I would say that is MUCH harder to brute force than a pre-defined string.
Cor
http://uwimages.smugmug.com
I agree with Scott that the problem is the use of the word private. I like his suggestions (above). And it seems to me that people who really want to hide their world should be using smugislands.
My vote? Leave the url structure as is and change the use of the word "private".
Also - I link to my photos extensively, so I also agree that you shouldn't change the existing URLs unless the owner of the gallery indicates that they should be changed.
--- Denise
Musings & ramblings at https://denisegoldberg.blogspot.com
I would like to comment that I believe a small bit of the problem is that the settings and configurations for this stuff are 1) scattered and 2) waaayyy too cute. You guys provide tons of good features, but then put them all over the config panels (better now with new panels), but also obscure them in funky words like 'smug islands' and 'hello world' etc. I mean I am all for having fun, but WTF do those mean? Why not use plain English when it comes to critical privacy settings, so we don't have to go use the Smugmug interpretation bible whenever we want to protect something? Put the cute elsewhere.
First and foremost, this is a terminology problem. I do like the idea of changing private to unlisted.
Second - Please don't make extremely long urls. When I post a link to a single picture in a forum, or send a link to a friend, the urls are already too long. Once the url wraps to more than one line, many email readers don't handle the link properly. This is especially a problem when a wrapped link is in the quoted part of a message thread.
As for tinyurl? Personally, I never click on tinyurls. I like to know where I'm going.
http://georgesphotos.net
By the way, with this issue getting attention and many people trying it out for themselves, I believe one of my private galleries has been accessed: the stats show 1 access to medium size for every photo, with no accesses to thumbnails or any other sizes. I've changed all my private galleries to also hide owner (although there may still be identifying info in the photos themselves, or in the comments) for now, but I'm waiting for a real solution. I'm also very troubled by the reports that fully protected photos, in password protected galleries and no external links, can be accessed (the contest image). Looking forward to this issue getting fixed too, and explanation of the details afterwards.
I personally don't care what the URL is, it doesn't affect me in the least. To Georges: Every email product I know of allows you to paste links into clickable text, like this. That eliminates any problem with super long links not working properly in emails.
I have to agree that the terminology is one of the big problems here. The word "private" means something very specific in Smugmug, and I think it is explained very well. However, if people don't read/don't understand/don't remember this then what happens? Obviously the person thinks that the standard Websters definition applies.
I would change the security gui a bit; maybe a "no protect", "medium protect" and "max protect" option for simple use and still have the total granularity available for advanced users?
Right now you have 6 main options, and so you have what, 64 possible settings? (It's been a long time since high school) I'm pretty comfortable with the settings and even I'm not sure what level of security happens when I have:
Public=no
Hello World=no
Hello Smuggers=yes
ext. links=no
protected=no
hide owner=yes
Exactly how locked down is that gallery?
As I'm typing this I also realized that setting the first 4 of those options to "no" makes the gallery more secure, but the reverse is true for the last 2 settings. Maybe they should all be one way; set everything to "no" and it's the most secure?
Just my thoughts - I'm very confident you folks will figure out the best solution for all concerned.
2) I agree with others that terminology is the enemy here. From my experience, especially in a multi-lingual global marketplace, you will never find a single set of terms/phrases that will appropriately describe the behavior. I have noticed in the blog entries, and in these messages here, a sense of "EVERYONE INTERPRETS THE WORD 'PRIVACY/UNLISTED/WHATEVER' IN THE SAME WAY I DO." Ah, if only.
2a) I humbly suggest a use-case based description of what each setting will and will not allow. Please include best and worst case scenarios to the best of your knowledge. Choose whatever terminology/descriptor you like. Think about describing the behavior of three 'users': I) Smugmug gallery owner, II) a person you want to view your photo(s), and III) a 'bad guy' who would like to steal/share your photo.
2b) Just as a final comment, SM's current terminology and descriptions are confusing to me. (I am a casual user. I am a native English speaker. I have had computers in my life since the age of 10. I have a graduate degree. I am in the tech industry. I am under 40.)
3) GUIDs are good. An option to turn on/off GUIDs for a gallery would be ideal from a user perspective. Users who still want the old linking/easy iteration can keep it. Those of us who dislike the easy access can shut it down. I don't know anything about SM's limitations from a structural standpoint, so weigh it against your costs. To revisit point 2, not everyone will understand what a GUID is, so use-case based descriptions will be necessary.
I agree I like things the way they are
Maybe newbies don't understand that private (or by clicking NO option by the public setting) really means that they are still open for anyone to view but someone would have to know your url.
I also agree here with this above.... maybe these three "no protect", "medium protect" and "max protect" may help, because maybe those 6 options we have to select now could be a bit confusing to newbies
Canon 60D
Canon Rebel XTi (400)
Canon 10-22mm, Canon 50mm f/1.8 II
MacBook, MacPro
And I certainly don't want links to existing photos to change; I link to my photos from my blog and from other places on the web as well. Broken links would not make me happy.
I also have a hard time believing that adding another number onto a generated album or photo id would improve things at all. Changing the word "private" to reflect the English word for what private does today in smug makes more sense to me.
--- Denise
Musings & ramblings at https://denisegoldberg.blogspot.com
When I first signed up a year ago, there was a bit of a learning curve when it came to figuring out what the different terminology meant, but after I understood it made perfect sense. I agree with changing the terminology to potentially ease that learning curve, but it really makes no difference to me today.
Then you go on saying that the existing options make perfect sense, but you still wouldn't mind having them changed -- while at the same time it sounds like you oppose changing the last component of the URL, which has no effect on user interface, learning curve, understandability of options, etc.
olegos, I'm not understanding you. If you want your photos completely private, why wouldn't you turn off all external links? When you set your galleries to allow external linking, you're making them available.
Also, as you allude, I said nothing about changing the existing options, rather changing the terminology.
I've also become jittery about the word private. There are many dictionary definitions, but this one resonates:
Not open or accessible to the general public: a private beach.
There are many ways your private URLs could become public without changing your settings. If you publish your private link in a dgrin post, for example, Google will index it and people will see your photos.
Unlisted is more like your phone, no? You can make sure you don't list it, but you know that if the number gets out people can call it. Isn't that clearer?
We're not ignoring what you're saying in this thread, we think it's great. My inclination from what I've read so far is to add the 6 characters to every URL to make them incredibly hard to guess but not make them insanely long like a GUID would do. And to refer to private photos/galleries as unlisted.
No decisions have been made so if we're being bone-headed, set us straight.
Thanks,
Baldy
just saying.....
You may have a gallery you don't want people to discover on your SmugMug pages but you do want to post some of the photos in the gallery to a forum. There are many reasons why someone might want to do that. For example, some guy on my motorcycle forum came up with a great Photoshop of one of our most popular members. We didn't want him to know who dunnit, so we placed it in a private gallery with links turned on:
this echoes my comments also. The terms are arbitrary (but prone to misunderstanding regardless of which way you go, ie listed/unlisted is just as bad as public/private), it's the functionality of each setting that matters...which precise use-case descriptions would give.
You'd be better off just having LEVEL I, LEVEL II, LEVEL III, etc of privacy. Following interface design standards to meet 80% of your user-population's understanding with additional, advanced tools/settings for the power-users is where I would go based on my cursory understanding of Cooper-style analysis.
Baldy, I think the source of the problem is that the image (and gallery) ID is numeric AND sequential. Leaving the URL the same length as now, but having the ID be a random sequence of upper and lowercase letters and numbers (maybe increase the length by two or three characters for future growth) would make the situation very much better than it is now, probably good enough, while not making the URLs much "worse" for those who care.
Mark
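An added example, not SmugMug's code, that puts numbers on both Baldy's "_xxxxx" suffix proposal earlier in the thread and Mark's suggestion just above of a random, non-sequential ID in the same length budget: it computes the keyspace each scheme leaves an attacker to exhaust and generates the suffix with a CSPRNG. The 250,000,000 live images come from the thread; the 9- and 11-character ID lengths are assumptions.

```python
import math
import secrets
import string

LOWER_ALNUM = string.ascii_lowercase + string.digits  # 36 symbols, as in "_hyqpb"
MIXED_ALNUM = string.ascii_letters + string.digits    # 62 symbols (Mark's suggestion)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def random_suffix(length: int = 5) -> str:
    """The proposed '_xxxxx' tail, drawn from `secrets` (a CSPRNG): a tail made with
    `random.random` could be reproduced by anyone who recovers the generator state."""
    return "_" + "".join(secrets.choice(LOWER_ALNUM) for _ in range(length))


def random_id(length: int) -> str:
    """Non-sequential image/gallery ID over 62 symbols, in the same length budget
    a numeric ID uses today (assumed lengths, not SmugMug's actual scheme)."""
    return "".join(secrets.choice(MIXED_ALNUM) for _ in range(length))


def compare(live_items: int = 250_000_000) -> dict:
    """Per scheme: the secret space an attacker must search to reach one specific
    image, and the average probes before hitting *some* live image. With sequential
    IDs every ID in range is live, so 'any image' costs the same as 'this image';
    with random IDs almost every probe lands on nothing.
    `live_items` defaults to the 250,000,000 images quoted in the thread."""
    schemes = {
        # name: (secret keyspace, IDs are sequential)
        "sequential numeric id": (1, True),
        "sequential id + _ + 5 lowercase alnum": (keyspace(36, 5), True),
        "random 9-char mixed-case id": (keyspace(62, 9), False),
        "random 11-char mixed-case id": (keyspace(62, 11), False),
        "GUID (122 random bits)": (2 ** 122, False),
    }
    report = {}
    for name, (space, sequential) in schemes.items():
        report[name] = {
            "bits": round(math.log2(space), 1),
            "specific_image": space,
            "any_live_image": space if sequential else space / live_items,
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:40} {row['bits']:6} bits  specific: {row['specific_image']:.2e}"
              f"  any live: {row['any_live_image']:.2e}")
    print("example suffix:", random_suffix(), " example id:", random_id(9))
```

The 5-character suffix gives 36^5 = 60,466,176 guesses per image, matching the "up to 60,000,000" figure; a random 9-character mixed-case ID costs roughly the same to find any live image but far more to reach a specific one, and each extra character multiplies both by 62.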
If you violate your privacy settings by placing a link to a gallery or image in a forum, we tell Google not to index it.
While Google behaves honorably when you tell them not to index something, your mileage may vary with evil spammer pedophiles.
Dgrin FAQ | Me | Workshops
Sounds like a winner to me.
Swim for Them | WellmanHouse.net | AlbumFetcher | SmugShowBuilder
I posted about this here, so in case you were wondering how this all started, and SmugMug's response here's the links:
http://blogoscoped.com/archive/2008-01-28-n59.html
http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/
http://blogs.smugmug.com/don/2008/01/28/first-two-security-winners/
As I commented on Don's last post, I really would love a little transparency into the "hacks" used to win the prize. Especially if the holes have now been fixed.
I've known about the CNAME redirect for awhile, but never really considered it a bug, since I actually am looking for a way to *find this information*.
Anyways, interesting stuff though. I'm bummed I missed my chance to make some money!
Say I see someone's public vacation photos. I suspect that there may be more photos from there, that the person is sharing with their family, but not the world. So I write a quick script to go over URLs with IDs in that vicinity, and can even automatically pre-filter the results based on say EXIF info. How likely do you think I am to discover photos I'm not supposed to be seeing?
I don't even need to search over the whole namespace, as Don's blog posts imply. If approximate time of the photos is known, the search space gets a lot smaller. Regardless of terminology, this is WRONG.