Domain Hosting vs Domain Masking

I noticed, being a pro user, that smugmug doesn't really use domain hosting, but uses domain masking.
When I share a picture http://www.xo-studios.com/photos/17971305-M.jpg, even though this picture might be in a protected gallery.
Now for more fun, try changing the picture number
17971305 to 17971306
http://www.xo-studios.com/photos/17971306-M.jpg
Even tho the domain name says XO-Studios, that is not my picture.
Sometimes, my pictures get sequential numbers, sometimes they don't. (pending traffic)
Now I personally stopped using sharing, as ppl get bored and mess with the url and get to see others pictures, under my domain name.
I have contacted tech support at smugmug and their reaction is 'too bad, too sad' which to me means too sad indeed, as I can live with my pictures not being protected (i.e. I simply don't use share anymore) but I cannot live with others pictures showing under my domain name.
This technique btw is called domain masking, not domain hosting
example:
http://www.smugmug.com/photos/17971305-M.jpg
is identical to
http://www.xo-studios.com/photos/17971305-M.jpg
I am convinced that there should be a simple way to block access to pictures that are not in any of my galleries, however so far smugmug tech support gives a 'not at home/not our problem' type of response.
FWIW,
YMMV,
XO,
You can't depend on your eyes when your imagination is out of focus.
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
Comments
First, I doubt they said "too bad, so sad" or gave you a "not at home, not our problem" answer. What probably happened is that they just didn't tell you what you wanted to hear.
Anyway, I have a pro account, and the same thing does not happen to me. When I try the second URL with either of the hostnames that point to my smugmug account, I get redirected to the hostname of the photo's owner.
yes no?
haha... only messin. I don't think support gave you the big middle finger... it's not their style.
MM Portfolio
Canon 30D | Canon 50mm f/1.8 | Tamron 28-75mm f/2.8 | Canon Speedlite 580ex
Actually, you're wrong on both counts. Smugmug doesn't do domain hosting - you need your own DNS servers, either through your registrar or other, to do your hosting. It looks like you have this.
We also don't do DNS masking.
Instead, we host your photo sharing and make it viewable at your fully-qualified hostname on your domain. It's like hosting a website, but not like hosting domains.
You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!
As the CEO, I take this very seriously. Can you please let me know what customer service reps you were dealing with so I can check their logs and see what went wrong? You should never receive answers like either of the above.
smugmug is devoted to five-star customer service across the board and I'm terribly sorry if we haven't met up to that standard. We'll make it right, and knowing who you were dealing with will help a great deal.
Thanks!
Don
-don
Thanks for the quick response, for more feedback, and the answer/email you were looking for please email me offlist (XO@XO-studios.com).
To the rest of you, I did get a quick response, and no, I did not literally get told too bad/too sad, rather I got an answer that stated it was just the way things were.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
Thanks,
Levi
http://wallachville.smugmug.com
http://twelveblackcodemonkeys.com
Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.
--John
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
I also do not believe that the above scenario is a bug.
-w
Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
You share a picture as a teaser.
http://xxx.yyyyy.zzz/photos/123456-m.jpg
Someone is smart enough to figure out that
http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
Or, as the earlier bug said, it leads to a picture of someone else's gallery.
I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.
FWIW,
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
-don
I, myself, don't expect marking a gallery private to protect it in the way you do. But, I do expect password protection on the gallery to protect ANY access to the gallery or ANY photos in the gallery without first entering the password.
I just ran a test and a password protected gallery is ONLY protected at the top level gallery level. If you have an URL to a photo or you guess an URL to a photo, you get to see it without providing the password. That seems like a serious security bug. You should be required to enter a password before viewing ANY photos in a password protected gallery. BTW, I don't have a custom domain so this problem exists even without that.
So XO-Studios, I tested this because I thought a password protected gallery should provide the protection you seem to be interested in, but alas, that doesn't currently work.
--John
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
Sebastian
SmugMug Support Hero
Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
1) picture url's are not protected
2) other peoples pics will show under my domain
3) passwords do not protect individual files.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.
--John
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
So as far as I'm concerned, having stuff show up under my url doesn't mean anything because the people who are accessing these are already fooling around and so should know that they might get something unexpected. What I'm MUCH more concerned about is the privacy of my clients (and my OWN, friends', and family's privacy), as well as the possibility that original images could be stolen...
http://wallachville.smugmug.com
http://twelveblackcodemonkeys.com
Maybe there is a delay before the settings work completely?
Sebastian
SmugMug Support Hero
This is by design and not a bug. Sorry!
Don
External linking, by definition, only works if you're coming to see the photo from an external link.
If you're coming from a smugmug link, it will work fine.
This, too, is by design - otherwise you wouldn't be able to see *any* of those photos at all, all access would be shut off.
Don
Quote:
Originally Posted by jfriend
I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.
--John
onethumb's reply:
"This is by design and not a bug. Sorry!"
Don
_________________________________
Any chance of beefing up the security on password protected galleries, Don? Other sites around do protect you from direct links or guessed URLs when you enable password protection. The password protection system here at smugmug works sorta like pbase's hidden galleries. Not protected, just sorta hidden. Pbase is one site that does stop direct linking and guessing URLs with its password protection scheme. Maybe you guys can get this level of protection here at smugmug in the not-too-distant future?
-don
How on smugmug are you supposed to protect/limit the viewing of an image URL to a specific audience so that there is no way for the general public to get to your image without knowing a password?
If I understand my own testing and your intent, password protection only requires the password if the user comes in the front door by browsing to the home page of the gallery. But, it doesn't protect against any form of individual access to the same images. Is there a reason that you'd want it to work that way? Or just some practical limitations that have led to it not being protected from this kind of access?
I'm asking to try to understand if I don't understand how you intend for a customer to solve this privacy issue (e.g. there's another way to do it)? Or, if you don't understand what we're asking for and why it seems important to us?
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
Smugmug has more than 19,000,000 photos online. "Guessed URLs" are pretty dang tough.
When we built the passworded feature, it initially protected images entirely from passworded links, and our customers blew up at us. They were furious when they'd accidentally link a photo to a forum post, blog entry, or the like and it wouldn't work. Our customer support costs shot through the roof and we were inundated with complaints.
We quickly switched it to allow linking to the images and everyone was happy. At least, until now.
I have a *really* hard time understanding how guessing your photos among 19,000,000 other photos constitutes a security risk. The only way they can even get one image URL from a given gallery is if you choose to feature a photo - not something I recommend if you're security conscious, and need I remind you, something that wouldn't be allowed at all if the password scheme applied to images as well as just galleries.
We'll continue to think about it and revisit it from time-to-time, as we do with all smugmug product decisions, but I really doubt it'll get changed.
Thanks for the feedback, though. Without it, smugmug wouldn't be the great place it is.
Don
If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallerie with no featured photo, I'd be happy to revisit the security concerns.
But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.
Don
I do understand the balance between security and convenience. I deal with that balance all the time in the software and architecture design work I do in my job. At the same time, security features come with certain expectations and it's generally a pretty bad thing for a company when their actual security doesn't match the common expectations, no matter what convenience you are trying to offer. In fact, in our business, we're better off under-promising the security than over-promising it. If the customer actually wants the convenience they are enjoying rather than the real security, then the feature needs to be presented in a different way that doesn't imply security that isn't really being delivered. On the other hand, if the customer wants the security that's being implied, then that security should be delivered, not "sort-of" delivered.
I myself use some of the security conveniences you've built in. For example, I use "private" galleries, but put URLs to specific photos into public postings. I didn't really know how a private gallery should work (I had no preset expectations), but I tried it and it solved my problem. I want to be able to post specific images, but not allow people to browse the whole gallery from my home page. That's useful to me. But, a password protected gallery is a different beast. For "most" people, that will set an expectation that one cannot view the content without supplying the password no matter how you try to access it.
I agree that it's nearly impossible for someone to find a specific photo of mine by guessing an URL. That is like trying to find a needle in a haystack.
But, on the other hand, it's really, really easy to find lots of other people's photos by just changing numbers in the URL. Here's a progression I followed:
I started with a public URL of mine:
http://jfriend.smugmug.com/photos/15410531-M-1.jpg
I then changed a few digits in the number and got someone else's image here:
http://jamescho.smugmug.com/photos/15410743-M-1.jpg
I twiddled a few more numbers here and got this image:
http://butler.smugmug.com/photos/15410756-M-1.jpg
I twiddled a few more numbers and got this image:
http://freiburg1971.smugmug.com/photos/15410656-M-1.jpg
Further, this does not appear to be a sparse numeric space that makes it difficult to guess numbers that land on photos. In fact, every single number I tried around where I started landed on a photo.
I have absolutely no idea whether these images are supposed to be public or not. Unless you have hardly any password protected galleries on smugmug, it should be fairly easy for me to find some content that is meant to be password protected. And, once you find one thing you like you can probably find the rest of the images in the gallery (assuming they were uploaded at the same time) because it looks like the numbers will be in close proximity to the first one you find.
I did find out that if originals are turned off in a gallery that they cannot be accessed with a guessed URL so that seems to work.
My summary is that I'd suggest you think about this some more. I think you are implying a security feature that isn't being delivered (which is usually a bad thing). I would suggest that you either change the user expectation for the password feature by presenting/describing it differently or make it really work. You could even solve the backward compatibility problem by letting the user decide with a preference whether a password protected gallery should allow un-authenticated direct linking or not.
I hope I don't sound like I'm trying to be difficult here. I am generally pleased with smugmug and have referred many folks here (39 referral credits so far).
--John
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
When external linking is off and I access a picture URL directly with my browser I shouldn't be allowed to see it, because the referrer field should be empty then and that should be a sign for SM not to show the picture. Same thing when the picture is linked in a forum, then SM will get the referrer of the forum and therefore not allow viewing the picture.
This should not interfere with gallery browsing, because then my browser would have the SM domain as referrer.
I thought this is the way it works and to my understanding the differentiation between the cases should be not that hard. What am I missing?
Sebastian
SmugMug Support Hero
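An added example, not code from this thread or from SmugMug, sketching how a photo host could close the gaps John and Sebastian discuss above: random photo keys instead of sequential numbers, a per-gallery preference that makes the password gate apply to direct image URLs, and serving a photo only under its owner's host. Class, method and field names are assumptions, as are the sample hosts and passwords in the comments; the Referer header is deliberately not consulted because it is client-supplied.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Gallery:
    gallery_id: str
    owner_host: str                   # host the gallery is served from (constructed)
    password: Optional[str] = None    # None = not password protected
    allow_direct_links: bool = True   # per-gallery preference proposed in the thread
    photos: Dict[str, str] = field(default_factory=dict)  # photo key -> file name

class PhotoService:
    def __init__(self) -> None:
        self.galleries: Dict[str, Gallery] = {}
        self.photo_index: Dict[str, str] = {}  # photo key -> gallery_id

    def add_gallery(self, gallery: Gallery) -> None:
        self.galleries[gallery.gallery_id] = gallery

    def add_photo(self, gallery_id: str, filename: str) -> str:
        # 96 random bits instead of a sequential number: "picture number +1"
        # no longer lands on the next upload, or on anyone else's photo.
        key = secrets.token_urlsafe(12)
        self.galleries[gallery_id].photos[key] = filename
        self.photo_index[key] = gallery_id
        return key

    def unlock(self, gallery_id: str, password: str, session: Set[str]) -> bool:
        # Record in the visitor's session that the gallery password was entered.
        gallery = self.galleries.get(gallery_id)
        if gallery is None or gallery.password is None:
            return False
        if secrets.compare_digest(gallery.password, password):
            session.add(gallery_id)
            return True
        return False

    def fetch(self, host: str, key: str, session: Set[str]) -> Tuple[int, str]:
        """Return (HTTP status, file name) for http://<host>/photos/<key>-M.jpg."""
        gallery_id = self.photo_index.get(key)
        if gallery_id is None:
            return 404, ""
        gallery = self.galleries[gallery_id]
        # Serve a photo only under its owner's host, so other people's pictures
        # never show up under a custom domain (the opening post's complaint).
        if gallery.owner_host != host:
            return 404, ""
        # With direct links disabled the password gate applies to the image
        # itself, not just the gallery page. The Referer header is not consulted:
        # it is client-supplied, and empty for address-bar requests anyway.
        if (gallery.password is not None and not gallery.allow_direct_links
                and gallery_id not in session):
            return 401, "password required"
        return 200, gallery.photos[key]
```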
www.xo-studios.com/photos/19184525-M.jpg
Hi there Aunt Margie, I was in a theatre production, here is a backstage picture.
Aunt Margie or one of the cousins gets bored (picture number -1)
www.xo-studios.com/photos/19184524-M.jpg
I am not sure about your Aunt Margie, but mine definitely wasn't supposed to see that last picture. Quite often my pictures uploaded as a batch have sequential numbers.
Both pictures are in a password protected gallery that is private. Originals and larges switched off.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
image_url="http://www.smugmug.com/photos/"+X+"-M.jpg"
if exist(image_url) save(image_url)
X=X+1
I believe you get where I am getting at.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
http://wallachville.smugmug.com
http://twelveblackcodemonkeys.com
I'm not sure why users were initially irate that they couldn't link to images in PRIVATE galleries, but considering the unlimited storage space, it seems silly why they couldn't just include the photos they want to publicly link to in another gallery that is public. But whatever the case is, I think there needs to be some way of locking images down so that they can't be retrieved by "guessing" (or more likely "browsing"). How this is done doesn't concern me as much as that it is done and that instructions to do so are created and given to us...
http://wallachville.smugmug.com
http://twelveblackcodemonkeys.com
-don