Bear in mind this is trivially easy today, even with our password precautions. Anyone who has your password and re-distribute your photos however they'd like - they just save the photos (which they can since they have the password) and share them on ImageShack or Photobucket or where ever.
Watermarks are the only fool-proof security.
I guess the difference for me is that the onus is on me to make sure I only give out passwords to people I trust. That way, if a password gets out "into the world", I am responsible for that. In the new scheme, it seems like I lose the ability to control who gets access to my photos (thumbs), even if I password protect them.
If I have misunderstood the situation, please help me understand it better.
Just a wild thought.:D Why not just make all thumbnail links generic. www.smugmug.com/photos/xxxxxxxxx-Th.jpg
No reference to any user domain or nickname. So you only see the thumb and
gives no hint of whose it is?
That answers half the question. I can see why thumbnails from a passworded gallery won't be indexed by Google, but what about thumbnails from an unlisted (and unpassworded) gallery? Will Google now see those thumbnails under the proposed scenario?
Another way to ask the question: Will SmugIslands (specifically Hello World) continue to function as advertised with your implementation of looser thumbnails?
And a suggestion ... if you decide to loosen viewing restrictions on thumbnails, it might be nice to give us the option to force all thumbnails to the tiny size (100x100) for an extra measure of comfort.
SmugIslands still continues to function, yes. Google will not index pages, images, or text found on unlisted galleries even if it somehow stumbles across one.
Further, when your kids get a little older and you take and post pictures of school events, you will probably find the same thing I do - that many schools have policies about not sharing photos of school kids that aren't password protected. Those policies don't say anything about how large the photo has to be before it has to be password protected or whether it's OK if the URL is hard to guess. It just says that if it's password protected, then everyone is cool with it. In general the administrator policing the policy is non-technical so explanations about why you don't meet the rules are difficult at best. If I meet that bar, even when someone knows about all the warts in the implementation, then I'm fine. I don't meet that bar, I don't have an opportunity to change the rules. I just have to play by the rules or I can't post the photos without getting individual permission from each parent (an impracticality).
I believe the new scenario would totally satisfy this requirement, even were the school or group to get into the nitty gritty technical details. A password is still required in either case, and in either case once a password has been given, the photos can be misappropriated easily.
When faced with a compromise that doesn't seem ideal, what I've been doing since I was a customer, a user, a software developer, a software manager, a software VP and a software CTO was to challenge the engineers to come up with a better option that is less of a compromise (or perhaps no compromise). By making folks think about other options and asking pointed questions, we sometimes come up with a better option. While I am just a Smugmug customer in this instance, you asked for feedback on your proposal, so it's in that spirit that I will challenge it a bit and ask for something better.
When you let images get cached at the edges, don't those images have a cache expiration time? If only non-password protected images were allowed to be cached and the cache expiration time could be set to something like 24 hours couldn't we have a better solution.
If a customer had a non-password protected gallery, all thumbs could be cached at the edges of the network. Better performance than today.
If a customer had a password protected gallery, maximum security would be provided and access to the thumbs would still require a password like they do today. Same performance and security as today.
If a customer had a password protected gallery that they removed the password from, caching could begin immediately because you'd start allowing them to be cached immediately.
If a customer had a non-password protected gallery that was already cached and the customer added a password to the gallery, the front door to the gallery would immediately respect the password (like it does today) and the only compromise in this scenario from today is that the thumbs cached at the edge would have to "time-out" from the cache (e.g. 24 hrs) before they required a password to be accessed.
This seems to me a lot better that what you are proposing. The password on the gallery page would take effect immediately so the front door would immediately be blocked by the password. The password on the back door (guessing URLs or URLs posted without your permission) would be enforced as soon as the cache expired. Once the cache expires, they get full protection just like today. If the caching works differently than this, please explain so I can understand where the issue is.
Wish we could do this, but if we did, we'd run into a problem where the users' browser would no longer cache the content longer than 24 hours, which would result in a net negative (ie, pages would get slower than they are today). Every step of caching along the way has to honor the cache timeouts, including both the edge servers and the client's cache.
The other big issue (and there are more smaller ones) is that with >300M photos, we have a massive amount of "long tail" stuff that's rarely accessed. The idea is to get that stuff, even if it's "cold", out to the edge so when it's accessed for the first time in a month, it's still fast. If only "hot" stuff that's been accessed in the last 24 hours is on the edges, things don't improve much. Most of the hits are to cold content.
If you implement what you are proposing, a completely factual article could be written with a headline "Smugmug not enforcing full password protection on password protected galleries". The salient points in the article could be:
Thumbnail images do not require that a password be entered before they display.
While the URLs are not easy to guess, thumbnail images are following the logic of unlisted galleries (hard to guess), not password protected galleries (requires password be entered before display).
This was done on purpose to enhance performance and allow better edge network caching, so it's an intended design, not a bug.
If you need (or think you need) "full password" protection that works even against URL guessing, you should not use Smugmug.
Yes, you could write a rebuttal that explains why most users are fine with this because the URL guessing is hard, but by then the damage has already been done. Do you really want to go there or take the risk of ending up there?
Actually, that's why we're talking about it here, in the open. Because the obvious next step is for me to blog about exactly what we're doing and why. We certainly don't want to get into covering something up - that's not how we roll.
Be tough to write an "exposé" on this when the CEO wrote the article himself.
This is not something we're afraid of or trying to hide - *if* we implement it (and that's far from a foregone conclusion), we'd be open, upfront, and honest about how this is good for our customers and good for our customers' customers.
I hope this doesn't turn into an argument. You asked what we thought so I'm trying to explain what I think and hopefully offering some helpful reasoning.
I guess the difference for me is that the onus is on me to make sure I only give out passwords to people I trust. That way, if a password gets out "into the world", I am responsible for that. In the new scheme, it seems like I lose the ability to control who gets access to my photos (thumbs), even if I password protect them.
If I have misunderstood the situation, please help me understand it better.
I suppose this is one way of looking at it, but in your scenario, the "bad person" who had your old password would have had to be very diligent at copying down each and every URL in your gallery.
It's far more likely he would have just saved your photos instead, since that's both simpler and fool-proof.
Just a wild thought.:D Why not just make all thumbnail links generic. www.smugmug.com/photos/xxxxxxxxx-Th.jpg
No reference to any user domain or nickname. So you only see the thumb and
gives no hint of whose it is?
Unless I'm missing something, that's not the scenario we're trying to avoid here. If I'm wrong, and people are worried about this (and 'Hide Owner' doesn't cut it for them), I'm all ears.
Wish we could do this, but if we did, we'd run into a problem where the users' browser would no longer cache the content longer than 24 hours, which would result in a net negative (ie, pages would get slower than they are today). Every step of caching along the way has to honor the cache timeouts, including both the edge servers and the client's cache.
The other big issue (and there are more smaller ones) is that with >300M photos, we have a massive amount of "long tail" stuff that's rarely accessed. The idea is to get that stuff, even if it's "cold", out to the edge so when it's accessed for the first time in a month, it's still fast. If only "hot" stuff that's been accessed in the last 24 hours is on the edges, things don't improve much. Most of the hits are to cold content.
If you allow long lifetime caching in browsers and on the edge, how does replace photo work? It seems like I could replace the photo on my site and things linking to it (blogs, forum postings, web pages, etc...) wouldn't see the new version of the photo for a very long time because the old version would get served out of cache for a long time. Isn't that a problem? Or is this caching only for thumbs?
If you allow long lifetime caching in browsers and on the edge, how does replace photo work?
Currently, when you replace photo (or adjust thumbnails), pages point to a slightly modified URL for the image: -Th-1.jpg instead of -Th.jpg. This forces the user to retrieve the uncached image.
However, following on from John's question, currently the -Th.jpg will give the same file as the -Th-1.jpg. If there is distributed caching that does not expire, how will the caches know to update their copy of the file with the latest version?
How about the following solution:
Have subtly different URLs for images within a password-protected gallery from images within a non-password-protected gallery (e.g. different image keys, possibly combined with a different image directory - you need to make sure that the protected URL is not guessable from the non-protected one). Push the non-password-protected URLs to the network, but keep the password-protected ones at smugmug.
The sole disadvantage of this is that if a gallery became publiccally cached, then the old thumbnail URLs might still be accessible. However, no-one will be able to discover these "public" URLs, so the images are safe. (The only people who would have the public URLs are people who saved the non-password-protected html page, and they might as well have saved the images along with the page, so this is an extremely unlikely situtation.)
Can you dumb this down for me? Here's how I understand it -
You are proposing to stop requiring a password for thumbs from any gallery. In order for someone to see any one thumb, they have to guess the URL, which currently with Imagekey is a 1 in 600 million shot. Even if they guessed one thumb from a gallery, they only found that particular one. They don't get access to the rest of the thumbs from that gallery. They would have to guess each 1 in 600,000,000 code all over again for each thumb they wanted to steal.
Is that right or am I missing something?
And if I am right, then I say go for it and bring on the speed!
Currently, when you replace photo (or adjust thumbnails), pages point to a slightly modified URL for the image: -Th-1.jpg instead of -Th.jpg. This forces the user to retrieve the uncached image.
However, following on from John's question, currently the -Th.jpg will give the same file as the -Th-1.jpg. If there is distributed caching that does not expire, how will the caches know to update their copy of the file with the latest version?
so in the case of a replaced photo, your browser would ask the edge server for the new photo (1234-L-1.jpg). The CDN server wont have that photo so it will ask SmugMug for it and from then on, it will live out on the CDN.
The problem would be if someone had linked a -Th or -Ti on a forum or somewhere. That url would never be updated with the incremented url so the CDN would never know that it was replaced. I don't think this will be a huge deal because the combination of linked replaced thumbnails would probably be very rare.
Personally, this sounds like a great idea to me, but I don't think you're going to convince the people who feel like they have a legal or ethical obligation to preserve security, no matter how many times you say "but it's just the tiny thumbnails" or point out that third parties with access could already share photos.
I say don't let the CDN cache protected images. Just document the fact that once an image is unprotected, the thumbnails can never be re-protected. Those who want security will just have to follow a workflow that that doesn't ever load a security-required image into an unprotected gallery. The rest of us can just enjoy the fast page loads.
Or you could just replicate your entire data center to key points around the world.
Aren't you going to offer larger thumbs at some point? If so, I think everyone should consider this question with the largest thumb size in mind that would not require a password.
My personal opinion is that I want all sizes of a password protected image to require the password before it can be accessed including thumbs. When I put a password on a gallery of kid's sports photos, I'm doing it because I'm making a promise to the parents that a password is required before the images can be accessed. If I didn't need a password and thought that a hard-to-guess URL was OK, I'd use unlisted galleries and sharegroups instead. But, that isn't what parents expect. They are comfortable with a password so that's what I use and as long as I use the password and it actually protects the photos, nobody complains about their kid's photos being on the internet (in fact, they enjoy having the photos).
As for efficient caching in places that are close to us on the network, isn't there a way that you can make it so that non-password protected thumbs are cached and password protected thumbs are not?
I also want performance, but I don't think it makes sense to compromise the basic security promise to make things faster. Imagine the article that could be written about Smugmug that says that passwords don't really protect everything. Yeah, they are hard to guess, but if that's all the security someone wanted, then use an unlisted gallery. A password protected gallery is supposed to be held to a higher standard.
I have to agree with John on my sports photos. I password protect the gallery for a reason. I have had a town choose me as their photographer solely due to the fact that I password protect the photos of the kids.
Just a wild thought.:D Why not just make all thumbnail links generic. www.smugmug.com/photos/xxxxxxxxx-Th.jpg
No reference to any user domain or nickname. So you only see the thumb and
gives no hint of whose it is?
Allen -
While an interesting idea many firewalls block social websites etc but do not block my own personal domain name which means people would not see thumbs in this case.
One - I guess I got ahead of myself and should have read all the posts firsts before replying in the middle since some of my questions are now answered.
To back up John for a sec, when we give the passwords out to the parents we are putting the onus and responsibility on the parents to decide how secure they want their kids pictures to be. We are no longer as responsible. If a parent decides to share that with grandma or their child them self then they have done it. I didn't just hand out cards to anyone I could find and then I am responsible for the issue. The clubs I have dealt with have taken it very seriously and have also taken the personal responsibility part of it to heart. The number of thank yous I have gotten from coaches when a parent I don't know from Adam requests a password and I always forward the note to the coach to take care of is many.
I would love to see the speed improvements and I think I understand most of the arguments (and by the way FF3 makes a tremendous difference in speed) I still have a nagging feeling somewhere and need to figure out what it is. I am sure as this debate goes on it will surface.
The issue for pros might be connected to copyright and then the argument that watermarking and low res of thumbnails is enough protection is ok but smugmug is for family photos too. Smugmug has built it´s reputation on a claim of "easy to handle security". No accounts and logins but still bomb proof security. I don´t want my family life exposed on the internet. Even if it´s just thumbnail sizes. Password protection means password protection and that´s that. Thumbnails are enough for a good snooper to understand enough about my family habbits and recognize people in close-ups.
You can claim that hard to guess URLs are enough but there is a fundamental difference between passwords and "hard to guess". If my images are password protected and available only on your server then any access to my images is a clear violation of my rights. If the images are hard to find but public (and served in a third party cache) then they are technically public and I cannot prosecute anyone for accessing them.
When image recognition technology gets good I don´t want any private or government ownned "google bot like" engine searching through my images.
This is a fundamental difference in concept and if my family thumbnails go public then I will have to pull them out of the service. I believe many of your "family photo" users will too.
As DJ-S1 said, the chance of someone being able to figure out a URL to a thumbnail seems so remote, that I can't even fathom how or why someone would try.
I feel like I understand how it works, so I love to hear from people that don't want this implemented, how could someone who doesn't have the gallery password access the unprotected thumb? Would it be a matter of writing a script to guess all of the potentially different URLs?
SmugIslands still continues to function, yes. Google will not index pages, images, or text found on unlisted galleries even if it somehow stumbles across one.
That's good news. So long as SmugIslands functionality will not change (even for thumbnails), that satisfies my comfort level. My SmugMug site and galleries are not passworded because I want unfettered access for family/friends who know the URL. But I don't want to advertise our family photos to the world through Google searches. For this I rely on SmugIslands - and it does the job quite satisfactorily (thanks again for going through the effort to make that happen). I am not too concerned about the infrequent visitor who may stumble across our unpassworded SmugMug site in a random way. Those types of visits will be rare if our photos are not advertised through Google searches.
You can claim that hard to guess URLs are enough but there is a fundamental difference between passwords and "hard to guess". If my images are password protected and available only on your server then any access to my images is a clear violation of my rights. If the images are hard to find but public (and served in a third party cache) then they are technically public and I cannot prosecute anyone for accessing them.
I hate to point out the obvious, but I'm 99.99% sure your passwords are *far* easier to guess than our "hard to guess" thumbnail URLs.
And, of course, when they guess your password, they get access to all your images in that gallery (or your account with a site-wide password, or total control if they guess your login password, which is also easier to guess than our thumbnail URLs).
Now, this never happens, because guessing your password is also incredibly difficult so no-one bothers. But if they wanted to, it'd be easier than trying to guess the thumbnail URL.
I *may* have a solution whereby we can maintain our existing security *and* cache on the edge. I'm working it out now. I hope I can.
I don't want to derail this conversation, though, which is quite good, so by all means, please continue voicing any concerns, questions, agreements, or disagreements.
You can claim that hard to guess URLs are enough but there is a fundamental difference between passwords and "hard to guess". If my images are password protected and available only on your server then any access to my images is a clear violation of my rights. If the images are hard to find but public (and served in a third party cache) then they are technically public and I cannot prosecute anyone for accessing them.
When image recognition technology gets good I don´t want any private or government ownned "google bot like" engine searching through my images.
Robert
Any views on my post about the implications that "hard to guess" is technically public while password protected is oficcialy private?
Any views on my post about the implications that "hard to guess" is technically public while password protected is oficcialy private?
Robert
Don has a pretty good point. Neither is fully public. A fully public thing would be something you could browse to without having to guess anything.
A password protected gallery requires a password before offering access to the whole gallery.
An obscure URL requires an image number and an image key before offering access to the image represented by the URL.
One could guess the password and get access to the whole gallery.
One could guess the image number and image key and get access to that particular thumb.
If the image number and image key are harder for someone to guess than the password, then the passworded gallery is actually the weaker security and, conversely, the thumb URL is actually stronger security.
I know this seems a little couterintuitive. Passworded things seem like they're under lock and key and you can only get in once you have the password. Obscure URLs seem like they are sitting on the internet just waiting for someone to guess them so how could they possibly be as secure? But, that is just how it seems, not how it really is. Imagine that the obscure URL is actually a combination lock and that lock only produces the image when both the image number and the image key are entered into the lock. Now, perhaps you can see that it might even be more secure than your password protected gallery. It depends upon the quality of your password vs the image number/image key.
I fully understand the concept of "hard to guess" or "nearly impossible to guess" url. They may be in fact more secure than my password. The issue is not security but the underlying concept of making the images "publically available". I have no idea what kind of new bot / image interpreting software / new technology will be available out there. I have no idea who runs these third party caches and how they store/use the data that is there. What I do know is that google is making fortunes out organizing and providing universal access to publically available data. If my thumbnails are password protected it is clear to any law abiding company that they are not for public use. If they are not password protected, then they are publically avalilable (even though hard to find) and if found may be used at will. This is the real issue.
For hackers and identity theifs I trust Smugmug´s hard to guess urls and undisclosed anti guessing algorythms. More even than I trust my passwords (or friends for that matter)
I *may* have a solution whereby we can maintain our existing security *and* cache on the edge. I'm working it out now. I hope I can.
I don't want to derail this conversation, though, which is quite good, so by all means, please continue voicing any concerns, questions, agreements, or disagreements.
Hope this turns out to be true. However, if not, after a few days of mulling this over, I support your original proposal. Thanks for opening up the conversation.
Any views on my post about the implications that "hard to guess" is technically public while password protected is oficcialy private?
Robert
I guess that depends...
What prevents someone from guessing your password?
Or do you consider your password "hard to guess"?
Technically they just became the same. In some ways, the URL is probably harder to guess, so maybe your password protected galleries are public and the thumbs are private.
I don't personally have any problem with the proposed change (but I don't password protect my galleries). What I wanted to say is that Robert's sense of public vs. private still stands regardless of how relatively easy or difficult a password may be with respect to the URL. Unless SmugMug can somehow "brand" the URLS (explicitly) as secure that question of public/private makes all the difference. It may be a semantic argument but I think it is valid, particularly when, as Robert says, someone accesses your images without authorization. I'm not a lawyer, but I suspect you'd have an easier time getting redress if the perpetrator guessed a password than if they guessed a URL. Maybe it's just a matter of calling the URLs "encrypted" or something along those lines. Mostly just thinking "aloud" here.
It may be a semantic argument but I think it is valid, particularly when, as Robert says, someone accesses your images without authorization. I'm not a lawyer, but I suspect you'd have an easier time getting redress if the perpetrator guessed a password than if they guessed a URL.
Precisely my point. And it´s not only so to the eyes of the law, It´s to the eyes of the "perpetrator" too. When there was the blog post about Smugmugs security issues in the beginning of the year (the one that ended up in implementing keys on urls) I bet many of you (as I did) tried out different urls, just to se what came up (maybe those skinny dipping shots that were mentioned in the post). I didn´t feel I was doing anything wrong, after all if the photos were accessible via a link then they were public. But if the post said "I hacked into so and so´s account, here is the url and passoword" I bet many people would not click (I wouldn´t) because it just feels wrong.
This is just to illustrate the point that the semantic issue of public/private caused by the existance or not of a password (easy or not) is extremely relevant to the point. I will only consider my photos private if they have a password. I bet most of society feels that way too. And I´m glad for the hard to guess urls because they increase security, but it´s the easy to guess password that makes things private.
It´s like with the cops. They need a warrant to look inside my house but they can look freely into my open garage or in my trash. After all it´s in "plain sight". Unpassworded galleries (even though hard to find) are technically in plain sight.
Comments
OK, thanks, gs
http://georgesphotos.net
I guess the difference for me is that the onus is on me to make sure I only give out passwords to people I trust. That way, if a password gets out "into the world", I am responsible for that. In the new scheme, it seems like I lose the ability to control who gets access to my photos (thumbs), even if I password protect them.
If I have misunderstood the situation, please help me understand it better.
www.smugmug.com/photos/xxxxxxxxx-Th.jpg
No reference to any user domain or nickname. So you only see the thumb and
gives no hint of whose it is?
My Website index | My Blog
SmugIslands still continues to function, yes. Google will not index pages, images, or text found on unlisted galleries even if it somehow stumbles across one.
I believe the new scenario would totally satisfy this requirement, even were the school or group to get into the nitty gritty technical details. A password is still required in either case, and in either case once a password has been given, the photos can be misappropriated easily.
Wish we could do this, but if we did, we'd run into a problem where the users' browser would no longer cache the content longer than 24 hours, which would result in a net negative (ie, pages would get slower than they are today). Every step of caching along the way has to honor the cache timeouts, including both the edge servers and the client's cache.
The other big issue (and there are more smaller ones) is that with >300M photos, we have a massive amount of "long tail" stuff that's rarely accessed. The idea is to get that stuff, even if it's "cold", out to the edge so when it's accessed for the first time in a month, it's still fast. If only "hot" stuff that's been accessed in the last 24 hours is on the edges, things don't improve much. Most of the hits are to cold content.
Actually, that's why we're talking about it here, in the open. Because the obvious next step is for me to blog about exactly what we're doing and why. We certainly don't want to get into covering something up - that's not how we roll.
Be tough to write an "exposé" on this when the CEO wrote the article himself.
This is not something we're afraid of or trying to hide - *if* we implement it (and that's far from a foregone conclusion), we'd be open, upfront, and honest about how this is good for our customers and good for our customers' customers.
Can't imagine an argument with you.
This is how I see it, too.
I suppose this is one way of looking at it, but in your scenario, the "bad person" who had your old password would have had to be very diligent at copying down each and every URL in your gallery.
It's far more likely he would have just saved your photos instead, since that's both simpler and fool-proof.
Unless I'm missing something, that's not the scenario we're trying to avoid here. If I'm wrong, and people are worried about this (and 'Hide Owner' doesn't cut it for them), I'm all ears.
If you allow long lifetime caching in browsers and on the edge, how does replace photo work? It seems like I could replace the photo on my site and things linking to it (blogs, forum postings, web pages, etc...) wouldn't see the new version of the photo for a very long time because the old version would get served out of cache for a long time. Isn't that a problem? Or is this caching only for thumbs?
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
However, following on from John's question, currently the -Th.jpg will give the same file as the -Th-1.jpg. If there is distributed caching that does not expire, how will the caches know to update their copy of the file with the latest version?
How about the following solution:
Have subtly different URLs for images within a password-protected gallery from images within a non-password-protected gallery (e.g. different image keys, possibly combined with a different image directory - you need to make sure that the protected URL is not guessable from the non-protected one). Push the non-password-protected URLs to the network, but keep the password-protected ones at smugmug.
The sole disadvantage of this is that if a gallery became publiccally cached, then the old thumbnail URLs might still be accessible. However, no-one will be able to discover these "public" URLs, so the images are safe. (The only people who would have the public URLs are people who saved the non-password-protected html page, and they might as well have saved the images along with the page, so this is an extremely unlikely situtation.)
You are proposing to stop requiring a password for thumbs from any gallery. In order for someone to see any one thumb, they have to guess the URL, which currently with Imagekey is a 1 in 600 million shot. Even if they guessed one thumb from a gallery, they only found that particular one. They don't get access to the rest of the thumbs from that gallery. They would have to guess each 1 in 600,000,000 code all over again for each thumb they wanted to steal.
Is that right or am I missing something?
And if I am right, then I say go for it and bring on the speed!
so in the case of a replaced photo, your browser would ask the edge server for the new photo (1234-L-1.jpg). The CDN server wont have that photo so it will ask SmugMug for it and from then on, it will live out on the CDN.
The problem would be if someone had linked a -Th or -Ti on a forum or somewhere. That url would never be updated with the incremented url so the CDN would never know that it was replaced. I don't think this will be a huge deal because the combination of linked replaced thumbnails would probably be very rare.
I say don't let the CDN cache protected images. Just document the fact that once an image is unprotected, the thumbnails can never be re-protected. Those who want security will just have to follow a workflow that that doesn't ever load a security-required image into an unprotected gallery. The rest of us can just enjoy the fast page loads.
Or you could just replicate your entire data center to key points around the world.
I have to agree with John on my sports photos. I password protect the gallery for a reason. I have had a town choose me as their photographer solely due to the fact that I password protect the photos of the kids.
I like the idea of choosing on or off.
Brian
http://photos.katzclix.com
blog - http://blog.katzclix.com
While an interesting idea many firewalls block social websites etc but do not block my own personal domain name which means people would not see thumbs in this case.
Brian
http://photos.katzclix.com
blog - http://blog.katzclix.com
To back up John for a sec, when we give the passwords out to the parents we are putting the onus and responsibility on the parents to decide how secure they want their kids pictures to be. We are no longer as responsible. If a parent decides to share that with grandma or their child them self then they have done it. I didn't just hand out cards to anyone I could find and then I am responsible for the issue. The clubs I have dealt with have taken it very seriously and have also taken the personal responsibility part of it to heart. The number of thank yous I have gotten from coaches when a parent I don't know from Adam requests a password and I always forward the note to the coach to take care of is many.
I would love to see the speed improvements and I think I understand most of the arguments (and by the way FF3 makes a tremendous difference in speed) I still have a nagging feeling somewhere
Brian
http://photos.katzclix.com
blog - http://blog.katzclix.com
You can claim that hard to guess URLs are enough but there is a fundamental difference between passwords and "hard to guess". If my images are password protected and available only on your server then any access to my images is a clear violation of my rights. If the images are hard to find but public (and served in a third party cache) then they are technically public and I cannot prosecute anyone for accessing them.
When image recognition technology gets good I don´t want any private or government ownned "google bot like" engine searching through my images.
This is a fundamental difference in concept and if my family thumbnails go public then I will have to pull them out of the service. I believe many of your "family photo" users will too.
Robert
As DJ-S1 said, the chance of someone being able to figure out a URL to a thumbnail seems so remote, that I can't even fathom how or why someone would try.
I feel like I understand how it works, so I love to hear from people that don't want this implemented, how could someone who doesn't have the gallery password access the unprotected thumb? Would it be a matter of writing a script to guess all of the potentially different URLs?
Just as a note, we have specific ways to deal with this. I don't know how much we are willing to reveal beyond what Don said:
"And, of course, while someone is guessing, we're busy watching them guess (and fail) and taking corrective action."
But rest assured, we don't just let people make it a guessing game with a script.
I hate to point out the obvious, but I'm 99.99% sure your passwords are *far* easier to guess than our "hard to guess" thumbnail URLs.
And, of course, when they guess your password, they get access to all your images in that gallery (or your account with a site-wide password, or total control if they guess your login password, which is also easier to guess than our thumbnail URLs).
Now, this never happens, because guessing your password is also incredibly difficult so no-one bothers. But if they wanted to, it'd be easier than trying to guess the thumbnail URL.
I don't want to derail this conversation, though, which is quite good, so by all means, please continue voicing any concerns, questions, agreements, or disagreements.
Any views on my post about the implications that "hard to guess" is technically public while password protected is oficcialy private?
Robert
Don has a pretty good point. Neither is fully public. A fully public thing would be something you could browse to without having to guess anything.
A password protected gallery requires a password before offering access to the whole gallery.
An obscure URL requires an image number and an image key before offering access to the image represented by the URL.
One could guess the password and get access to the whole gallery.
One could guess the image number and image key and get access to that particular thumb.
If the image number and image key are harder for someone to guess than the password, then the passworded gallery is actually the weaker security and, conversely, the thumb URL is actually stronger security.
I know this seems a little couterintuitive. Passworded things seem like they're under lock and key and you can only get in once you have the password. Obscure URLs seem like they are sitting on the internet just waiting for someone to guess them so how could they possibly be as secure? But, that is just how it seems, not how it really is. Imagine that the obscure URL is actually a combination lock and that lock only produces the image when both the image number and the image key are entered into the lock. Now, perhaps you can see that it might even be more secure than your password protected gallery. It depends upon the quality of your password vs the image number/image key.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
For hackers and identity theifs I trust Smugmug´s hard to guess urls and undisclosed anti guessing algorythms. More even than I trust my passwords (or friends for that matter)
Robert
Hope this turns out to be true. However, if not, after a few days of mulling this over, I support your original proposal. Thanks for opening up the conversation.
Swim for Them | WellmanHouse.net | AlbumFetcher | SmugShowBuilder
I guess that depends...
What prevents someone from guessing your password?
Or do you consider your password "hard to guess"?
Technically they just became the same. In some ways, the URL is probably harder to guess, so maybe your password protected galleries are public and the thumbs are private.
Precisely my point. And it´s not only so to the eyes of the law, It´s to the eyes of the "perpetrator" too. When there was the blog post about Smugmugs security issues in the beginning of the year (the one that ended up in implementing keys on urls) I bet many of you (as I did) tried out different urls, just to se what came up (maybe those skinny dipping shots that were mentioned in the post). I didn´t feel I was doing anything wrong, after all if the photos were accessible via a link then they were public. But if the post said "I hacked into so and so´s account, here is the url and passoword" I bet many people would not click (I wouldn´t) because it just feels wrong.
This is just to illustrate the point that the semantic issue of public/private caused by the existance or not of a password (easy or not) is extremely relevant to the point. I will only consider my photos private if they have a password. I bet most of society feels that way too. And I´m glad for the hard to guess urls because they increase security, but it´s the easy to guess password that makes things private.
It´s like with the cops. They need a warrant to look inside my house but they can look freely into my open garage or in my trash. After all it´s in "plain sight". Unpassworded galleries (even though hard to find) are technically in plain sight.
Robert