Does Smugmug consider this security issue a bug?

jfriend Registered Users Posts: 8,097 Major grins
edited May 24, 2006 in SmugMug Support
I think this has been discussed before, but I don't know what the resolution was and I'd like to know if Smugmug considers this a bug worth fixing or not.

First, password protect a gallery.

Then, go to one of the images in the gallery. All URLs for gallery pages do require a password before access is granted. For example, this URL: http://jfriend.smugmug.com/gallery/1293128/1/60513030 requires password protection.

But, a direct link to the same image does not require a password before the image is shown. This image: http://jfriend.smugmug.com/photos/60513030-L.jpg will display without any password prompt.

This seems like a security design flaw to me. Shouldn't all access to an image require that the password be provided before access is granted? Is there a reason that smugmug doesn't want to offer this full protection?

Here are some of the practical issues that arise out of this implementation:
1) You can't cut off direct linking by adding a password to a gallery.
2) You can't control access to images "after-the-fact" by adding a password to a gallery. Once the image URLs are known, they are accessible, even if you subsequently add a password.
3) You can't prevent one person from giving out URLs to password protected images, even by changing the password. So, once a gallery is compromised, there's no way to re-secure it without deleting it and starting over.
4) Because image URLs are quasi predictable (e.g. they aren't a sparse numeric space and they appear to be roughly sequentially increasing), it's easy to guess lots of image URLs, some of which will be in pwd protected galleries and not be challenged for a password before viewing them. You try this yourself. Pick an image URL from one of your own galleries. Then change one digit in the last part of the URL and the browser will usually display a different image (likely not yours). Some of these other images that you can find in this manner will be in private galleries and some will be in password protected galleries.

I was trying to think of an analogy that describes this. It feels like you are locking the front door (with the password), but there's an unlocked side door that's fairly hidden. The only protection is that most people don't know about the hidden, unlocked side door. Since the key to the protection is the obscurity of the unlocked side door, folks in the security business often refer to this type of protection as obscurity rather than security. Sometimes obscurity can be appropriate, but in this case, it feels like there's some consequences which make me uncomfortable and, I think, would make others uncomfortable if they understood it too.
--John
HomepagePopular
JFriend's javascript customizationsSecrets for getting fast answers on Dgrin
Always include a link to your site when posting a question

Comments

  • Andy Registered Users Posts: 50,016 Major grins
    edited May 9, 2006
    John,

    I turned off external links in that gallery and then the image

    http://jfriend.smugmug.com/photos/60513030-L.jpg

    is not viewable by me.

    Is that not what you'd expect...? Or, do you want your cake and eat it too lol3.gif
  • jfriend Registered Users Posts: 8,097 Major grins
    edited May 9, 2006
    Should external linking be off by default in pwd protected galleries
    Andy wrote:
    John,

    I turned off external links in that gallery and then the image

    http://jfriend.smugmug.com/photos/60513030-L.jpg

    is not viewable by me.

    Is that not what you'd expect...? Or, do you want your cake and eat it too lol3.gif

    Please do not mess with my gallery settings without asking. I turned external linking back on because I want others who read this thread to be able to understand the current state of affairs. This is not a sensitive gallery which is why I picked it for this demonstration.

    I guess that turning off external linking is a partial solution. I don't know the details of what all that really prevents to know if that's a full solution or not.

    I think you should consider that your service would be considerably more secure for most users if you automatically switched off external linking when a gallery password is configured (Ok with me if a user then turns external linking back on, then they are getting what they asked for). As it is I would bet that something like >95% (maybe even 99%) of the password protected galleries on smugmug have not turned off external linking, are not aware of their current vulnerabilities and thus they think they are more secure than they actually are.
    --John
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 9, 2006
    jfriend wrote:
    Please do not mess with my gallery settings without asking. I turned external linking back on because I want others who read this thread to be able to understand the current state of affairs.
    Fine - but it's a flawed example :D
    jfriend wrote:
    This is not a sensitive gallery which is why I picked it for this demonstration.

    I guess that turning off external linking is a partial solution. I don't know the details of what all that really prevents to know if that's a full solution or not.
    Whenever an image is delivered outside of SmugMug, you and we, have no control over it. If you allow external linking, then the image is gettable. My point in turning the links off, was to show that if the gallery is set properly, your scenario doesn't play out.

    jfriend wrote:
    I think you should consider that your service would be considerably more secure for most users if you automatically switched off external linking when a gallery password is configured (Ok with me if a user then turns external linking back on, then they are getting what they asked for). As it is I would bet that something like >95% (maybe even 99%) of the password protected galleries on smugmug have not turned off external linking, are not aware of their current vulnerabilities and thus they think they are more secure than they actually are.
    The problem with setting ext links to OFF by default, is that way the majority of folks want this ability.

    I'll see if we can make our doco more clear.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited May 9, 2006
    I'm done
    Andy wrote:
    Fine - but it's a flawed example :D

    Whenever an image is delivered outside of SmugMug, you and we, have no control over it. If you allow external linking, then the image is gettable. My point in turning the links off, was to show that if the gallery is set properly, your scenario doesn't play out.



    The problem with setting ext links to OFF by default, is that way the majority of folks want this ability.

    I'll see if we can make our doco more clear.
    Well, you've pissed me off with your tone and defensive attitude so I think I'll bow out of this discussion. I thought I was pointing out a legitimate issue that likely afflicts a lot of your customers. And, then I thought I made a very practical and productive suggestion which I don't think you took the time to understand.

    I suggested that when a user assigns a password to a gallery, then and only then you should turn external linking to off. Changing some doc won't make much of a difference on this one.
    --John
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 9, 2006
    jfriend wrote:
    Well, you've pissed me off with your tone and defensive attitude so I think I'll bow out of this discussion. I thought I was pointing out a legitimate issue that likely afflicts a lot of your customers. And, then I thought I made a very practical and productive suggestion which I don't think you took the time to understand.

    I suggested that when a user assigns a password to a gallery, then and only then you should turn external linking to off. Changing some doc won't make much of a difference on this one.

    Signing off.
    Whoa!

    Wow John, I can see you are upset about this. If you've taken my words for anything other than genuinely good discussion about the topic, I'm terribly sorry!

    See, that's why I try to use emoticons when I type messages here.

    We very much appreciate your input, and it's highly valued. You take the time to carefully tell us how you feel about an issue, and then you lay it out to us.

    Now what part of me saying I'll see if we can improve our help docs says to you that I'm being defensive about this? ear.gif
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited May 9, 2006
    John,

    A) I see your point about external links. I didn't at first, as it's intended behavior, but I do now.

    B) Andy's just trying to help, he's far from perfect, but generally does a pretty good job.

    C) You going off in a huff doesn't serve anyone. Even if Andy had been a condescending Richard (which I don't think he was), just let him know how you feel, and he'll make adjustments. I don't know, but for all the great service and support we get, I feel a little slack here is merited, and getting ticked off and taking your ball home just doesn't serve anyone.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • jfriend Registered Users Posts: 8,097 Major grins
    edited May 9, 2006
    OK, let's discuss it further
    DavidTO wrote:
    John,

    A) I see your point about external links. I didn't at first, as it's intended behavior, but I do now.

    B) Andy's just trying to help, he's far from perfect, but generally does a pretty good job.

    C) You going off in a huff doesn't serve anyone. Even if Andy had been a condescending Richard (which I don't think he was), just let him know how you feel, and he'll make adjustments. I don't know, but for all the great service and support we get, I feel a little slack here is merited, and getting ticked off and taking your ball home just doesn't serve anyone.
    OK, thanks for bringing me back to the discussion David. Here's why I got pissed.

    Security, whether it's consumer security, enterprise security or military security is all about meeting the customer's expectations. To do that well you have to carefully set the right expectation and then you have to meet it. If you set one expectation and don't deliver that expectation, even if you have all the right features elsewhere in the product that could have met the expectation, many customers will think your product is insecure and many customers will configure it in a way that is not as secure as they think it is. Both are bad.

    To me, this is a clear case of Smugmug NOT meeting the customer's security expectations when they set a gallery password. Yes, the customer's expectations could be met if they also know to turn off external linking, but no other example in the world that a customer is likely familiar with requires them to know that or think about that. When they enable a password for a gallery, their expectation is that NOTHING in that gallery can be accessed in any way by the public without the appropriate password being entered. So, what happens in 99% of the cases is that the customer turns on the password and assumes they have full password security when, in reality, they don't. That is a security problem. The customer's security expectations have not been met. They are walking around with galleries that are not as secure as they think they are.

    What pissed me off was that Andy first made what I considered to be a snide remark: "have your cake and eat it too". Then he called my example a "flawed example" when I believe it is the most common case on Smugmug and is not meeting the security expectations of customers and did not meet my own security expectations.

    Then, he didn't actually read and understand my suggestion. He responded quickly to say that the majority of folks want external linking when it is highly unlikely that the majority of folks want external linking on passworded galleries (I think the opposite of his statement is true). Andy, for your benefit, I read your words - the emoticons don't mean anything to me and don't make it less likely I will take your words at face value.

    So, at that point, it appeared to me that Andy wasn't really interested in understanding why customer's security expectations were not being met. He had tried to get me to go away twice and I knew if I kept writing back, the discussion was unlikely to go anywhere productive. So I told him I was pissed and figured I would stop participating in an unproductive discussion.

    In my business, if a customer called in with security concerns (whether they were legitimate or not) and was treated this way by a person in our support organization, we would not tolerate it (they may even be terminated). All reports of security issues should be taken seriously and fully understood before responding. If you don't, then your company will get a reputation of not really being serious about security (which smugmug is flirting with because of these kinds of flip answers or disinterest in really understanding what the customer is concerned about). I'm not suggesting that anyone should be terminated here, but I am trying to point out that this stuff should be taken a lot more seriously than it appears to be or smugmug will continue to build its reputation that it only sort-of cares about security and maybe only when it's convenient to implement.

    Now, onto this issue. When a customer sets a gallery password, their expectation is governed by their set of prior experiences and by what they see in the Smugmug UI. In this case, there's nothing out of the ordinary in the Smugmug UI. They set a password and aren't told anything else to guide their expectations. So, their expectation is entirely shaped by their other experiences with passwords.

    In NONE of those other customer experiences that I can think of do they also have to find some other option and change it in order to really protect everything with the password. They expect that the password will be required for any access to that gallery. The most obvious way to meet the user's expectations would be to refuse direct link image requests if they didn't come with the appropriate passworded cookie for that gallery, using the same logic Smugmug uses to determine whether to challenge someone with the password screen when they come knocking on the front door of the gallery. That is technically doable by a web server with custom coding. I don't know how hard it would be for Smugmug to do that, but it's doable.

    Let's look at a common example that some users will already know about. If you set up a shared, but password protected directory of files in the Windows file system, NO access is permitted unless the password credentials are provided first. It doesn't matter if you already knew the path to a file or you can guess the path to a file. You won't get it until you enter the password. Then, once you've entered the password, you will be able to either browse the files or access them directly via the path (like direct linking) until your credentials expire. And, your credentials are checked on every access whether it comes via the front door (file browsing) or via the side door (direct access via a file path).

    Since I'm aware that some things are harder to implement than other things, I didn't even say I expected Smugmug to deliver the most obvious solution to the problem as described above. Instead, I suggested an even easier solution which was to automatically turn external linking off for that gallery when it is configured for a password. This would also serve to meet most user's security expectations and is clearly not something that's hard to do.

    Here's my summary:
    • With security, the most important thing is to meet the customer's security expectation.
    • A password protected gallery currently sets an expectation that ALL access to the content of the gallery is protected by the password.
    • Because external linking is "on" by default, even in password protected galleries and most users won't realize or understand this, their security expectations are not being met.
    • This problem could be addressed in three ways:
      • Clearly change the customer's expectation in the UI
      • Enforce password access even on external linking (like most password protected systems)
      • Turn off external linking when a password is set (it's OK if the customer turns it back on afterwards because at that point, they'd be getting what they asked for)
    --John
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 9, 2006
    jfriend wrote:
    Andy, for your benefit, I read your words - the emoticons don't mean anything to me and don't make it less likely I will take your words at face value.

    I'm truly sorry about that, John. Not for me, for you. Internet communication is hard enough - emoticons help to soften it and make it more personal. You can take my meaning however you wish, I'll stand by my comments, and my intentions - which are pure, sincere, and honest.

    We love your well thought out input. And every one of your words is read carefully and considered.
    Thanks again for taking the time to further the discussion.
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited May 9, 2006
    I think that enabling something blind to the user is a problem. EDIT: I mean disabling something blind to the user. Well, enabling OR disabling, changing anything blind to the user. You need to let them know, or better yet, ask permission.


    I do think that a message like this would be appropriate: "It appears you are setting this gallery to be protected. Would you also like to disable external linking? As long as you have this feature enabled, you are leaving a back door open to getting your files."

    I'm sure it could be worded better than that, but that's the idea.
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited May 9, 2006
    jfriend wrote:
    This problem could be addressed in three ways:
    • Clearly change the customer's expectation in the UI
    • Enforce password access even on external linking (like most password protected systems)
    • Turn off external linking when a password is set (it's OK if the customer turns it back on afterwards because at that point, they'd be getting what they asked for)
    This gets my signature! I never really felt good about this problem either. Even I tend to forget about the external links and I consider myself a bit more than the average user. mwink.gif
    Turn it off by default if the user begins typing in a password and show a message on the site.
    When the user enables external linking in any password protected gallery notify him immediately that this is a possible security leak by showing a short message on the side. So in case he forgot about that he password protected those images in the gallery he'll be reminded effectively.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • Khaos Registered Users Posts: 2,435 Major grins
    edited May 9, 2006
    (edited)

    Never mind.

    I get myself in trouble when I speak.
  • Barb Administrators Posts: 3,352 SmugMug Employee
    edited May 9, 2006
    DavidTO wrote:
    I do think that a message like this would be appropriate: "It appears you are setting this gallery to be protected. Would you also like to disable external linking? As long as you have this feature enabled, you are leaving a back door open to getting your files."

    I think this is a great idea!
    Barb
    Smug since 2006
    SmugMug Help
    PhotoscapeDesign
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited May 9, 2006
    Khaos wrote:
    I get myself in trouble when I speak.


    Hey, me too!
  • Andy Registered Users Posts: 50,016 Major grins
    edited May 9, 2006
    Khaos wrote:
    (edited)

    Never mind.

    I get myself in trouble when I speak.
    Evidently I do, too :uhoh

    Yo John - bury the hatchet, man - I really don't know why you are so pissed - but I really really really swear that I don't mean any disrespect to you. And we listen. And every single post and word you write gets seen by our product manager and engineers.

    OK? ear.gif
  • dogwood Registered Users Posts: 2,572 Major grins
    edited May 9, 2006
    i like this idea too
    DavidTO wrote:
    I do think that a message like this would be appropriate: "It appears you are setting this gallery to be protected. Would you also like to disable external linking? As long as you have this feature enabled, you are leaving a back door open to getting your files."

    But I must admit, the moment I give a password to someone (even a client), it seems like they share it with everyone they know. I mainly use the passwords to give the impression I'm not just willy-nilly posting images of people from portrait shoots or events or whatever, even though I always get releases or make sure my usage/posting is legal. But when I check my stats, it does seem like the clients themselves send those passwords to people (probably relatives/friends) around the country.

    This is not to say the original post isn't legit-- just wanted to describe my own experiences with the password protected galleries.

    Portland, Oregon Photographer Pete Springer
    website blog instagram facebook g+

  • onethumb Administrators Posts: 1,269 Major grins
    edited May 9, 2006
    jfriend wrote:
    I think this has been discussed before, but I don't know what the resolution was and I'd like to know if Smugmug considers this a bug worth fixing or not.

    First, password protect a gallery.

    Then, go to one of the images in the gallery. All URLs for gallery pages do require a password before access is granted. For example, this URL: http://jfriend.smugmug.com/gallery/1293128/1/60513030 requires password protection.

    But, a direct link to the same image does not require a password before the image is shown. This image: http://jfriend.smugmug.com/photos/60513030-L.jpg will display without any password prompt.

    This seems like a security design flaw to me. Shouldn't all access to an image require that the password be provided before access is granted? Is there a reason that smugmug doesn't want to offer this full protection?

    Here are some of the practical issues that arise out of this implementation:
    1) You can't cut off direct linking by adding a password to a gallery.
    2) You can't control access to images "after-the-fact" by adding a password to a gallery. Once the image URLs are known, they are accessible, even if you subsequently add a password.
    3) You can't prevent one person from giving out URLs to password protected images, even by changing the password. So, once a gallery is compromised, there's no way to re-secure it without deleting it and starting over.
    4) Because image URLs are quasi predictable (e.g. they aren't a sparse numeric space and they appear to be roughly sequentially increasing), it's easy to guess lots of image URLs, some of which will be in pwd protected galleries and not be challenged for a password before viewing them. You try this yourself. Pick an image URL from one of your own galleries. Then change one digit in the last part of the URL and the browser will usually display a different image (likely not yours). Some of these other images that you can find in this manner will be in private galleries and some will be in password protected galleries.

    I was trying to think of an analogy that describes this. It feels like you are locking the front door (with the password), but there's an unlocked side door that's fairly hidden. The only protection is that most people don't know about the hidden, unlocked side door. Since the key to the protection is the obscurity of the unlocked side door, folks in the security business often refer to this type of protection as obscurity rather than security. Sometimes obscurity can be appropriate, but in this case, it feels like there's some consequences which make me uncomfortable and, I think, would make others uncomfortable if they understood it too.


    We don't - it's designed this way.

    It was a tough decision (and actually, I think it was discussed here on dgrin maybe 3 years ago), but here's how it went down:

    - When first shipped, SmugMug wouldn't show Passworded photos AT ALL without a password.

    - We got a load of angry customer support email because their blogs and forum posts were showing up with broken images. It never occurred to us that people might want to externally link images but have them be passworded on the site. We were shocked, but open to adapting. (This is one of those times where customers showed us just how wrong our assumptions were. I hope we listen well each time).

    - The conclusion everyone (at the time) came to was that if External was set to ON, then the Password option would be ignored for viewing the individual photos. That way someone could secure their gallery and still post to their blog/forum/whatever.

    I don't think we can change the functionality since it would wipe out massive numbers of external links.

    What we could possibly do, though, is show a warning that with external linking on, someone could theoretically "guess" their Image # and get to their photo, or existing links will still work, etc.

    Does that sound viable?

    Don
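
Added example, not part of any post in this thread and not SmugMug's code: a simplified Python model of the authorization decision for a direct image request, contrasting the behaviour described above (external linking ON means the gallery password is ignored for individual photos) with the two fixes proposed earlier in the thread (check the gallery unlock cookie on every image request; turn external linking off when a password is set). All names (`Gallery`, `unlock`, `allow_image_enforced`, and so on) and the cookie format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Per-process signing key for the demo (constructed; a real service would
# load a persistent secret).
SERVER_KEY = os.urandom(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Gallery:
    gallery_id: int
    external_links: bool = True       # ON by default, as the thread describes
    salt: bytes = b""
    pw_hash: Optional[bytes] = None   # None means no password is set
    pw_version: int = 0               # bumped on every password change

    def set_password(self, password: str, keep_external_links: bool = False) -> None:
        """Set or change the gallery password.

        Proposed default from the thread: setting a password also turns
        external linking off unless the owner explicitly asks to keep it.
        """
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.pw_version += 1          # old unlock cookies stop verifying
        if not keep_external_links:
            self.external_links = False


def _cookie_for(gallery: Gallery) -> str:
    # The cookie is bound to the gallery and to the current password version,
    # so changing the password re-secures the gallery.
    msg = f"{gallery.gallery_id}:{gallery.pw_version}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def unlock(gallery: Gallery, password: str) -> Optional[str]:
    """Return an unlock cookie if the password is correct, else None."""
    if gallery.pw_hash is None:
        return None
    candidate = _hash_password(password, gallery.salt)
    if hmac.compare_digest(candidate, gallery.pw_hash):
        return _cookie_for(gallery)
    return None


def has_gallery_access(gallery: Gallery, cookie: Optional[str]) -> bool:
    """The check a gallery page performs before showing anything."""
    if gallery.pw_hash is None:
        return True
    if cookie is None:
        return False
    return hmac.compare_digest(cookie.encode(), _cookie_for(gallery).encode())


def allow_image_as_described(gallery: Gallery, cookie: Optional[str]) -> bool:
    """Model of the behaviour described in the thread: with external linking
    ON, the password is ignored for individual photos."""
    if gallery.external_links:
        return True
    return has_gallery_access(gallery, cookie)


def allow_image_enforced(gallery: Gallery, cookie: Optional[str]) -> bool:
    """Proposed behaviour: a direct image request gets the same check as the
    gallery page, regardless of how the image URL was obtained or guessed."""
    return has_gallery_access(gallery, cookie)


if __name__ == "__main__":
    g = Gallery(gallery_id=1001)      # constructed gallery id
    g.set_password("first-password", keep_external_links=True)
    print("no cookie, described policy:", allow_image_as_described(g, None))
    print("no cookie, enforced policy: ", allow_image_enforced(g, None))
    cookie = unlock(g, "first-password")
    print("with cookie, enforced:      ", allow_image_enforced(g, cookie))
    g.set_password("second-password", keep_external_links=True)
    print("old cookie after pw change: ", allow_image_enforced(g, cookie))
```

The trade-off raised in the thread is visible in the model: under the enforced policy, images embedded in blogs and forums stop loading for anyone who has not unlocked the gallery.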
  • Art Scott Registered Users Posts: 8,959 Major grins
    edited May 9, 2006
    jfriend wrote:
    Here's my summary:
    • With security, the most important thing is to meet the customer's security expectation.
    • A password protected gallery currently sets an expectation that ALL access to the content of the gallery is protected by the password.
    • Because external linking is "on" by default, even in password protected galleries and most users won't realize or understand this, their security expectations are not being met.
    • This problem could be addressed in three ways:
      • Clearly change the customer's expectation in the UI
      • Enforce password access even on external linking (like most password protected systems)
      • Turn off external linking when a password is set (it's OK if the customer turns it back on afterwards because at that point, they'd be getting what they asked for)

    Just my .00005 cents worth here as I was reading this and I figure that between 90 & 97% of the people using SmugMug know a lot more about building and configuring a website than I do...hence one reason I have not done any actual site customizing yet.....
    Okay I want to password protect a gallery....as I am reading down the gallery customization page and I add a password and do I now just stop and say I am done. ne_nau.gif ...NO.. umph.gif .I move down and in logical (to me any way) procession I DISABLE PUBLIC and then move on there is :External links...Hmmmm do I want to link externally..well I am passworded...soooo... no external links....what about easy sharing.....well I am trying to be somewhat secure..sooo...NO easy sharing.....on down to Originals....if I am being secure and I do give anyone access to the file do I want them to have access to the "WHOLE" file eek7.gif , well no umph.gif ...so NO Originals thumb.gif .......what about larges...well for me some are and some are not offered.....but now most are not....now we come to PROTECTED....I am after some semblance of security.....so HELL YEAH :D ....I wanted the gallery PROTECTED.......Then there is watermarking...and I vote no on watermarking due to the fact that my stuff is fineart and that watermark usually covers the important part of my subjects......:cry

    To my thinking I have just secured my gallery as best as can be......

    I do not see why the external links needs to be set to a different default than it is already...cause to secure your gallery...you must read the complete list and I am guilty of NOT reading umph.gif the customizing section completely and asking why am I only getting white boxes with red ex's. ne_nau.gif .......to which Andy has always pointed out that my external links were OFF eek7.gif ......that is why a lot of times he asks "if you want your cake and to eat it also?" :D rolleyes1.gif .....

    Emoticons are truly the only way to convey your feelings or attitude.....UNLESS OF COURSE YOU ARE ONE WHO WILL TYPE IN ALL CAPS TO MAKE SOMEONE KNOW YOU'RE UPSET or in my case just too lazy to turn the caps off :D ..........



    IMHO Smugmug is the easiest I have found to date to use and everyone answers my ?'s with sincerity and some added wit at times and it is that wit that makes me realize that my ?'s was actually an occurrence of me not properly reading and doing the customizing in the proper order and all I needed to do was to slow down a bit and all would be fine.

    I do estimate that there are a lot more people who share their files without password protection than those that use passwords simply because of having to remember or keep track of a password for each and every gallery and then Shamus from the Jungle that keeps losing the password you send to him cause he deletes every email right after he reads it.

    So again IMHO, Smugmug has defaults set for the most average of users (like myself) and if you need more security, they give you the avenues to accomplish that just by following the map of customization of the galleries.


    now if you click on my link to my smuggy site....there are only 2 galleries available to the public, the other 8 are all set to private and some of those are fully passworded and no externals...so on and so forth.

    Lastly if a gallery is passworded then it should also not be public at all.
    If it is passworded and is public, I think you are asking for trouble with the malevolent type hacker that will mess with your personal site then smugmug itself.....but again this is my worthless opinion......
    "Genuine Fractals was, is and will always be the best solution for enlarging digital photos." ....Vincent Versace ... ... COPYRIGHT YOUR WORK ONLINE ... ... My Website

  • GREAPER Registered Users Posts: 3,113 Major grins
    edited May 9, 2006
    15524779-Ti.gif

    I don't have a problem with a warning coming up, but I agree that a person is presented with ALL of the options when setting up the gallery. The place they make it password protected is the SAME place they make it linkable.

    I want to be able to link to photos inside my password protected galleries so I make it that way on purpose. If the default was off, I would just have to turn it on so no big deal...

    The point is, when I set up the gallery I look at every option and set it the way I want it on purpose. I assume every one else does as well.
  • marlinspike Registered Users Posts: 2,095 Major grins
    edited May 9, 2006
    onethumb wrote:
    - The conclusion everyone (at the time) came to was that if External was set to ON, then the Password option would be ignored for viewing the individual photos. That way someone could secure their gallery and still post to their blog/forum/whatever.

    That's how I use the password feature...but I think here's what I would do: take a cue from Canon. I know at least Andy has used a 20D, I bet you guys use Canon too, but when you set an image to custom white balance, you get a little pop-up reminder to remember to set your white balance to custom. So maybe when someone puts in a password you get a reminder to set the external link radio dial to off if you don't want people to see direct links to images without a password.
  • Mike LaneMike Lane Registered Users Posts: 7,106 Major grins
    edited May 9, 2006
    Maybe Smugmug could set up a few gallery customization bulk settings that are automatically choices when you want to set up a gallery. Maybe 3 to 5 options ranging from completely open (originals allowed, no watermarks, easy sharing on, etc) to completely protected (watermarks on, originals hidden, larges hidden, private, external links not allowed, passworded, etc). Then once a user sets his gallery to one of those settings and if that setting requires a password, the user can be reminded or prompted to enter a password and a reminder for that gallery.

    I'm sure there would be plenty of feedback on what constitutes the various levels of security in the bulk settings. Plus there could be a question mark that would lead people to a help file that explained the different levels and how a person could override them if they wanted.

    Just thinking out loud (sort of).
    Y'all don't want to hear me, you just want to dance.

    http://photos.mikelanestudios.com/
  • jfriendjfriend Registered Users Posts: 8,097 Major grins
    edited May 9, 2006
    A prompt is better than today, but not as easy to use as I think you want
    onethumb wrote:
    We don't - it's designed this way.

    It was a tough decision (and actually, I think it was discussed here on dgrin maybe 3 years ago), but here's how it went down:

    - When first shipped, SmugMug wouldn't show Passworded photos AT ALL without a password.

    - We got a load of angry customer support email because their blogs and forum posts were showing up with broken images. It never occurred to us that people might want to externally link images but have them be passworded on the site. We were shocked, but open to adapting. (This is one of those times where customers showed us just how wrong our assumptions were. I hope we listen well each time).

    - The conclusion everyone (at the time) came to was that if External was set to ON, then the Password option would be ignored for viewing the individual photos. That way someone could secure their gallery and still post to their blog/forum/whatever.

    I don't think we can change the functionality since it would wipe out massive numbers of external links.

    What we could possibly do, though, is show a warning that with external linking on, someone could theoretically "guess" their Image # and get to their photo, or existing links will still work, etc.

    Does that sound viable?

    Don
    Thanks for your response, Don.

    I think your decisions three years ago make it a lot harder to have the simplest to understand and consistent security model - that's unfortunate. IMO, it's a bummer that password protected galleries were used for blog postings with direct links. You have a perfect mechanism for that already. It's called private galleries. They aren't browsable or discoverable, but work perfectly for blog postings. I use them all the time for postings in online forums. If password protected galleries always required the password to be supplied before access and a different mechanism was used for blog postings, it would be hard for users to ever be confused about how password protection works or confused such that they accidentally don't configure it to match their security expectations (which is what happened to me, a very techy user).

    If you add a warning as you describe when a password is added to a gallery, you will be "off the hook" in that you told the user, but I don't think your service will be as easy to use as it could be. It should be possible to just go to the place in the UI where you set up a password, provide what it asks for and then have password security that matches your expectations. As you describe it, you will need to understand the warning, understand what external linking is, find it in the UI and turn it off - all just to get simple and secure password protection.

    So, we're no longer talking about me here. I fully understand what's going on and I can disable external linking if I want to. We're talking about my graphics-designer sister or my investor brother-in-law or my lawyer cousin (who are all Smugmug customers). They are not going to know what external linking is and will likely not get complete password security if you just add a warning that tries to explain this issue. I think it should be easier for them. Since I know you generally strive to be the easiest photo service on the web and with your commitment to support it actually costs you money when things aren't easy, I think this would matter to you.

    I also have an implementation question about the controls that enforce no external linking. How does that work? Does it use the referrer? Is it spoofable so even this control isn't really full security? Can I design a web script that will request an image and bypass the external linking setting by setting something in the http request to pretend I'm coming from a Smugmug page? Or is it more sophisticated than that? Is it spoofable?
    --John
    Homepage • Popular
    JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • Matthew SavilleMatthew Saville Registered Users, Retired Mod Posts: 3,352 Major grins
    edited May 10, 2006
    John, and all,

    I think the easiest solution is to save a private gallery template.

    I used to create a gallery and then rush into the customization page to make it private or PW-protected etc... Now after saving one of my private galleries as a private gallery template, I can create a gallery that is automatically invisible from my main site and/or password protected, with external links disabled, or printing disabled, and/or originals disabled, and so on and so forth. I just title the gallery and boom, ready to upload, fully secure.


    Of course, this still isn't the best solution for the others you just mentioned, for whom things should be even easier. I agree with you that Smugmug ought to figure something better out. Maybe bloggers should know better than to try and hotlink from a PW-protected gallery?

    It really is hard for Smugmug to balance ease-of-use with safety and with the preference of the masses. I have some of my own annoyances that I know simply cannot ever change because Smugmug has to make the majority happy and let the minority jump through a couple extra hoops or learn a few extra settings. Drat!

    -Matt-
    “My first thought is always of light.” – Galen Rowell
    My SmugMug Portfolio • My Astro-Landscape Photo Blog • Dgrin Weddings Forum
  • DnaDna Registered Users Posts: 435 Major grins
    edited May 10, 2006
    GREAPER wrote:
    The point is, when I set up the gallery I look at every option and set it the way I want it on purpose. I assume everyone else does as well.
    Second the motion. When I create a new gallery, the first thing I do is to customise it (oh, and by the way customise is spelt wrong ...).

    Possibly one solution is to take the user into the customise gallery section after they have created a new gallery, or have a note suggesting they do.
    Templates offering different levels of protection would also do the same thing. eg, private, password protected, open, etc.

    Dna
  • armaniarmani Registered Users Posts: 119 Major grins
    edited May 10, 2006
    another issue ???
    WOW!

    I don't know if this is the problem discussed here, or that it has been discussed somewhere else, but this IS a problem I think:

    I'll try to explain as well as I can.
    Let's start from the link jfriend posted.
    http://jfriend.smugmug.com/photos/60513030-L.jpg
    Click the link so you see the picture in your browser.
    Then go to the URL and change the number. Let's say we change 60513030 into 60513031. Then press enter.
    What happens: You get to see a new picture but not one from jfriend's website but from some other SM website. Also the URL automatically changed to: http://kanwar.smugmug.com/photos/60513031-L.jpg

    What is worse: I have played with the numbers and have seen pictures in password protected galleries. I have also seen pictures in password protected SM websites.

    I am not gonna post the links here but play with some numbers and you will end up seeing pictures of private protected galleries or websites.

    Do we need to worry?
    Feel free to use my referral code RexaramzeghMy and save 5$ on your smugmug subscription. You can also use this link: http://www.smugmug.com/?referrer=RexaramzeghMy

    My SmugMug: desmurfjes.smugmug.com
    My website: http://www.DigiDiDi.com/

  • CameronCameron Registered Users Posts: 745 Major grins
    edited May 10, 2006
    armani wrote:
    Do we need to worry?
    :nah

    If you have your gallery password protected AND linking turned off, then NO, you don't need to worry - your stuff is secure. Guessing the URL to the image like that will only give you results if linking is turned on.

    I love that smugmug provides SO many options to choose from in gallery customization. The problem we're talking about here essentially results from not completely understanding the effect of several of the customization options. The options are there for adequate security. As has been mentioned, perhaps there should be more hand-holding (warnings, etc) so people who intend for a gallery to be completely private will indeed mark the appropriate options on the customization page.
  • devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited May 10, 2006
    armani wrote:
    Do we need to worry?

    No, this is only possible when the "external links" option is selected on a password-protected gallery.

    Read this thread properly, this fact has been stated numerous times by different people including SM staff.

    David
    David Parry
    SmugMug API Developer
    My Photos
  • jfriendjfriend Registered Users Posts: 8,097 Major grins
    edited May 10, 2006
    Armani accidentally illustrates the point I'm making
    devbobo wrote:
    No, this is only possible when the "external links" option is selected on a password-protected gallery.

    Read this thread properly, this fact has been stated numerous times by different people including SM staff.

    David

    I think Armani is indirectly illustrating the point here. He doesn't understand all the various security options (like most people) and now is panicked that his site is not secure.

    Yes, Smugmug has enough options to secure your password protected site (if turning off external linking is really foolproof), but the way the UI works, most users don't understand what to do to fully protect their site and thus most users that set up password protected galleries have a site that is not protected as well as they want it to be or think it is. In the business of security that's as important a fault as missing an important security feature. And, that's exactly what is happening here.

    My graphics-designer sister, my lawyer cousin and my investor brother-in-law (all of whom are Smugmug customers) will not get this right and will all end up with less security than they wanted or thought they had.

    You can blame it on the users for not fully understanding external linking and not understanding why they should turn it off in order to have full security. But, blaming them won't actually make anything better. They understand what they understand and that's not going to change much. But, there's a much, much better solution. Improve the ease of use of Smugmug so that these kinds of users get what they want without having to understand all that. With a little work, it can even be done in a way that doesn't break the power users who understand all this and might want a different group of settings.
    --John
    Homepage • Popular
    JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited May 10, 2006
    jfriend wrote:
    My graphics-designer sister, my lawyer cousin and my investor brother-in-law

    Sorry John, I fail to understand the significance of the job titles.

    Are you trying to say that these people are smart cuz of what they do?
    David Parry
    SmugMug API Developer
    My Photos
  • Mike LaneMike Lane Registered Users Posts: 7,106 Major grins
    edited May 10, 2006
    Just thinking out loud here. It appears that jfriend was trying to say that people who aren't very experienced with web development (or coding or webdesign or however you want to put it) wouldn't necessarily understand the issue right off the bat.

    But I could be wrong.
    Y'all don't want to hear me, you just want to dance.

    http://photos.mikelanestudios.com/
  • BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited May 10, 2006
    Hi John,

    I really love that you push us on these issues and bring them to the surface with so much clarity.

    I have to say, however, that I've got a lot of scars on my back from our first year when setting a password also turned off external links. We had a lot of cancellations, help emails and forum flames over that. People would try SmugMug and then get publicly embarrassed when they linked to forums and red X's would appear.

    Either way you configure it, you have to notify them somehow and explain the issue, and we weren't successful doing that 100% of the time when we turned off the links automatically for them. It's just so common for them to link externally and they forget even if told so it becomes a very big frustration.

    I think we'd be more successful at warning them of the potential security issues but in so doing you're also creating a security issue, especially for people who have private galleries, because you're notifying a whole group of people who wouldn't have thought about a way to get into private galleries, no?

    I know this is an extreme example, but for the sake of illustration, we could also warn them that people can use keystroke loggers to intercept passwords, or any number of other known hacking techniques that they wouldn't otherwise be aware of, no? And in so doing we could teach them how to hack into lots of things.
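
The access rule described in this thread (onethumb's and Cameron's posts), modelled as an added example that is not SmugMug's code: it compares what a visitor without the password gets from the gallery page and from the direct image URL, and flags galleries where the two disagree. The `Gallery` fields, function names and sample galleries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Gallery:
    name: str
    password_set: bool
    external_links: bool


def gallery_page_allowed(g, has_password):
    # Gallery pages always honour the password.
    return has_password or not g.password_set


def direct_image_allowed(g, has_password):
    # As described in the thread: with external links ON, the password
    # option is ignored for viewing individual photos.
    if g.external_links:
        return True
    # Assumption: with external links OFF, a direct image request gets
    # the same check as the gallery page.
    return gallery_page_allowed(g, has_password)


def audit(galleries):
    # Galleries where a visitor WITHOUT the password is refused the page
    # but still served the image: the owner's expectation and the
    # enforced policy disagree.
    return [g.name for g in galleries
            if not gallery_page_allowed(g, False)
            and direct_image_allowed(g, False)]


def harden(g):
    # Turn external links off only where a password signals intent to
    # restrict access; open galleries used for blog posts are untouched.
    return replace(g, external_links=False) if g.password_set else g


# Constructed sample settings, not real galleries.
SAMPLE = [
    Gallery("family-2006", password_set=True, external_links=True),
    Gallery("blog-posts", password_set=False, external_links=True),
    Gallery("client-proofs", password_set=True, external_links=False),
]

if __name__ == "__main__":
    print("password bypassed by direct links:", audit(SAMPLE))
    print("after hardening:", audit([harden(g) for g in SAMPLE]))
```
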