How to protect your Images folder?

LarryM

Hi,

NB, not to stop capturing the single displayed Image, but to stop downloading
the entire image directory.
(In my Website you will do a search, and get some thumbnails, and these can be
enlarged one by one).

This topic seems to be frequent.
Some say that you under no circumstances can protect your images, others seem
to have preventing solutions.
Some say that everything uploaded to your web server can be taken down, others
manage to hide files.

As far as I understand so far I have an idea that the following might work.
Please guide me!

My Web provider has given me a space which has a Root folder, and below it is
the WebSiteRoot, which contains my website. The Root folder should not be
available for Web users. There I for instance put my Access DB (accessed through
ODBC). I have FTP access to this space.

So, I would like to put my Image folder in the Root folder, and have my Provider
make it a Virtual Directory in IIS, with an Alias name, and with No Browse
permissions (I hope that does not stop me from seeing it in my FTP program...),
but Write permission (for me to upload to it), Read permission (for the Web to get
the images), and with Anonymous Access set off.

Then I can refer to this Virtual Directory from inside my Website, using the
Alias name.
And in IMG SRC you may see the (alias) URL to this Virtual Directory, but an
outside user should not be able to access it.

Could this stop a user from downloading any images from my Image-folder?
Even if they are using some sort of ripoff utility?

(Or should I have to take a step further and ADO stream the image to the
htm-page through an ASP page in order to hide the URL completely?)

(And also, IF the ASP pages are invisible to the browser - could I hide my
images by renaming my .jpg-files to .asp-files? - I mean, the browser gladly
displays the image even if it is called .asp).

Thanks
Larry
 
Evertjan.

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
> NB, not to stop capturing the single displayed Image, but to stop
> downloading the entire image directory.

you can fool some people all the time
you can fool all people some time
but ....

Anything that is downloadable into the browser can be copied.

So keeping ALL directories on your asp site non browsable is imperative but
finally security wise useless. Only image files you do not download and
give an unguessable name are relatively safe. However, what is the use
having those on site anyway?
 
LarryM

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:


> Anything that is downloadable into the browser can be copied.

I don't contradict that..

Maybe I was unclear.
The question is if an imagefile displayed in this way is downloadable directly
from the directory?

Larry
 
Evertjan.

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
> I don't contradict that..
>
> Maybe I was unclear.
> The question is if an imagefile displayed in this way is downloadable
> directly from the directory?

Yes, if you know its name.

You could hinder that by using an .asp intermediate file that looks at the
referrer name, but once displayed in a browser, it has a copy in the
client's tempfiles.
 
LarryM

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:


> Yes, if you know its name.

Is then also ANY virtual directory (outside the default website) or ANY
directory on the Server Computer open for any user as long as you know or can
guess its name (and put in an URL)?
Is it just a matter of guessing any directory and filename on a server, and then
you can download it??

> You could hinder that by using an .asp intermediate file that looks at the
> referrer name, but once displayed in a browser, it has a copy in the
> client's tempfiles.

I say it again: This is not about stopping the image once it has been displayed
in the browser, not much you can do about that!
It is about stopping bulk download of the entire image directory!

So you mean that I have no other option than to go the step which I also
mentioned: ADO stream the imagefile through an asp-file?

/Larry
 
Evertjan.

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:
> Is then also ANY virtual directory (outside the default website) or
> ANY directory on the Server Computer open for any user as long as you
> know or can guess its name (and put in an URL)?
> Is it just a matter of guessing any directory and filename on a
> server, and then you can download it??
>
> I say it again: This is not about stopping the image once it has been
> displayed in the browser, not much you can do about that!
> It is about stopping bulk download of the entire image directory!
>
> So you mean that I have no other option than to go the step which I
> also mentioned: ADO stream the imagefile through an asp-file?

Well, in my rented virtual machine, the cgi-bin is not accessible for
nonexecutables from outer space, so a directory /cgi-bin/images/ is only
accessible through ADO or scripting-host. The same is true for any normal
website directory, where you can keep the name secret, as long as you
have http-directory browsing off.

So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
not point to it in any clientside script, but use myimg.asp to fetch it.

In myimg.asp I would put something like this:

<%
' Stop unless the request was referred from the index page
If Request.ServerVariables("HTTP_REFERER") <> "http://mysite.org/index.asp" Then Response.End

Set fs = Server.CreateObject("Scripting.FileSystemObject")
pt = Server.MapPath("/images/secretpathqwerty6284675/")
' etc.
%>
 
LarryM

LarryM wrote on 04 aug 2003 in microsoft.public.inetserver.asp.general:

> Well, in my rented virtual machine, the cgi-bin is not accessible for
> nonexecutables from outer space, so a directory /cgi-bin/images/ is only
> accessible through ADO or scripting-host. The same is true for any normal
> website directory, where you can keep the name secret, as long as you
> have http-directory browsing off.
>
> So /images/secretpathqwerty6284675/myimg.jpg is secret as long as you do
> not point to it in any clientside script, but use myimg.asp to fetch it.
>
> In myimg.asp I would put something like this:
>
> <%
> ' Stop unless the request was referred from the index page
> If Request.ServerVariables("HTTP_REFERER") <> "http://mysite.org/index.asp" Then Response.End
>
> Set fs = Server.CreateObject("Scripting.FileSystemObject")
> pt = Server.MapPath("/images/secretpathqwerty6284675/")
> ' etc.
> %>

Thanks Evertjan!
Have I got this right:
If somebody CAN guess that you have a directory
"/images/secretpathqwerty6284675/", is it then open for access
for this person, no matter where the directory is situated?
(I am thinking of outside or inside 'the default website').
Is it just a matter of knowing the name of the directory to get access to it?

I am glad that you can bear with my questions, it seems to take a long time for
me to understand the systems..
/Larry
 
Mark Schupp

Larry,

The only way that images can be downloaded (bulk or otherwise) is if the
downloader knows the URL to each image. Since you have disabled "browse" in
IIS for that directory there is no way for a download program to reliably
determine the URLs unless you have links to them embedded in a page that the
program could parse to get the paths.

--
Mark Schupp
--
Head of Development
Integrity eLearning
Online Learning Solutions Provider
(e-mail address removed)
http://www.ielearning.com
714.637.9480 x17


 
Mikhail Tchikalov

If an image is shown in the browser then the client already has a copy of it.
Therefore, it can save it to a disk file. Disabling directory browsing
prevents the client from easily building the list of images, but such a list can be
built by bulk download utilities. For example, wGrabber.

Best regards,
Mikhail.
 
Evertjan.

LarryM wrote on 05 aug 2003 in microsoft.public.inetserver.asp.general:
> Thanks Evertjan!
> Have I got this right:
> If somebody CAN guess that you have a directory
> "/images/secretpathqwerty6284675/", is it then open for access
> for this person, no matter where the directory is situated?
> (I am thinking of outside or inside 'the default website').
> Is it just a matter of knowing the name of the directory to get access
> to it?

I do not know what exactly you mean by "default website".

Usually all files in your web root "http://mysite.org/" or
"http://big.org/members/mysite/" or "/" and the lower directories like
"http://mysite.org/myimages/" are accessible, except usually
"http://mysite.org/cgi-bin/".

The higher up directories "../" and "c://windows/" should not be.
[Is this what you mean by "outside"?].

If you own the server, you can probably change all this [to your peril!].
 
LarryM

LarryM wrote on 05 aug 2003 in microsoft.public.inetserver.asp.general:
>> Thanks Evertjan!
>> Have I got this right:
>> If somebody CAN guess that you have a directory
>> "/images/secretpathqwerty6284675/", is it then open for access
>> for this person, no matter where the directory is situated?
>> (I am thinking of outside or inside 'the default website').
>> Is it just a matter of knowing the name of the directory to get access
>> to it?
>
> I do not know what exactly you mean by "default website".
>
> Usually all files in your web root "http://mysite.org/" or
> "http://big.org/members/mysite/" or "/" and the lower directories like
> "http://mysite.org/myimages/" are accessible, except usually
> "http://mysite.org/cgi-bin/".
>
> The higher up directories "../" and "c://windows/" should not be.
> [Is this what you mean by "outside"?].

Hi Evertjan,

Sorry that I have such difficulty to be clear about this.
I mean 'default website' = Websiteroot and below (typically http://mysite.org/
and below).

If I look for a good place for my images I am looking for some directory outside
the 'default Website'.
It seems that the only way to reach such a directory from the Web application is
to make it a Virtual Directory, giving it an URL, and referring to it from a
html-page.
It might be as simple as that the Virtual Directory now is acting exactly as if
it was in the default Website. And then there is no gain in using a Virtual
Directory from a security point of view.
My hope was that a Virtual Directory was a little bit harder to reach than a
directory in the default Website, but I begin to doubt that.

So my options at the moment seem to be:
a)
have a nonbrowsable directory with very-hard-to-guess filenames (UGIUD type,
'5350298573.jpg'). The single picture displayed in the browser can always be
captured, but it will be hard to make any bulk downloading.
Except that I don't know the capabilities of these file grabbing utilities.
I wonder if renaming the .jpg-files to .asp-files would make them less visible?
b)
displaying the image through an .ASP-page that ADO streams the image content to
the html-page, not showing where the source is.
Performance loss, but maybe the safest solution so far.
And the idea must then be that the images are placed in a physical directory
visible from the DB but not from the Web or any web user.

It still bothers me that it seems that any directory in your default Website is
open for access, just you know or guess the directory+filename.
So it goes in the direction of having a very complex filestructure, and of
course non-browsable directories. And some performance loss.

Anyway I wonder if you ever can stop the Grabber utilities..?

/Larry
 
Jeff Cochran

> Is then also ANY virtual directory (outside the default website) or ANY
> directory on the Server Computer open for any user as long as you know or can
> guess its name (and put in an URL)?

Coming in late, but no, if the image is outside the HTTP web
structure, and you have NTFS permissions set correctly, it can't be
accessed from the web directly.

> Is it just a matter of guessing any directory and filename on a server, and then
> you can download it??
>
> I say it again: This is not about stopping the image once it has been displayed
> in the browser, not much you can do about that!
> It is about stopping bulk download of the entire image directory!
>
> So you mean that I have no other option than to go the step which I also
> mentioned: ADO stream the imagefile through an asp-file?

That may be best. Try a Google for "Anti Leeching" or similar for a
lot of solutions.

Jeff
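
An added example, not code from any poster in this thread: a sketch of the "stream the image through an ASP page" option discussed above, with the image folder kept outside the web root, a digits-only id check, and a per-session cap aimed at bulk grabbing. The file name showimg.asp, IMAGE_DIR, the "id" parameter and the two session keys are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' showimg.asp (hypothetical name): streams one JPEG per request from a folder
' outside the web root, so the image files have no URL of their own.
' Assumed names: IMAGE_DIR, the "id" parameter, Session("searched") set by
' the search page, Session("served") as a per-session counter.
Const IMAGE_DIR = "D:\SiteRoot\PrivateImages\"  ' placeholder path
Const MAX_PER_SESSION = 200                      ' arbitrary cap
Const adTypeBinary = 1

Sub Fail(statusLine)
    Response.Status = statusLine
    Response.End
End Sub

Dim id, re, fso, path, stm

' Server-side session state instead of the client-supplied Referer header.
If Session("searched") <> True Then Fail "403 Forbidden"

' Cap images per session so a grabber cannot walk the whole collection.
Session("served") = Session("served") + 1
If Session("served") > MAX_PER_SESSION Then Fail "429 Too Many Requests"

' Digits only: rejects "..", slashes and drive letters before any file access.
id = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^[0-9]{1,12}$"
If Not re.Test(id) Then Fail "400 Bad Request"

Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = IMAGE_DIR & id & ".jpg"
If Not fso.FileExists(path) Then Fail "404 Not Found"

' Read the file as binary and write it into the response body.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.ContentType = "image/jpeg"
Response.BinaryWrite stm.Read
stm.Close
%>
```

A page would then reference an image as showimg.asp?id=5350298573 instead of a path into the image folder; the id values still need to be hard to guess, since each displayed image reveals its own id.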
 
Tom B

I'm jumping in a little late, but try to think of it this way..
A user requests a page, they get the page.
On the page are links to images <img src="thefolder\thefile.jpg">
The browser then requests those files.

So, if your images are named in a manner that is easy to figure out (such as
numerically 1.jpg, 2.jpg etc, or alphabetically a.jpg, b.jpg) then it's hard
to prevent someone from writing a script to grab all of them.

To prevent a bulk download script, you can give them hard to guess names
such as "ThePictureOfBobWearingAFunnyHat.jpg" or you can use the ADO stream
method you mentioned.

The Toronto Sunshine Girl page www.canoe.ca/TorontoSunshine only shows the
Sunshine Girl of the day; however, they store each picture as ssg.jpg in a
subdirectory of the day's date (eg .Aug8/ssg.jpg ) so it didn't take long to
write a script that produces....
<img src="Aug8/ssg.jpg">
<img src="Aug7/ssg.jpg">
If they had named them individually, such as JaneDoe.jpg, it would have been
"impossible" to script that.
 
Scott Scott

Why not protect the image folder by referrer, only allowing access from
approved pages within your website?

That will solve some of your headaches.

Are these images only available to members (password protected)?

You can either hand code this, or use AuthentiX.
http://www.flicks.com
 
