Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: ALL
Defensive Distribution
Protecting Your Content
By Don Kiely
You ve finally done it. The brand new Web site, unlike any the world has ever seen, is up and running on your production machine, and you re about to set the DNS switch that will let amazed and dazzled users see your creation. The accolades are likely to propel you into the list of geniuses of industry who will be studied and revered by generations of technocrats.
But there s just one little problem. How do you protect the content into which you ve put your creative genius? You want users to see the images, the Flash movies, and all the other doodads that will dazzle them. But you don t want your brilliance copied, e-mailed out of context of your Web site, or viewed without all the wise text that gives meaning to all the content, pulling it together into a complete revelation that will have users coming back to your site for decades. There has to be a way to prevent those pesky users from using your content outside of your site, right? Something built into ASP.NET or IIS that protects your content? Surely computer security has evolved to the point of being able to protect such valuable content?
The easy answer is that, no, there is no ironclad way to protect your content. Once your image, for example, is displayed in the user s browser, it is located on the client machine and is out of your control. A video that runs in a browser is delivered over the Internet to the client and is susceptible to capture in various ways.
People have come up with little tricks to make it harder to use content outside of your site, but all they really do is slow down someone who might be determined to use your content. One example is to chop an image up into hundreds of image shards that your page delivers to the browser one by one, which the browser reassembles into a single image. This doesn t fully protect your image, but at least it makes it far harder than downloading a single file for easy, immediate reuse. One such tool is Graphic Workshop Professional from Alchemy Mindworks (http://www.mindworkshop.com/). Other tools like Secure Image Pro from ArtistScope (http://www.artistscope.com) provide a form of digital rights management for images. But a screen capture utility makes it easy to capture the complete image, and more complex solutions require Javascript, which users can easily turn off. Other tricks include embedding protected images in a Flash video and other ways of blending different formats together.
The page at http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=41 has several techniques for protecting images you put on the Web. The page explains that you can make it harder to steal content in order to slow someone down, but you can t prevent anyone determined enough from getting the content. The techniques explained there include disabling the image toolbar (but only for IE), disabling right-clicks to save the image (this requires Javascript to work), fooling the user into thinking s/he is saving your image when in fact what is saved is only a transparent image that overlays your real image, and encrypting your page.
The bottom line is that if it s viewable in a browser, there is almost certainly a hack the user can employ to capture the content in some way. You ve lost control. Sure, you can add banners, signatures, and perhaps some kind of watermark to damage the visual, but that is going to affect the user s enjoyment of the image on your site.
So, as much as I d like to present you with a foolproof technology method for protecting your content, if you put it on the Web, anyone can grab it and make use of it. There are really only four things, three of them reasonable, that you can do as of today to help protect your content:
- Copyright your content. This doesn t prevent someone from taking and using your content, but at least you can have the satisfaction of spending years in court and forcing a judgment that you ll likely never collect on.
- Embed a digital signature into your content. This way, you can at least prove that it is your content when you start seeing it on 50 thousand sites across the Web.
- Put content you want to protect in a members-only section of the Web site and protect it using all the full force of ASP.NET and IIS. And then be sure that you trust the users you let into that part of the site to protect your content as aggressively as you do.
- Don t use the content on a Web site. If users can t view it in a browser, they can t steal it. More precisely, it will be harder to steal because they ll have to find it first. Security by obscurity is rarely very secure, but it can slow down hackers.
The Web is meant for sharing, so be sure that what you put out there is what you want to share with everyone.
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
