Protecting Things from prying eyes....

Michael Crawford michael.crawford at stonebow.otago.ac.nz
Sun Apr 7 00:22:01 EST 2002


Hello everyone,



I am developing an application in trusty 'ol Metacard that does the
following things.


1) Downloads an "index" from a web server, this is just a plain text file
and is basically a file listing with some other bits of information about
the images

2) Uses that index to download a series of pictures which are then
displayed in Metacard along with any other additional info in a text box.

So far so good. MC does everything it is told to do just wonderfully.

My problem is how do I protect those images? I want it so only Metacard can
view the pictures. By this I mean if I can show an image by putting URL
"http://someserver.com/ViewerApp/Images/image1.jpg" into an image object in
Metacard I can also view the image using a web browser.

No worries. I can encode the image using "base64encode" and compress the
image and even give it a funny extension type. That works really well. No
complaints from Metacard about that either.

Still it is not very secure. Someone could easily figure out what is going
on here and still download the images...

Alright then how about if I password protect the site using the std sort of
protection. (That is the basic sort like at
http://emserver.otago.ac.nz/gordon/.) and get Metacard to connect using the
authorization method :
"http://username:password@someserver.com/ViewerApp/Images/image1.jpg"

Thus if you try to connect using a web browser to the server you require a
password.

My problem is that the password is relatively easy to obtain using
Interarchy or OTsessionwatcher or any of those TCP/IP watching
applications. If you have the password you can get the images etc again...


Does anyone have any suggestions about what I could do here? My two lines
of thought are:

1) I could either encrypt the images using some other method than base64. I
am open to suggestions about how I could do this.

2) I could build a better password protected site with cgi's or ASP or some
such thing though then I have issues with server hosting etc.

3) I am just being too paranoid about the whole thing. If anyone gets
through all of the road blocks I have created perhaps I should just give
them a chocolate fish and a certificate and not worry about it...


Thanks in advance for any suggestions.


Michael
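
What the `username:password@` URL in the post puts on the wire, and why the base64-plus-compress wrapping adds no secrecy, as an added example that is not part of the original post. The function names, the use of zlib for the compress step and the sample image bytes are assumptions made for illustration; the URL is the post's own placeholder.

```python
import base64
import zlib
from urllib.parse import urlsplit

def build_request(url):
    """Return the plain-HTTP request a client sends for a user:password@ URL."""
    parts = urlsplit(url)
    lines = [f"GET {parts.path or '/'} HTTP/1.0", f"Host: {parts.hostname}"]
    if parts.username is not None:
        userpass = f"{parts.username}:{parts.password or ''}".encode()
        # Basic auth is base64 of "user:password": no key, no hashing.
        lines.append("Authorization: Basic " + base64.b64encode(userpass).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def credentials_from_capture(raw):
    """Recover (user, password) from captured request bytes, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode().partition(":")
                return user, password
    return None

def audit_url(url):
    """List the exposure findings for a fetch URL, from a reviewer's view."""
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append("credentials embedded in URL")
        if parts.scheme != "https":
            findings.append("Basic credentials sent without transport encryption")
    return findings

def wrap(image_bytes):
    """The compress + base64 wrapping from the post (zlib is an assumption)."""
    return base64.b64encode(zlib.compress(image_bytes))

def unwrap(blob):
    """Undo wrap(); it needs no secret, so the data is disguised, not protected."""
    return zlib.decompress(base64.b64decode(blob))

# Constructed sample values; the URL is the placeholder used in the post.
URL = "http://username:password@someserver.com/ViewerApp/Images/image1.jpg"
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"constructed sample bytes" * 4
```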










