Defensive Distribution

SecureASP.NET

LANGUAGES: ALL

ASP.NET VERSIONS: ALL

Defensive Distribution

Protecting Your Content

By Don Kiely

You ve finally done it. The brand new Web site, unlike anythe world has ever seen, is up and running on your production machine, and you reabout to set the DNS switch that will let amazed and dazzled users see yourcreation. The accolades are likely to propel you into the list of geniuses ofindustry who will be studied and revered by generations of technocrats.

But there s just one little problem.How do you protect the content into which you ve put your creative genius? Youwant users to see the images, the Flash movies, and all the other doodads thatwill dazzle them. But you don t want your brilliance copied, e-mailed out ofcontext of your Web site, or viewed without all the wise text that givesmeaning to all the content, pulling it together into a complete revelation thatwill have users coming back to your site for decades. There has to be a way toprevent those pesky users from using your content outside of your site, right?Something built into ASP.NET or IIS that protects your content? Surely computersecurity has evolved to the point of being able to protect such valuablecontent?

The easy answer is that, no, there is no ironclad way toprotect your content. Once your image, for example, is displayed in the user sbrowser, it is located on the client machine and is out of your control. Avideo that runs in a browser is delivered over the Internet to the client andis susceptible to capture in various ways.

People have come up with little tricks to make it harderto use content outside of your site, but all they really do is slow downsomeone who might be determined to use your content. One example is to chop animage up into hundreds of image shards that your page delivers to the browserone by one, which the browser reassembles into a single image. This doesn tfully protect your image, but at least it makes it far harder than downloadinga single file for easy, immediate reuse. One such tool is Graphic WorkshopProfessional from Alchemy Mindworks (http://www.mindworkshop.com/).Other tools like Secure Image Pro from ArtistScope (http://www.artistscope.com) provide aform of digital rights management for images. But a screen capture utilitymakes it easy to capture the complete image, and more complex solutions requireJavascript, which users can easily turn off. Other tricks include embedding protectedimages in a Flash video and other ways of blending different formats together.

The page at http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=41has several techniques for protecting images you put on the Web. The pageexplains that you can make it harder to steal content in order to slow someonedown, but you can t prevent anyone determined enough from getting the content.The techniques explained there include disabling the image toolbar (but onlyfor IE), disabling right-clicks to save the image (this requires Javascript towork), fooling the user into thinking s/he is saving your image when in factwhat is saved is only a transparent image that overlays your real image, andencrypting your page.

The bottom line is that if it s viewable in a browser,there is almost certainly a hack the user can employ to capture the content insome way. You ve lost control. Sure, you can add banners, signatures, andperhaps some kind of watermark to damage the visual, but that is going toaffect the user s enjoyment of the image on your site.

So, as much as I d like to present you with a foolprooftechnology method for protecting your content, if you put it on the Web, anyonecan grab it and make use of it. There are really only four things, three ofthem reasonable, that you can do as of today to help protect your content:

The Web is meant for sharing, so be sure that what you putout there is what you want to share with everyone.

DonKiely, MVP, MCSD, is a senior technology consultant, building customapplications as well as providing business and technology consulting services.His development work involves tools such as SQL Server, Visual Basic, C#,ASP.NET, and Microsoft Office. He writes regularly for several trade journals,and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and readhis blog at http://www.sqljunkies.com/weblog/donkiely/.