I am implementing a referral program and giving people and ebook as a reward. Is there a way without using a database to make it so that the ebook is only available for 24 days to the user? I don't want users to share the ebook PDF. What can I put in place to prevent this? I'm guessing I should also update robots.txt?
I'm using node js and JavaScript
Save file as usernameOfUser_deadlineTimestamp.pdf. Now when a user requests a file, simply fetch filenames from the folder and look for file starting with name usernameOfUser. Now, get the current timestamp and compare it with the deadlineTimestamp you get from the filename. If current timestamp is less that deadlineTimestamp, serve the file else show error message. Use fs to determine filenames etc.
The proper solution is to implement some kind of authentication to know who (which user) is requesting the ebook and then some kind of authorization to decide if you will serve him the ebook or not (not if the 24 day period is expired).
These information must be available on your server in any form, and regardless of the form it is a database already.
Now the robots.txt is useless in this situation as no crawler can authenticate as a valid user, so no one can have access to the resource.
The database-less solution is to generate a pretty long link for every user and encrypt the all the needed pieces of information in that link.
So would a link like http://example.com/gvdcwt5f23ydvuztb2ftyuzfydy826ngnuy2u2gfzgnyg2y6gn2gyf6g2f2uynfu contain the user name (or any other identification) and the expiration date. So every time this link is requested the server decrypts it and serves the requested ebook.
robots.txt is still useless as you won't have the ebook available as http://example.com/ebook.pdf and there will be no mention of those long links, no robot will bother to scan your server by guessing working links.
Regarding the handling of the pdf when the user downloaded it, you have no more control over it. You can place copyright notice in the pdf itself to prevent sharing by gentle users, but there is no way of protecting the contents of the pdf file. You can encrypt it, but once user can share it with credentials, you can generate pdf for all users with invisible information stored in it have the ability to identify who shared it if you find a shared copy, but any of these and certainly many others is probably not worth the time spent by implementation of such a "protection".
Related
I couldn't come up with a better name for the question so I apologize for that.
In my application you can make an account, create files and send the link of a file you created in a "view-version" to whoever you want.
The routes to create, delete, read,... files are protected, however, the "view-version" is not.
The way I handle it right now is the following:
The link to the view-version consists of the id of the file and a token the user receives upon log in.
When whoever receives the link opens the page, the token and id (that's the id of the entry created in MongoDB) are authenticated and if they are valid the user sees the page.
Obviously, the token times out after some time and I'm assuming that, once the token times out, the viewer will no longer be able to view the page (I didn't actually test this but it just makes sense I guess).
I'm new to creating websites that require user authentication for certain sites so I'm rather clueless about how to solve this.
If I let the viewer access the file just using the id, that'd be insecure since he could view ALL files by trying different id's (a viewer is not supposed to be able to view all files).
So, I guess what I'm trying to do is to publish the view-version of a certain file to a selected audience.
I was thinking about creating a permanent token that I could use instead of the token created when logging in/out so the viewer would always be able to view the files but I'm not sure how big of a security risk that is.
I tried googling how to best go about that, however, my search was unsuccessful.
How is such a concept usually implemented?
I was asked an odd question this morning--We have customers who have a number of PDF reports hosted on our services which are accessed through https (not a direct file link, but accessed by a rest url).
Customers often print these reports on a daily basis.
The request is that these reports automatically print (could be default printer) each morning.
My initial reaction is to laugh, because obviously this is impossible without some user action. But the more I think about this, the more I am inclined to believe there may be ways. For example, if there is some generic "print" user with limited access, and if the browser is left open, and some Javascript on the login screen checks the time of day, it might be possible to retrieve files at a specified time and print. I don't believe I can automatically print--but at least I can open a print dialog.
I know the request to automatically send things to a far away printer from our web services is impossible. Wondering if I can provide the next best thing, and if anyone has a good idea to share here.
This may be a bit of a tricky one (for me at least, but you guys may be smarter). I need to capture the timestamp of exactly when a reader clicks a link in an email. However, this link is not a hyperlink to another webpage. It is a link formatted as a GET request with querystrings that will automatically submit a form.
Here is the tricky part....The form processing is not handled by PHP or .NET or any other server side language. It is a form engine that is hosted and managed by a cloud based marketing platform that captures and displays the form submission data (So i have no access to the code behind the scenes).
Now, if this wasn't an email I'd say it is simple enough to just use Javascript. However, javascript doesn't work so well with email, if at all (I'm just assuming there are some email clients out there that support javascript).
How would you go about capturing the timestamp for when the link is clicked without using any type of scripting? Is this even possible?
The best solution i could come up with was to have the link point to an intermediate page with javascript to capture timestamp and then redirect to the form submission. Only problem with that is that it will only capture timestamp of page load and not of the actual click activity.
There is no way to do what you want "without any type of scripting". If no scripting is done, no functionality may be added or changed.
The best option is the very one you suggested: use an intermediary page that records the request time. Barring unusual circumstances (such as a downed server), the time between a link being clicked and the request reaching the server will be less than 1 second.
Do you really need a higher resolution or accuracy than ~1s? What additional gain is there from having results on the order of milliseconds or microseconds? I can't imagine a scenario in which you'd have tangible benefits from such a thing, though if you do have one I'd love to hear it.
My initial thought was to say that what you're trying to do can't be done without some scripting capability, but I suppose it truly depends on what you're trying to accomplish overall.
While there is ambiguity in what you're trying to accomplish from what you have written, I'm going to make an assumption: you're trying to record interaction with a particular email.
Depending on the desired resolution, this is very possible--in fact--something that most businesses have been doing for years.
To begin my explanation of the technique, consider this common functionality in most mail clients (web-based or otherwise):
Click here to display images below
The reason for this existing is that the images that are loaded into the message that you're reading often come from a remote server not hosted by the mail client. In the process of requesting that image, a great deal of information about yourself is given to that outside server via HTTP headers in your request including, among other things, a timestamp for the request. Thus the above button is used to prevent that from happening without your consent.
That said, its also important to note how other mail client providers, most notably gmail, are approaching this now. The aforementioned technique is so common (used by advertisers and by other, more nefarious parties for the purpose of phishing, malware, etc) that Google has decided to start caching all mail images themselves. The result is that the email looks exactly the same, but all requests for images are instead directed at Google's cached versions.
Long story short, you can get a timestamp to note interaction with an email via image request, but such metric collection in general, regardless if its done in the manner I've outlined, is something mail clients try to prevent, at least at some level.
EDIT - To relate this back to what you mention in your question and your idea of having some intermediary page, you could skip having that page and instead you would point an image request towards a server you control
I'd like to present an idea to you that I think might help the privacy of the average user. I would appreciate any comment or suggestion on this.
I've been struggling for quite some time now with the need for a simple tool that I could share and use with my contacts who are only average users and not familiar at all with any cryptographic technology or the current tools available.
I'm planning to create a solution where one can easily encrypt a text message or a file with a single password and send it in email or chat or through whatever channel to somebody else. The solution should be entirely platform independent and usable without the need to install any extra softwares.
There are some text encryption websites out there that run client side encryption from JavaScript entirely. I find this approach currently the only possible solution. Also, there are libs for JS that already implement encryption:
http://crypto.stanford.edu/sjcl/
http://code.google.com/p/crypto-js/
Though the mentioned approaches store the message on their server, requiring you and your contact to trust it entirely. Because the server might present a different JS code to the user when visiting it after he gets the message by steeling the password and so revealing the secret.
While many think that it's not a good idea to do anything regarding cryptographic tasks in JS, I believe there is a need for a tool that is really platform independent (can be used on any tablet or PC) and still incredibly easy to use. The idea behind this is that I believe something is better than nothing. Sending information in plain text in email for decades with our current technology is wrong in most cases. There are times when we do need to share sensitive info via email and the other side might have any kind of system.
I intend to avoid the use of public key cryptography for the following reasons:
- it is very complicated to setup including the signing of each others' keys
- complicated to use it
- the user can loose his keys
- most of the time it needs and external software to be used and installed too
- a single password can be easily shared personally one time with my contact and he or she can keep it written on a paper wherever
The solution I came up with could be the following:
First of all, the browser and the operating system under it should be considered trusted.
There would be a static index.html page with embedded JavaScript. The page shows a textarea for the message and a textbox for the password. When hitting enter, the JS code generates a URL that itself will contain the encrypted message in base64 encoding. After digging I figured that 2000 bytes can be used for URLs just fine in every cases, so 1600 or 800 characters could be enough for short messages. This still needs planning.
So the encrypted message would travel with the URL. The website serving the index.html would of course use SSL with a valid certificate. While it seems an easy taks, of course it is not. The JS implementation should be carefully created to avoid easy attacks on it.
(URL shortener services could be used for it too).
Also, the question stands: How can I make sure that my contact can be certain about the origin of my message?
Well, the other side has to check if the domain is correct. Beside this, the implementation must avoid the rest of the attacks. If the URL gets changed during the travel of the email, then maximum the other side won't be able to decode the message with the password. That's what I believe. That it can be implemented this way.
About the file sharing. The solution should have a possibility to browse for a file, then encrypt it, then put it out for download to the user. This is just for him to be able to create the encrypted form of the file without the need for external tools. Then he could upload it to the cloud of his choice wherever (Google drive, Skydrive etc) and use that link in the URL of the JS solution to send it to his contact.
So if another link travels with the link, then the file from the remote host gets downloaded, decrypted and sent for download. All in his browser. If it's an encrypted message in base64 form, then it gets printed on the page after decryption (by the user providing his password of course).
Pros compared to other solutions:
- no need to implement a storage because no message nor file will be stored on the server, so the big players' services could be used
- therefore no need to reimplement the wheel regarding the storage question
- no need to trust a 3rd party because the server could easily be ours because it would be extremely easy to set up and serve it
- easy with even a free provider to host the static index.html
- because of its simplicity, the server can be hardened much better
- easy to encrypt with it in practice
- if one needs it, he could use the index.html by clicking on it from his desktop too, but that's not part of the original idea
My questions to you all are:
Do you find any flaw in my theory above? Could this really serve the average people by providing a usable tool for them that is more than nothing in times when they do need to send sensitive info to others?
Or does anything like that exist yet? Are there any better approaches? Different technology maybe?
Thank You.
I'm setting up a PayPal button to sell my e-book on my website, but one tiny problem. During the process, you have to provide a thank you page and specific download link for the PDF file.
Instead of changing it myself, is there a way to make it automatic and random every time a new customer buys? A script perhaps?
But then the thank you page would be the same, which wouldn't work... so I don't know.
Can anyone give me suggestions on how to approach this matter, please?
Thanks.
Usually the way this is done is when a purchase is completed successfully, a server script coins a unique download ID (usually some long sequence of randomly generated digits), associates it with the person who bought it, stores that info in a database and then puts it in a download link and sends it to the buyer - either in a returned web page or in an email.
The buyer can then click on that link which will take the buyer to your server. The server looks up the unique download ID that is in the URL, checks the database, decides if it's still a legitimate download ID and, if it is, it returns that actual download file to the browser with the right content-type so that the browser does the right thing with the returned data.
Your server can then decide how long it wants to keep that download ID as valid. It can be only for 1-3 uses (allowing for the fact that the legitimate person downloading may have had a glitch and had to redownload it), it can be for only a certain amount of time from purchase or from first download or any other algorithm that you thinks suits your business needs. You can age out old, expired records from the DB either with a chron job or in some regular housekeeping function you call.
Sorry, but I do not know enough about the back-end integration options in PayPal to know how to integrate this into PayPal, but this is the general workflow you probably want. If PayPal generates a unique transaction ID that is random enough for your needs, you might even be able to use that in your URL and database.