Discussion about slightly loosening viewing restrictions on thumbnails

onethumb Administrators Posts: 1,269 Major grins
edited October 2, 2008 in SmugMug Support
Hey everyone,

As you know, SmugMug works very hard on making your pages as fast as we possibly can while still providing very strong security and privacy controls. (Those two things are at odds with each other, by the way, in case that wasn't obvious.) In particular, both speed and security are pet projects of mine and I spend a lot of time on both.

We have a number of speed-related improvements in the works that I'm very excited to ship, but it's come to our attention that there's one change we could make that would make a dramatic improvement in page rendering times. So I have a proposal to make and I'm hoping we can get some healthy discussion going here and make sure we're on the right track...

First, the situation as it stands today:

- Thumbnails (Tiny/Thumb) by far make up the bulk of requests to SmugMug when browsing your photos.

- Thumbnails cause the page to draw slower than anything else on the page because browsers can only request 2 things at once. Since they're so busy waiting for thumbnails to load, they can't load other thumbnails, comments, larger photos, pre-cache more things in the background, etc etc. This is a web browser limitation that we have to work with (and Internet Explorer 8, whenever it ships, will help - they'll let us do up to 8 requests at once).

- SmugMug spends a considerable amount of time just checking whether we're allowed to serve a thumbnail or not every time one is requested. We have to do that before we can send any bytes. This can account for 50% or more of the time it takes for the thumbnail to get to your browser.

- Since we have to do this check each and every time, we can't cache copies of the thumbnails in locations close to you (say, New York City or London or close to wherever you live). They all come out of California.

- Thumbnail URLs are now essentially impossible to guess, thanks to our "new" slightly uglified URLs. Guessing a *single* thumbnail URL is now a 1:601,692,057 operation thanks to our ImageKeys. Guessing an entire gallery's worth of thumbnails is considerably harder. And, of course, while someone is guessing, we're busy watching them guess (and fail) and taking corrective action.

- Thumbnails are only 100x100 (Tiny) or 150x150 (Thumb) pixels in size. Even compromising photos of Gus aren't useful if stolen. Can't really make out any details, let alone make prints.

Are you with me so far? So that's the state of SmugMug today. Serving thumbnails fast is a major performance bottleneck that we'd like to solve. Here's what I'm proposing we do:

- We make any full thumbnail URLs (with the ImageKey) publicly viewable even if it's in a passworded account or site, or has external links off.

- All grandfathered URLs would still have the same protections they've always had.

- To get the URL in the first place, you still have to know the gallery or site password, so the thumbnails are still well-protected - just slightly less than they used to be. Without having permission to get the photos, you can't get the URL anyway.

- All sizes from Small on up still have the same protections they've always had.

What this lets us do:

- We can push our thumbnails out to servers that live an awful lot closer to you and your customers than California. Think a server in your neighborhood rather than in another state or country.

- We don't have to do any password and external link security checks (we still do an ImageKey check), meaning we can serve the thumbnails literally the instant the request comes in, rather than some variable number of milliseconds later.

- I estimate we'll be able to serve thumbnails 2-4X faster *in the US* than we currently do. Outside the US, the multiple gets even larger. Yes, even people living in LA or Seattle or San Diego would see a noticeable speed increase.

- If you're a Pro this likely will increase your sales. Amazon, for example, estimates they lose 1% of their sales for every 100ms (1/10th of a second) that their pages take to load.

So, given the details, what do you think? Everyone inside the company seems pretty excited about it, including all of our working Pros, but if we're missing any gotchas, I'd love to hear them and see if we can address them.

Just to re-iterate, your Smalls, Mediums, Larges, XLarges, X2Larges, X3Larges, and especially Originals, would still have the super-strong protections you've always enjoyed, and both thumbnail sizes would still be well-protected - just slightly less than before.

The only use case we can think of where this might be an issue is if someone with your password chooses to copy & paste thumbnail URLs to someone else who doesn't. Note that this person who already has your password is free to download the thumbnails already, since they have the password, and share them using SmugMug or any other website. They can do this today. So we don't view this as a serious security concern.

Thanks!
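To make the access rule in the post concrete, here is a small Python model of the proposed policy, added as an example and not SmugMug's own code: Tiny and Thumb sizes are served on the strength of the ImageKey alone, every larger size still needs the gallery password, and failed key lookups are counted per client so that guessing shows up as an alert. The key format (8 URL-safe characters from 48 random bits), the alert threshold, the gallery name, the password and the client addresses are all constructed for the example.

```python
import hmac
import secrets
from collections import defaultdict

# Sizes that, under the proposal, need only the (unguessable) ImageKey in the URL.
KEY_ONLY_SIZES = {"Ti", "Th"}
# Failed key lookups from one client before it is flagged for review; assumed threshold.
GUESS_ALERT_THRESHOLD = 5


class ThumbnailService:
    def __init__(self):
        self.galleries = {}                     # gallery_id -> {"password": str|None, "images": {key: bytes}}
        self.failed_lookups = defaultdict(int)  # client_ip -> number of misses
        self.flagged = set()                    # clients whose misses look like guessing

    def add_gallery(self, gallery_id, password=None):
        self.galleries[gallery_id] = {"password": password, "images": {}}

    def add_image(self, gallery_id, data):
        # Constructed stand-in for an ImageKey: 48 random bits, URL-safe.
        # The real key format is not given in the thread.
        key = secrets.token_urlsafe(6)
        self.galleries[gallery_id]["images"][key] = data
        return key

    def serve(self, client_ip, gallery_id, image_key, size, password=None):
        gallery = self.galleries.get(gallery_id)
        image = gallery["images"].get(image_key) if gallery else None
        if image is None:
            # Wrong key: count it. Visitors who copied a URL from a gallery page never miss.
            self.failed_lookups[client_ip] += 1
            if self.failed_lookups[client_ip] >= GUESS_ALERT_THRESHOLD:
                self.flagged.add(client_ip)
            return None
        if size in KEY_ONLY_SIZES:
            return image                        # Tiny/Thumb: the key itself is the credential
        required = gallery["password"]
        if required is not None:
            # Small and up still require the gallery password; compare in constant time.
            if password is None or not hmac.compare_digest(required.encode(), password.encode()):
                return None
        return image


def walkthrough():
    """Exercise the policy with a constructed passworded gallery, one copier and one guesser."""
    svc = ThumbnailService()
    svc.add_gallery("hockey", password="hunter2")          # constructed gallery and password
    key = svc.add_image("hockey", b"jpeg-bytes")
    thumb_no_pw = svc.serve("203.0.113.7", "hockey", key, "Th")
    medium_no_pw = svc.serve("203.0.113.7", "hockey", key, "M")
    medium_pw = svc.serve("203.0.113.7", "hockey", key, "M", password="hunter2")
    for _ in range(GUESS_ALERT_THRESHOLD):                 # a client trying random keys
        svc.serve("198.51.100.9", "hockey", secrets.token_urlsafe(6), "Th")
    return {
        "thumb_without_password": thumb_no_pw is not None,   # True: key alone is enough
        "medium_without_password": medium_no_pw is not None, # False: password still required
        "medium_with_password": medium_pw is not None,       # True
        "guesser_flagged": "198.51.100.9" in svc.flagged,    # True
        "copier_flagged": "203.0.113.7" in svc.flagged,      # False
    }


if __name__ == "__main__":
    print(walkthrough())
```

The lookup itself is a single hash-table read, which is what makes it cheap enough to skip the password check for the two thumbnail sizes; the miss counter is the "watching them guess" part of the post, and a client that never misses is never touched by it.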

Comments

  • PBolchover Registered Users Posts: 909 Major grins
    edited June 19, 2008
    I'm in favour of these changes...
  • denisegoldberg Administrators Posts: 14,220 moderator
    edited June 19, 2008
    That sounds good to me... increasing speed is good, and you're right that the thumbs are so small that they really aren't useful to anyone. (Of course I still maintain that they are too small, but that's for another discussion...)

    I'm probably not in the class of people you want to hear from though, since I don't have any password protection enabled.

    --- Denise
  • Andy Registered Users Posts: 50,016 Major grins
    edited June 19, 2008
    bump
  • Luc De Jaeger Registered Users Posts: 139 Major grins
    edited June 20, 2008
    Sounds very good to me too. While I have never experienced slow speed connections, visitors do need really fast (instant) page loads.
    And indeed, I can't imagine what people can do with just thumbnails.

    I'd go ahead with your idea!
    Luc
  • pilotdave Registered Users Posts: 785 Major grins
    edited June 20, 2008
    Sounds like a great idea to me. I'm all for anything that'll help speed up page loads. And this really doesn't pose any security risk as far as I'm concerned. It doesn't increase the risk of a stranger coming across thumbnails they aren't supposed to see. Like you said, someone with access to those thumbnails would be able to provide links to them, but who cares because they could already download them and share them directly. Do it!

    Dave
  • JoeG Registered Users Posts: 81 Big grins
    edited June 20, 2008
    I registered just to post in this thread and say... yes... go for it.
    Joe Gearhart
    Photos | Blogs | Twitter | MySpace | Facebook
  • BenA2 Registered Users Posts: 364 Major grins
    edited June 20, 2008
    I like it.
  • micki Registered Users Posts: 47 Big grins
    edited June 21, 2008
    ok, I signed up just so I can give my reasons why I would like the ability to say no. I put all my "Hockey" pictures in Journal form so they are easy to see in a row and quick, for the reasons you said above. By the time people have seen them, the next ones are clear. Also they don't have to CLICK on them to see them larger.

    Here is the main issue. Someone from another team told me "hey Micki did you know they were SCREEN CAPTURING your pictures?" So even at the JOURNAL size they were TAKING my pictures and STEALING THEM and actually making pretty decent printed pictures and utilizing them. "NO WAY"!!!

    So my issue with taking the stinking ability of the right click off is well hmmm shaky. BUT... I say give us the ability to take it off. THEN we can say OK. I mean right now I can either click it ON or click it OFF.

    But at the thumbnail here is the thing. What do I lose? Here is the argument for me. I lose MYSPACE. I lose the ability of a picture on myspace. The kid that rightclicks that picture (easily) for myspace at a small size. That is it. Other than that it doesn't matter.

    Truthfully if you don't watermark your pictures for these types of things then you are a fool (like I was) ;)

    I'm ALL for going quicker but being smart about it. You guys here are the SMARTEST, BEST PLACE in the world for a business to grow! Couldn't do mine without you!
  • aquaticvideographer Registered Users Posts: 278 Major grins
    edited June 21, 2008
    A different opinion
    If I understand correctly, thumbs for a passworded gallery would be available to anyone who knew the right URL (with ImageKey).

    I understand that the ImageKey URLs are virtually impossible to guess, and I'm not too worried about that. However, I personally don't like the idea of any of my images being publicly viewable if in a passworded and/or hidden gallery. I don't want any images being served to anyone I haven't shared the password with.

    My $.02 FWIW...keep up the great work, gals & guys!
  • aquaticvideographer Registered Users Posts: 278 Major grins
    edited June 21, 2008
    Also, forgot to ask this dumb question: would this result in any changes to how images (esp. thumbnails) are indexed? Would thumbnails for hidden/passworded galleries end up getting indexed and made searchable by Google?
  • rich56k Registered Users Posts: 547 Major grins
    edited June 21, 2008
    My .02
    aquaticvideographer wrote:
    If I understand correctly, thumbs for a passworded gallery would be available to anyone who knew the right URL (with ImageKey).

    I understand that the ImageKey URLs are virtually impossible to guess, and I'm not too worried about that. However, I personally don't like the idea of any of my images being publicly viewable if in a passworded and/or hidden gallery. I don't want any images being served to anyone I haven't shared the password with.

    My $.02 FWIW...keep up the great work, gals & guys!

    First off smugmug continues to be the best there is!!

    I agree - I use password and/or unlisted galleries to offer pics to publications and the deal is they must be original/exclusive...

    Maybe I don't understand the whole story here - if someone somehow got the url and 'pulled up' a thumb from said gallery would they then be in the gallery that thumb was originally in??

    Someone else said give us the option (on/off) so it's our choice...

    That being said thanks for asking (limited dgrin) input...

    Big suggestion - Might be a good idea to ask all the pro accts on this matter via our smugmug message center - no way is this considered spam - and the ones potentially affected should have a say also - I just happened to stumble across this thread while posting about an unrelated issue - let's get a real sampling of viewpoints from those of us that continue to pay for the premium features... deal.

    There seems to be "upgrades" that are 'breaking' or disabling features that we are NOT being informed of until after the fact or we happen to discover accidentally!!

    (re: photobar drop down disabled by smugmug - resulting in an empty sliver drop down - YIKES - very unprofessional looking - need a fix ASAP!!!)

    Sorry to go off topic with a slight rant - but it all kind of fits together in the big picture (no pun intended)

    Thanks for being the premier photo site,

    rich56k
    http://HooliganUnderground.com
    Member: ASMP; EP; NPPA; CPS
  • Andy Registered Users Posts: 50,016 Major grins
    edited June 21, 2008
    rich56k wrote:
    First off smugmug continues to be the best there is!!
    Thanks Rich,

    re: your photobar issue, we'll look into that!

    FYI, you are running the old javascript slideshow and it's not supported anymore, hasn't been since Oct 07 - you'll want to update to the Shizam Flash Slideshow, see the sticky in the Customizing forum, okay?
  • populus Registered Users Posts: 73 Big grins
    edited June 21, 2008
    Speed is the most important thing, so I think the thumbnail proposal is a good idea. I don't agree with the comment about polling the pro smuggers - even though I am a Pro account holder, everyone should have equal opportunity to weigh in on this, so Dgrin is the right place for this discussion.
    My Smugmug Site: photos.kimmerer.com
  • brjphoto Registered Users Posts: 168 Major grins
    edited June 21, 2008
    Seems to make sense to me. I'm in favor.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited June 22, 2008
    Aren't you going to offer larger thumbs at some point? If so, I think everyone should consider this question with the largest thumb size in mind that would not require a password.

    My personal opinion is that I want all sizes of a password protected image to require the password before it can be accessed including thumbs. When I put a password on a gallery of kid's sports photos, I'm doing it because I'm making a promise to the parents that a password is required before the images can be accessed. If I didn't need a password and thought that a hard-to-guess URL was OK, I'd use unlisted galleries and sharegroups instead. But, that isn't what parents expect. They are comfortable with a password so that's what I use and as long as I use the password and it actually protects the photos, nobody complains about their kid's photos being on the internet (in fact, they enjoy having the photos).

    As for efficient caching in places that are close to us on the network, isn't there a way that you can make it so that non-password protected thumbs are cached and password protected thumbs are not?

    I also want performance, but I don't think it makes sense to compromise the basic security promise to make things faster. Imagine the article that could be written about Smugmug that says that passwords don't really protect everything. Yeah, they are hard to guess, but if that's all the security someone wanted, then use an unlisted gallery. A password protected gallery is supposed to be held to a higher standard.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • scwalter Registered Users Posts: 417 Major grins
    edited June 22, 2008
    jfriend wrote:
    Aren't you going to offer larger thumbs at some point? If so, I think everyone should consider this question with the largest thumb size in mind that would not require a password.

    My personal opinion is that I want all sizes of a password protected image to require the password before it can be accessed including thumbs. When I put a password on a gallery of kid's sports photos, I'm doing it because I'm making a promise to the parents that a password is required before the images can be accessed. If I didn't need a password and thought that a hard-to-guess URL was OK, I'd use unlisted galleries and sharegroups instead. But, that isn't what parents expect. They are comfortable with a password so that's what I use and as long as I use the password and it actually protects the photos, nobody complains about their kid's photos being on the internet (in fact, they enjoy having the photos).

    As for efficient caching in places that are close to us on the network, isn't there a way that you can make it so that non-password protected thumbs are cached and password protected thumbs are not?

    I also want performance, but I don't think it makes sense to compromise the basic security promise to make things faster. Imagine the article that could be written about Smugmug that says that passwords don't really protect everything. Yeah, they are hard to guess, but if that's all the security someone wanted, then use an unlisted gallery. A password protected gallery is supposed to be held to a higher standard.

    I agree with everything John said.
    Scott Walter Photography
    scwalter.smugmug.com
  • Steve Knight Photo Registered Users Posts: 52 Big grins
    edited June 22, 2008
    Hello All,

    I am glad that I checked in to Dgrin today and I am able to weigh in on this topic. I support SmugMug making changes to increase the speed of the page loads, especially because I live in rural Vermont where a fair share of my customers still have dialup!! However, I also want all of the images in a password protected gallery to be just that. I know that the odds are slim of someone finding a given thumb, but I just don't like the idea of someone lucking out and finding an open door. If you use StatCounter check out how some people find your galleries from the referring url. You might be surprised.

    Steve
    www.steveknightphoto.com
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    micki wrote:
    ok, I signed up just so I can give my reasons why I would like the ability to say no. I put all my "Hockey" pictures in Journal form so they are easy to see in a row and quick, for the reasons you said above. By the time people have seen them, the next ones are clear. Also they don't have to CLICK on them to see them larger.

    Here is the main issue. Someone from another team told me "hey Micki did you know they were SCREEN CAPTURING your pictures?" So even at the JOURNAL size they were TAKING my pictures and STEALING THEM and actually making pretty decent printed pictures and utilizing them. "NO WAY"!!!

    So my issue with taking the stinking ability of the right click off is well hmmm shaky. BUT... I say give us the ability to take it off. THEN we can say OK. I mean right now I can either click it ON or click it OFF.

    But at the thumbnail here is the thing. What do I lose? Here is the argument for me. I lose MYSPACE. I lose the ability of a picture on myspace. The kid that rightclicks that picture (easily) for myspace at a small size. That is it. Other than that it doesn't matter.

    Truthfully if you don't watermark your pictures for these types of things then you are a fool (like I was) ;)

    I'm ALL for going quicker but being smart about it. You guys here are the SMARTEST, BEST PLACE in the world for a business to grow! Couldn't do mine without you!

    So we're only talking about Thumbs and Tinys here, so the Journal sizes don't apply. They'd still require a password for each view.

    And anyone who has been to the gallery can save your thumbnails (or larger) and put them on MySpace just fine.

    Which is why, as you've pointed out, watermarking is your best bet.

    But I don't see how this is an argument against my proposal.
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    aquaticvideographer wrote:
    If I understand correctly, thumbs for a passworded gallery would be available to anyone who knew the right URL (with ImageKey).

    I understand that the ImageKey URLs are virtually impossible to guess, and I'm not too worried about that. However, I personally don't like the idea of any of my images being publicly viewable if in a passworded and/or hidden gallery. I don't want any images being served to anyone I haven't shared the password with.

    My $.02 FWIW...keep up the great work, gals & guys!

    Bear in mind this is trivially easy today, even with our password precautions. Anyone who has your password can re-distribute your photos however they'd like - they just save the photos (which they can, since they have the password) and share them on ImageShack or Photobucket or wherever.

    Watermarks are the only fool-proof security.
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    aquaticvideographer wrote:
    Also, forgot to ask this dumb question: would this result in any changes to how images (esp. thumbnails) are indexed? Would thumbnails for hidden/passworded galleries end up getting indexed and made searchable by Google?

    No, because Google doesn't have the password to those galleries, and thus can't get the Thumb/Tiny URLs.
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    rich56k wrote:
    First off smugmug continues to be the best there is!!

    I agree - I use password and/or unlisted galleries to offer pics to publications and the deal is they must be original/exclusive...

    Maybe I don't understand the whole story here - if someone somehow got the url and 'pulled up' a thumb from said gallery would they then be in the gallery that thumb was originally in??

    Nope, if they got the URL for a passworded Thumb, they'd only have that single Thumbnail. Not the gallery, not the other Thumbnails in that gallery, just that one Thumbnail.
    rich56k wrote:
    Someone else said give us the option (on/off) so it's our choice...

    Can't do that due to technical limitations on the net. Either *all* thumbnails get fast or *all* stay slow. More in a reply to jfriend in a minute...
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    jfriend wrote:
    Aren't you going to offer larger thumbs at some point? If so, I think everyone should consider this question with the largest thumb size in mind that would not require a password.

    It's never been discussed, but if 200 or 300 dpi monitors came along, I'm sure we'd do something. We'd cross that bridge when we came to it, but I think we're a long ways away from that. Most people viewing SmugMug aren't even seeing the Thumb sizes because their monitors are too low-rez.
    jfriend wrote:
    My personal opinion is that I want all sizes of a password protected image to require the password before it can be accessed including thumbs. When I put a password on a gallery of kid's sports photos, I'm doing it because I'm making a promise to the parents that a password is required before the images can be accessed. If I didn't need a password and thought that a hard-to-guess URL was OK, I'd use unlisted galleries and sharegroups instead. But, that isn't what parents expect. They are comfortable with a password so that's what I use and as long as I use the password and it actually protects the photos, nobody complains about their kid's photos being on the internet (in fact, they enjoy having the photos).

    You know this already, but I'll re-iterate: Your promise isn't something you can actually keep. Any of those parents (or the family & friends they share the password with) can easily make those photos available for anyone else. You don't have any control over that, and can't - it's just a fact of Internet life.

    jfriend wrote:
    As for efficient caching in places that are close to us on the network, isn't there a way that you can make it so that non-password protected thumbs are cached and password protected thumbs are not?

    Alas, this isn't the way it works. It's an all-or-nothing deal, and here's why:

    - Your gallery is Public, so we shove your thumbnails out to edge servers and they get served from thousands of servers all over the globe. Everyone marvels at how fast your page is.

    - You change your mind for some reason and turn a gallery password on. In theory, we'd now check for your password, but...

    - Your thumbnails already live all over the world on servers that aren't checking, and can't check, your password because you said they were Public....

    Now, those servers will eventually discard those thumbnails if they're not viewed, at which point your Password comes back into effect... but until then, they're not Passworded even though you changed your gallery settings.

    And in case you were going to ask, we can't just make all those servers "phone home" to see if the photo is ok because then we're back to square one: the speed of light is inflexible. It'll take just as long for us to "phone home" as it would to serve them out of Silicon Valley anyway.

    Clear as mud? Bottom line: Either *all* thumbnails get super-fast, or *all* thumbnails stay slow. And I'm afraid since you're in the Bay Area, you don't feel the pain of our East Coast and International customers - but we hear from them every day.
    jfriend wrote:
    I also want performance, but I don't think it makes sense to compromise the basic security promise to make things faster. Imagine the article that could be written about Smugmug that says that passwords don't really protect everything. Yeah, they are hard to guess, but if that's all the security someone wanted, then use an unlisted gallery. A password protected gallery is supposed to be held to a higher standard.

    That's not really fair, and any well-researched article wouldn't come to that conclusion. Passwords would still protect almost everything - just not 100px and 150px versions of those photos.

    That doesn't seem like a fair tradeoff for pages that don't load forever if you're not in Silicon Valley?
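The all-or-nothing argument in the reply above is easiest to see in a small simulation. The following Python is an added example, not SmugMug's code: an origin that knows gallery passwords, an edge server that serves whatever it has cached without asking, and a walk through the three steps onethumb lists. It assumes a fixed 24-hour edge lifetime counted from the moment a thumbnail was cached, a constructed ImageKey "abc123" and password "hunter2", and the rule that only thumbnails from public galleries are ever handed to the edge.

```python
from dataclasses import dataclass
from typing import Optional

# Seconds an edge keeps a thumbnail before going back to the origin; assumed value.
EDGE_TTL = 24 * 3600


@dataclass
class Thumb:
    gallery_id: str
    data: bytes


class Origin:
    """Origin in California: the only place that knows gallery settings."""

    def __init__(self):
        self.passwords = {}   # gallery_id -> password, or None when the gallery is Public
        self.thumbs = {}      # image_key -> Thumb

    def fetch(self, image_key: str, password: Optional[str] = None):
        """Return (data, cacheable). Thumbnails of passworded galleries are never marked cacheable."""
        thumb = self.thumbs.get(image_key)
        if thumb is None:
            return None, False
        required = self.passwords.get(thumb.gallery_id)
        if required is not None and password != required:
            return None, False
        return thumb.data, required is None


class Edge:
    """Edge server near the visitor: answers from its cache without consulting the origin."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.cache = {}       # image_key -> (data, expires_at)

    def get(self, image_key: str, now: int, password: Optional[str] = None):
        """Return (data, source). A fresh cache entry is served with no password check at all."""
        entry = self.cache.get(image_key)
        if entry is not None and entry[1] > now:
            return entry[0], "edge"
        self.cache.pop(image_key, None)          # expired or absent: go back to the origin
        data, cacheable = self.origin.fetch(image_key, password)
        if data is not None and cacheable:
            self.cache[image_key] = (data, now + EDGE_TTL)
        return data, "origin"


def staleness_window():
    """Walk through the scenario and report what a visitor without the password gets."""
    origin = Origin()
    origin.passwords["gallery"] = None                        # step 1: gallery is Public
    origin.thumbs["abc123"] = Thumb("gallery", b"jpeg-bytes")  # constructed key and bytes
    edge = Edge(origin)

    first, _ = edge.get("abc123", now=0)                      # public fetch: edge caches it
    origin.passwords["gallery"] = "hunter2"                   # step 2: owner turns a password on

    leaked, src_leaked = edge.get("abc123", now=3600)         # step 3: edge still has it
    blocked, src_blocked = edge.get("abc123", now=EDGE_TTL + 1)   # after expiry the origin enforces
    allowed, _ = edge.get("abc123", now=EDGE_TTL + 2, password="hunter2")
    recached = "abc123" in edge.cache                         # passworded thumbs are not re-cached

    return {
        "cached_while_public": first is not None,                            # True
        "served_after_password_on": leaked is not None and src_leaked == "edge",  # True
        "blocked_after_ttl": blocked is None and src_blocked == "origin",    # True
        "allowed_with_password": allowed is not None,                        # True
        "recached_after_password": recached,                                 # False
    }


if __name__ == "__main__":
    for name, value in staleness_window().items():
        print(f"{name}: {value}")
```

The gap between turning the password on and the edge entry expiring is exactly the exposure the reply describes: the edge cannot enforce a setting it has never seen, and asking the origin on every hit would cost the round trip the caching was meant to remove. A shorter lifetime narrows that window at the price of more origin fetches; changing the gallery setting does not shrink it at all.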
  • onethumb Administrators Posts: 1,269 Major grins
    edited June 23, 2008
    Steve Knight Photo wrote:
    Hello All,

    I am glad that I checked in to Dgrin today and I am able to weigh in on this topic. I support SmugMug making changes to increase the speed of the page loads, especially because I live in rural Vermont where a fair share of my customers still have dialup!! However, I also want all of the images in a password protected gallery to be just that. I know that the odds are slim of someone finding a given thumb, but I just don't like the idea of someone lucking out and finding an open door. If you use StatCounter check out how some people find your galleries from the referring url. You might be surprised.

    Steve
    www.steveknightphoto.com

    Just to be clear, people can't "just find" these galleries. They also have to have the password - so search engines and other referring URLs don't apply here.

    In my humble opinion, your photos (including the thumbnails) would be very secure.
  • gblotter Registered Users Posts: 176 Major grins
    edited June 23, 2008
    aquaticvideographer wrote:
    Would thumbnails for hidden/passworded galleries end up getting indexed and made searchable by Google?
    onethumb wrote:
    No, because Google doesn't have the password to those galleries, and thus can't get the Thumb/Tiny URLs.
    That answers half the question. I can see why thumbnails from a passworded gallery won't be indexed by Google, but what about thumbnails from an unlisted (and unpassworded) gallery? Will Google now see those thumbnails under the proposed scenario?

    Another way to ask the question: Will SmugIslands (specifically Hello World) continue to function as advertised with your implementation of looser thumbnails?

    And a suggestion ... if you decide to loosen viewing restrictions on thumbnails, it might be nice to give us the option to force all thumbnails to the tiny size (100x100) for an extra measure of comfort.
  • PBolchover Registered Users Posts: 909 Major grins
    edited June 23, 2008
    gblotter wrote:
    what about thumbnails from an unlisted (and unpassworded) gallery? Will Google now see those thumbnails under the proposed scenario?

    As I understand it nothing will change here. If the link to the unlisted gallery is on the web somewhere (or elsewhere in your site), then the Google crawler can find the gallery, and google might index your photos. If SmugIslands tells google not to index your photos, then they won't be indexed (providing that Google obeys the "no index" command).

    The SmugIslands setting is applied to the html page of the gallery. If google doesn't crawl the html page, it won't get the URL for the images.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited June 23, 2008
    onethumb wrote:
    It's never been discussed, but if 200 or 300 dpi monitors came along, I'm sure we'd do something. We'd cross that bridge when we came to it, but I think we're a long ways away from that. Most people viewing SmugMug aren't even seeing the Thumb sizes because their monitors are too low-rez.

    You know this already, but I'll re-iterate: Your promise isn't something you can actually keep. Any of those parents (or the family & friends they share the password with) can easily make those photos available for anyone else. You don't have any control over that, and can't - it's just a fact of Internet life.

    Alas, this isn't the way it works. It's an all-or-nothing deal, and here's why:

    - Your gallery is Public, so we shove your thumbnails out to edge servers and they get served from thousands of servers all over the globe. Everyone marvels at how fast your page is.

    - You change your mind for some reason and turn a gallery password on. In theory, we'd now check for your password, but...

    - Your thumbnails already live all over the world on servers that aren't checking, and can't check, your password because you said they were Public....

    Now, those servers will eventually discard those thumbnails if they're not viewed, at which point your Password comes back into effect... but until then, they're not Passworded even though you changed your gallery settings.

    And in case you were going to ask, we can't just make all those servers "phone home" to see if the photo is ok because then we're back to square one: the speed of light is inflexible. It'll take just as long for us to "phone home" as it would to serve them out of Silicon Valley anyway.

    Clear as mud? Bottom line: Either *all* thumbnails get super-fast, or *all* thumbnails stay slow. And I'm afraid since you're in the Bay Area, you don't feel the pain of our East Coast and International customers - but we hear from them every day.

    That's not really fair, and any well-researched article wouldn't come to that conclusion. Passwords would still protect almost everything - just not 100px and 150px versions of those photos.

    That doesn't seem like a fair tradeoff for pages that don't load forever if you're not in Silicon Valley?

    Thanks for the response.

    Hmmm. I thought I had read that larger thumbs were going to be in the offering for home page and category pages at some point. On large screens with less than 10 galleries in a category, today's thumbs look really, really small. I'm surprised this isn't something that anyone is considering. I thought this would be part of the stretchy home page and category pages that senses your browser window sizes and took more appropriate use of screen real estate than today's hard-wired layout. That's why I mentioned larger thumbs.

    What I have to offer my viewers is security that matches what they think they need. Right now, they are happy with the situation where a password is required before anyone can access the images. I'm sure some of my viewers know that the password could be shared in a public way beyond the intended audience or that someone could download and post the photos to a non-password protected site, but they are OK with the way it is today. I am meeting their requirement.

    Further, when your kids get a little older and you take and post pictures of school events, you will probably find the same thing I do - that many schools have policies about not sharing photos of school kids that aren't password protected. Those policies don't say anything about how large the photo has to be before it has to be password protected or whether it's OK if the URL is hard to guess. It just says that if it's password protected, then everyone is cool with it. In general the administrator policing the policy is non-technical so explanations about why you don't meet the rules are difficult at best. If I meet that bar, even when someone knows about all the warts in the implementation, then I'm fine. If I don't meet that bar, I don't have an opportunity to change the rules. I just have to play by the rules or I can't post the photos without getting individual permission from each parent (an impracticality).

    What you are offering us here is a tradeoff between security and performance. I want the increase in performance, but I'm not particularly happy with compromising security and I think there are cases where this could cause problems for Smugmug as a business too.

    When faced with a compromise that doesn't seem ideal, what I've been doing since I was a customer, a user, a software developer, a software manager, a software VP and a software CTO was to challenge the engineers to come up with a better option that is less of a compromise (or perhaps no compromise). By making folks think about other options and asking pointed questions, we sometimes come up with a better option. While I am just a Smugmug customer in this instance, you asked for feedback on your proposal, so it's in that spirit that I will challenge it a bit and ask for something better.

    When you let images get cached at the edges, don't those images have a cache expiration time? If only non-password protected images were allowed to be cached and the cache expiration time could be set to something like 24 hours, couldn't we have a better solution?
    • If a customer had a non-password protected gallery, all thumbs could be cached at the edges of the network. Better performance than today.
    • If a customer had a password protected gallery, maximum security would be provided and access to the thumbs would still require a password like they do today. Same performance and security as today.
    • If a customer had a password protected gallery that they removed the password from, caching could begin immediately because you'd start allowing them to be cached immediately.
    • If a customer had a non-password protected gallery that was already cached and the customer added a password to the gallery, the front door to the gallery would immediately respect the password (like it does today) and the only compromise in this scenario from today is that the thumbs cached at the edge would have to "time-out" from the cache (e.g. 24 hrs) before they required a password to be accessed.
    This seems to me a lot better than what you are proposing. The password on the gallery page would take effect immediately so the front door would immediately be blocked by the password. The password on the back door (guessing URLs or URLs posted without your permission) would be enforced as soon as the cache expired. Once the cache expires, they get full protection just like today. If the caching works differently than this, please explain so I can understand where the issue is.

    On the security front, there are at least three kinds of security needs:
    1. Security features a customer actually needs and uses.
    2. Security features that a customer thinks they need, but may not actually use. Since perception is reality with security, this can be as important as the first category, even in cases the customer will never actually use the feature.
    3. Security features or vulnerabilities that sound bad when written about in a public article, even when they aren't necessarily something that practically causes a problem for people.
    Password protected galleries are clearly in the first bucket. Many people use them and know they need them. Enforcing password protection for accessing all sizes of the images is definitely in the third bucket (could sound bad when written about if you don't do it) and will be in the second bucket also for some people.

    Does a customer actually "need" thumbs to be protected by a password? That is probably debatable, but if they think they would need it or an unfavorable article about Smugmug security can be written about it, then it's going to cause trouble if you don't offer it. Most of the time, perception is reality in security. It's the one area of software where you really have to aim for what the customer thinks they need rather than what they really need, and it's the one area of software where you have to think hard about what can be written about your product or service if all the cards are known.

    If you implement what you are proposing, a completely factual article could be written with a headline "Smugmug not enforcing full password protection on password protected galleries". The salient points in the article could be:
    • Thumbnail images do not require that a password be entered before they display.
    • While the URLs are not easy to guess, thumbnail images are following the logic of unlisted galleries (hard to guess), not password protected galleries (requires password be entered before display).
    • This was done on purpose to enhance performance and allow better edge network caching, so it's an intended design, not a bug.
    • If you need (or think you need) "full password" protection that works even against URL guessing, you should not use Smugmug.
    Yes, you could write a rebuttal that explains why most users are fine with this because the URL guessing is hard, but by then the damage has already been done. Do you really want to go there or take the risk of ending up there?

    I hope this doesn't turn into an argument. You asked what we thought so I'm trying to explain what I think and hopefully offering some helpful reasoning.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
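    The cache policy John sketches above (cache thumbs only for unprotected galleries, with a fixed expiry; never cache thumbs from password protected galleries) can be modelled end to end. The following is an added example written for this thread, not code from SmugMug or from any poster. It assumes a single edge node in front of an origin that is the only place the password is checked, expresses the policy as an HTTP-style `Cache-Control` string, and uses the 24-hour expiry from the post. The four scenarios in `run_scenarios` are the four bullets of the proposal, including the stale-copy window that remains when a password is added to a gallery whose thumbs are already cached.

```python
"""Toy model of 'cache unprotected thumbs at the edge, with a TTL' (added example)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_TTL = 24 * 3600  # seconds; the 24-hour edge expiry suggested in the post


@dataclass
class Gallery:
    """A gallery with an optional password; None means unprotected."""
    password: Optional[str] = None


class Origin:
    """Origin server: the only component that ever checks a password."""

    def __init__(self, galleries):
        self.galleries = galleries

    def fetch(self, gallery_id, supplied_password):
        """Return (body, cache_control). body is None when access is denied."""
        gallery = self.galleries[gallery_id]
        if gallery.password is None:
            # Unprotected gallery: let shared caches keep a copy for PUBLIC_TTL.
            return f"thumb-bytes:{gallery_id}", f"public, max-age={PUBLIC_TTL}"
        if supplied_password != gallery.password:
            return None, "no-store"
        # Correct password: serve the bytes but forbid any shared caching.
        return f"thumb-bytes:{gallery_id}", "private, no-store"


class EdgeCache:
    """One edge node: answers from a fresh copy without consulting the origin."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}  # gallery_id -> (body, expires_at)

    def get(self, gallery_id, supplied_password, now):
        """Return (body, source) where source is 'HIT' or 'MISS'."""
        cached = self.store.get(gallery_id)
        if cached is not None and now < cached[1]:
            return cached[0], "HIT"
        body, cache_control = self.origin.fetch(gallery_id, supplied_password)
        if body is not None and cache_control.startswith("public"):
            max_age = int(cache_control.rsplit("max-age=", 1)[1])
            self.store[gallery_id] = (body, now + max_age)
        return body, "MISS"


def run_scenarios():
    """Walk through the four cases in the post; returns the observations."""
    galleries = {"open": Gallery(), "locked": Gallery(password="s3cret")}
    edge = EdgeCache(Origin(galleries))
    out = {}

    # 1. Unprotected gallery: the first request fills the edge, the second is a HIT.
    edge.get("open", None, now=0)
    out["open_second_request"] = edge.get("open", None, now=10)[1]

    # 2. Protected gallery: every request goes to the origin; nothing is cached,
    #    so a request without the password is denied even right after a good one.
    out["locked_right_pw"] = edge.get("locked", "s3cret", now=0)[0] is not None
    out["locked_no_pw"] = edge.get("locked", None, now=1)[0]

    # 3. Password removed: the very next request becomes cacheable.
    galleries["locked"].password = None
    edge.get("locked", None, now=2)
    out["unlocked_then_hit"] = edge.get("locked", None, now=3)[1]

    # 4. Password added to an already-cached gallery: the edge keeps serving the
    #    stale copy until the TTL runs out; after that the origin enforces it.
    galleries["open"].password = "newpw"
    out["stale_window"] = edge.get("open", None, now=100)[1]
    out["after_expiry"] = edge.get("open", None, now=PUBLIC_TTL + 1)[0]
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Scenario 4 is the one place the model deviates from today's behaviour: a password added at time 100 is enforced by the origin immediately, but the edge still answers from its copy until the 24-hour `max-age` elapses. Shortening `PUBLIC_TTL` narrows that window at the cost of more origin traffic, which is the knob the proposal trades on.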
  • georgesgeorges Registered Users Posts: 138 Major grins
    edited June 23, 2008
    jfriend wrote:
    ...Further, when your kids get a little older and you take and post pictures of school events, you will probably find the same thing I do - that many schools have policies about not sharing photos of school kids that aren't password protected. Those policies don't say anything about how large the photo has to be before it has to be password protected or whether it's OK if the URL is hard to guess. It just says that if it's password protected, then everyone is cool with it. ...

    I'm not sure I see the issue here. Both the current and proposed methods start out requiring the password.

    In the current method a person would use the password to access the photos, copy them, then make them available to others.

    In the proposed method a person would use the password to access the photos, copy the links or the photos, then make either available to others.

    Either way, a person needs the password for initial access.

    I don't see any difference.

    I do have a question, but I'll ask that in another message.
    See you later, gs

    http://georgesphotos.net
  • georgesgeorges Registered Users Posts: 138 Major grins
    edited June 23, 2008
    Changing the password...
    OK, so let's say I determine that a bad guy has guessed my password.

    When I change the password, do the urls of thumbnails get regenerated?

    If not, how would I force a regeneration of the urls?
    See you later, gs

    http://georgesphotos.net
  • jfriendjfriend Registered Users Posts: 8,097 Major grins
    edited June 23, 2008
    georges wrote:
    I'm not sure I see the issue here. Both the current and proposed methods start out requiring the password.

    In the current method a person would use the password to access the photos, copy them, then make them available to others.

    In the proposed method a person would use the password to access the photos, copy the links or the photos, then make either available to others.

    Either way, a person needs the password for initial access.

    I don't see any difference.

    I do have a question, but I'll ask that in another message.

    The issue is that Smugmug is proposing that a password would not be required if someone knew or guessed the URL of a thumb. Today, if you enter the URL into your browser of a thumb in a password protected gallery (that you haven't already entered the password for), nothing displays. With the change they are proposing, that URL would display the gallery without entering the password. That would make thumb URLs subject to URL guessing and they'd have the same security as an unlisted gallery rather than a password protected gallery. There clearly is a difference. Whether that matters or not depends upon your perception, your understanding of the situation and your particular requirements.

    Essentially, the front door would still be password protected. The back door (direct entering of the URL which is somewhat hard to guess) is password protected today, but would not be in the new proposal. The back door isn't that easy to find and only shows thumbs, but it is there and it isn't locked.
    --John
    Homepage | Popular
    JFriend's javascript customizations | Secrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • AndyAndy Registered Users Posts: 50,016 Major grins
    edited June 23, 2008
    georges wrote:
    OK, so let's say I determine that a bad guy has guessed my password.

    When I change the password, do the urls of thumbnails get regenerated?

    If not, how would I force a regeneration of the urls?
    No, but if you made a 2nd copy of the images, they'd get new imageIDs (urls).