Kryptronic Software Support Forum


#1 06-13-2004 06:43:21

keridigion
Member
Registered: 06-12-2004
Posts: 3

How Secure Is The Download Method?

Hi, I wonder if someone can clarify exactly how secure the download method is.

As I understand it, a customer receives the confirmation email, detailing the user name and pass for the media/downloads directory, along with a URL which begins the download of their uniquely named file when they submit the correct username and pass. I.e., they (1) enter their URL, (2) are prompted for the username and pass, and then (3) the download begins automatically. Is this correct?

If so, how does this stop anyone from simply truncating their download URL, entering the URL to the media directory and then entering the username and pass and simply browsing for any goods that are available? Is it set so that it cannot be viewed, only accessed directly for download?

If so, what's to stop people from passing their information along? I.e., "Hey, I just purchased 'XXXX Software', and the download URL is good for three days. The username and pass is 'xxxxx' and 'xxxx.' Get it while you can!" Is there a way of tracking and logging IPs? Perhaps a way of shutting off the download link automatically and immediately if there are a suspicious number of downloads? Does it report when a download is completed? (Heh, is this even possible?)

How secure is this method? I look forward to your reply, as this is the one sticking factor that's stopping my purchase of CCP.

Thanks for your time.


#2 06-15-2004 12:01:34

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798

Re: How Secure Is The Download Method?



> If so, how does this stop anyone from simply truncating their download URL, entering the URL to the media directory and then entering the username and pass and simply browsing for any goods that are available? Is it set so that it cannot be viewed, only accessed directly for download?

Yes, it's set so it can't be viewed.  There are two files in there: index.htm and default.htm and with those present and showing blank pages, the webserver will not produce a directory listing.



> If so, what's to stop people from passing their information along? I.e., "Hey, I just purchased 'XXXX Software', and the download URL is good for three days. The username and pass is 'xxxxx' and 'xxxx.' Get it while you can!" Is there a way of tracking and logging IPs? Perhaps a way of shutting off the download link automatically and immediately if there are a suspicious number of downloads? Does it report when a download is completed? (Heh, is this even possible?)

This isn't really possible under the current system.  The precautionary measure taken in CCP is to allow you to expire the download link according to your needs.  Check Global Settings | Manage Program Settings for available time periods.



> How secure is this method? I look forward to your reply, as this is the one sticking factor that's stopping my purchase of CCP.

It's fairly secure.  As secure as just about any other download method out there that works on a variety of webservers (Unix, Linux, Windows, etc.).


Nick Hendler
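The IP tracking and suspicious-download check asked about in this exchange can be approximated outside CCP from the web server's access log. The following is an added example, not part of this thread and not Kryptronic code; it assumes Apache Common Log Format and a `/media/downloads/` URL path, and the threshold, file names and log lines are constructed.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
DOWNLOAD_PREFIX = "/media/downloads/"  # assumed URL path of the protected directory
MAX_DISTINCT_IPS = 2                   # hypothetical threshold, tune per store

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
198.51.100.7 - dl4821 [13/Jun/2004:06:50:01 -0400] "GET /media/downloads/a91f3c.zip HTTP/1.1" 200 5242880
198.51.100.7 - dl4821 [13/Jun/2004:06:58:40 -0400] "GET /media/downloads/a91f3c.zip HTTP/1.1" 200 5242880
203.0.113.15 - dl4821 [13/Jun/2004:09:12:13 -0400] "GET /media/downloads/a91f3c.zip HTTP/1.1" 200 5242880
192.0.2.44 - dl4821 [13/Jun/2004:09:30:55 -0400] "GET /media/downloads/a91f3c.zip HTTP/1.1" 200 5242880
192.0.2.90 - - [13/Jun/2004:10:02:11 -0400] "GET /media/downloads/ HTTP/1.1" 401 401
203.0.113.80 - dl5007 [14/Jun/2004:11:00:00 -0400] "GET /media/downloads/c77e10.zip HTTP/1.1" 200 1048576
"""

def distinct_ips_per_file(log_text):
    """Map each uniquely named download file to the set of client IPs served it."""
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not m["path"].startswith(DOWNLOAD_PREFIX):
            continue
        # Keep only 200/206 responses for a file; skip 401 prompts and the directory URL.
        if m["status"] not in ("200", "206") or m["path"] == DOWNLOAD_PREFIX:
            continue
        ips[m["path"]].add(m["ip"])
    return ips

def flag_shared(log_text, max_ips=MAX_DISTINCT_IPS):
    """Return sorted (path, distinct_ip_count) for files fetched from more than max_ips IPs."""
    return sorted(
        (path, len(addrs))
        for path, addrs in distinct_ips_per_file(log_text).items()
        if len(addrs) > max_ips
    )

if __name__ == "__main__":
    for path, n_ips in flag_shared(SAMPLE_LOG):
        print(f"review {path}: served to {n_ips} distinct IPs")
```

A 200 in the log does not prove the transfer finished; comparing the logged byte count with the file's size is the closer check for a completed download.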


#3 06-20-2004 04:56:47

TheThinker
Member
From: Salt Lake City, Utah
Registered: 06-16-2004
Posts: 535

Re: How Secure Is The Download Method?

keridigion,

I had the same concern as you. Plus, I was also concerned about providing a "legally defensible" method of proving that a given end-user had indeed received a specific digital product through a download. So I wrote a little program, in C/C++, which is really a scripted FTP client, that performs the download, then validates the download (using a separate manifest file with an advanced checksum), then deletes the digital asset, and then uploads a log file showing the above steps in detail. I figure the fact that the download is uniquely named, and is erased by the end-user upon successful download, is pretty secure. Plus I get the added benefit of: 1) having my install/FTP client do all of the end-user error-prone steps (of downloading a file); and 2) being able to prove to a credit card company that the end-user did indeed get the file.

I integrated this download program with CCP 5.1 so that I have no manual processing.  It even e-mails the appropriate information to the end-user.  For digital assets that are end-user specific, it even creates the download file and the manifest file on the fly via a system process.


Regards,
Eric


#4 06-21-2004 13:01:22

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798

Re: How Secure Is The Download Method?

Hello TheThinker.  I'd like to see this in action.  Do you have a demo, or could you send me info to support@kryptronic.com?  Thanks.


Nick Hendler
