May 22, 2010
Make Image Assets Secure
When you want your customers to have access to certain images or other assets only when they are online and logged in, you would be hard-pressed to ensure this is the case unless…
You know how to make your images and other assets secure from offline use.
SecureImage(tm) makes image files (.JPG, .PNG and .GIF) unviewable unless they are being viewed from a particular domain.
SecureImage(tm) is ideal for any use-case where people are not supposed to be able to see certain assets, such as images, videos or documents, when they are not logged in.
SecureImage(tm) is ideal for the use-case where the user community must be logged in and authenticated in order to use certain assets.
Consider the Online Training Use-Case
When Online Training is being offered to authenticated users, the organization offering the training might want to ensure that offline use of its materials is not allowed. As we all know, Firefox is an ideal browser for those who want to see offline content, because this one browser, more than the others, makes offline use of materials very easy.
When the Online Training materials are being viewed offline they should be unavailable and invisible to the casual user.
How does SecureImage(tm) work?
Let’s just say the primary function of SecureImage(tm) is to disallow access unless the items being protected by SecureImage(tm) are being viewed from a single known domain.
SecureImage(tm) ensures the protected assets are being served from the single known domain and that this single known domain is serving the content under the control of a single known authority.
Simply spoofing the single known domain would not be good enough; however, it is not difficult to hide the URI for the assets being protected by SecureImage(tm) by serving those assets via Flash/Flex, where the URI is never exposed to the user.
SecureImage(tm) also uses a “key” that is requested by each asset whenever the single known domain is present; the value of the “key” is encrypted and signed with a temporal signature, ensuring it cannot be reused outside the scope of a sliding window of time.
Those who wish to spoof the SecureImage(tm) system would have to know the single known domain for each asset along with the value of the “key” and the method that was used to sign this key.
Additionally, SecureImage(tm) uses SWF Obfuscation to make it very difficult, if not impossible, to reverse engineer the assets being protected by SecureImage(tm).
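The time-limited “key” described above can be illustrated on the server side as follows. This is an added example, not SecureImage(tm) code: it assumes HMAC-SHA256 as the signature, a 300-second window, a secret that never leaves the server, and hypothetical names (`issue_key`, `verify_key`); the encryption step the post mentions is not shown.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 300  # assumed width of the sliding window


def _mac(secret: bytes, domain: str, asset_id: str, issued_at: int) -> bytes:
    # Length-prefix every field so ("a", "bc") and ("ab", "c") never collide.
    fields = (domain.lower().encode(), asset_id.encode(), str(issued_at).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()


def issue_key(secret: bytes, domain: str, asset_id: str, now=None) -> str:
    """Return '<issued_at>.<tag>' bound to one domain and one asset."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(secret, domain, asset_id, issued_at).decode()}"


def verify_key(secret: bytes, token: str, domain: str, asset_id: str,
               now=None, window: int = WINDOW_SECONDS) -> bool:
    now = int(time.time() if now is None else now)
    try:
        ts_text, tag = token.split(".", 1)
        issued_at = int(ts_text)
    except ValueError:
        return False  # malformed token
    # Reject keys outside the window, including ones dated in the future.
    if not 0 <= now - issued_at <= window:
        return False
    expected = _mac(secret, domain, asset_id, issued_at)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, tag.encode("utf-8", "replace"))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed sample value
    domain = "training.example.com"          # constructed sample value
    key = issue_key(secret, domain, "lesson-01.png", now=1_000_000)
    print(verify_key(secret, key, domain, "lesson-01.png", now=1_000_100))
    print(verify_key(secret, key, domain, "lesson-01.png", now=1_000_301))
    print(verify_key(secret, key, "other.example.com", "lesson-01.png", now=1_000_100))
```

The check only holds if the secret stays on the server; a copy of it embedded in a client-side SWF would be available to anyone who has the file.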
Ease of Use
SecureImage(tm) can be deployed by anyone who can operate the Flex Compiler, as each asset is wrapped by embedding it into a SWF.
The trade-off is bandwidth, as one is trading a larger asset for security. Those who have assets they wish to protect from offline use would probably not mind the bandwidth cost.