Here we shall discuss the means of
protecting information on web pages. Web data, whether it be
accounting records or privileged information, can be stored in
databases and delivered dynamically, or it can be stored in static
files. Either way, it needs to be displayed in a custom viewer or
web browser via web pages from a web site.
The simplest form of protection for web data is password
protection where privileged users can use a username/password combination for
access to pages that display the information that they seek.
Commonly used examples of password protected web sites are those
that use a Content Management System (CMS) like Drupal, Joomla,
Moodle or WordPress. Each of those CMS can use additional add-ons
that can be installed to enhance member controls and different
levels of access to restricted parts of the web site. The CMS
mentioned here are the most popular ones because they are free and
easy for almost anyone to install. Larger entities often use custom
developed CMS for enhanced security (more on that later).
These CMS use a database to store all information displayed on the
web site. When an item is requested the information is drawn from
the database and displayed dynamically, filling the appropriately
suited template. Access to the database and its records is
protected by a password known only to the code behind the web pages.
Thus the information and data stored in the database can be restricted
to viewing by logged-in users only.
Password protection can restrict access to the page displaying the information,
but the information (data) sent from the server to the user's computer can be
intercepted with packet-sniffing software by someone on the same network.
That means that anyone on the same network as the server can trace data sent from the
server and anyone on the user's network can intercept data being received. That
is, unless the data is encrypted. However, the data sent between a CMS and the
user's browser is not usually encrypted. Using SSL on the website and requiring
that all page requests use HTTPS provides a means of encrypting web data that
can prevent usernames and passwords from being intercepted. However, SSL has been
circumvented in the past and today all web browsers raise an alarm if
Transport Layer Security (TLS). TLS is the successor to SSL and uses stronger
encryption, i.e. a combination of symmetric and asymmetric cryptography using
the user's session ID as the decryption key.
While that may sound like a secure solution, that is not all that can be done.
Modern web browsers cache everything that they download and that means that they
save everything to a temporary folder before displaying it. Data can be
retrieved from browser cache.
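The two exposures described above (readable traffic when a page is not served over HTTPS, and copies left in the browser cache) can both be checked from a protected page's response headers. The following is an added example, not part of the original article; the audit_response function, the URLs and the header values are constructed for illustration.

```python
# Added example: audit one response for the transport and cache exposures
# discussed above. All URLs and header values below are constructed samples.

def audit_response(url, headers):
    """Return a list of findings for a response to a login-protected page.

    url     -- URL that was requested
    headers -- list of (name, value) tuples as sent by the server
    """
    def values(name):
        return [v for k, v in headers if k.lower() == name]

    findings = []

    # Transport: without HTTPS, anyone on the path can read the page and cookies.
    if not url.lower().startswith("https://"):
        findings.append("served over plain HTTP")
    elif not values("strict-transport-security"):
        findings.append("HTTPS without Strict-Transport-Security")

    # Cache: no-store asks browsers and proxies not to keep a copy of the response.
    directives = {d.strip().lower().split("=")[0]
                  for v in values("cache-control") for d in v.split(",")}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")

    # Session cookie: without Secure it is also sent on plain-HTTP requests.
    for raw in values("set-cookie"):
        name, _, rest = raw.partition("=")
        attrs = {a.strip().lower() for a in rest.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name.strip()} lacks Secure")

    return findings

WEAK = ("http://cms.example/members/report", [
    ("Content-Type", "text/html"),
    ("Cache-Control", "private, max-age=600"),
    ("Set-Cookie", "sid=abc123; Path=/"),
])
HARDENED = ("https://cms.example/members/report", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, hdrs in (WEAK, HARDENED):
        print(url, audit_response(url, hdrs) or "no findings")
```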
To properly secure web data, encryption is needed between
the web server and the user's web browser so that, should packets be intercepted,
they cannot be deciphered. To create a secure tunnel between server and web
browser, software needs to be installed on the server to encrypt the HTTP
requests before they are sent to the browser. There are many solutions that
provide a secure tunnel, but if that data can be viewed in normal web browsers
then it can be exploited. Unless, of course, a browser plugin is used to decrypt
proprietarily encrypted data for display in the browser. But again, popular web
browsers are not designed to protect web content in any way, so whatever is
downloaded can be retrieved from cache or memory.
So the best alternative is to use a secure tunnel that uses proprietary
encryption (not open source) and ensure that the data is secure on both ends, on
the web server and in the web browser, and the best way to do that is to use a
proprietary web browser, one properly designed to cater for data protection and
not provide easy methods for copy, print, and save of the web content.
The only server and browser solution that fits, and that will effectively protect
data from all avenues and also provide copy protection of the web content while
on display, is the ArtistScope Site Protection System (ASPS), which uses the
ArtisBrowser.
Author: William Kent
Date: 29th June 2019