Carl Camera

Protecting ViPR from Bandwidth Bandits

While creating ViPR, I became aware that there is a potential for abuse of this technology, believe it or not! [Feigned look of horror.] Milan Negovan raised this issue recently in a blog post titled "Don't Let Your Site Get Framed."

Really. There are folks out there who might want to generate text-on-the-fly and not use their own installation of Vine Type. Milan has a name for these folks that I won't repeat here. They might use, for instance, your installation, or mine in this case, since I haven't released a ViPR-enabled Vine Type yet. (0.99 coming soon folks, honest.)

People could craft pages and display text images on their site that were generated by your site. Not naming names here, but I did visit a site recently where this practice was actually occurring. I'm not sure if the blog owner has an agreement with the other domain generating the text images or not. Perhaps I'll ask him at SxSW.

Anyway, Vine Type as it existed a week ago permitted crafting image source paths (what is usually called hotlinking, or URL spoofing) in such a manner that other sites could generate an image of any text string they chose. They were restricted to my ViPR font color and style, but they could place any message on their site that they chose.

This was because ViPR generated text from the URL in this manner:

<img src="...?img=default|Protecting Bandwidth" ... />

Anyone on any site could create that same img element, change "Protecting Bandwidth" to "Welcome to MalWare Central", and their site would display a "Welcome to MalWare Central" image served from my site.

This design is too tantalizing not to deal with. While any image can be hotlinked from another site, the fact that the text was customizable created, I believe, a tremendous incentive for abuse.

To reduce the incentive significantly, I removed customizability. Rather than putting the article title text in the src path, ViPR now places the article id and looks up the article title from the id.

Folks can now steal my article titles and display them on their sites, but they can't craft custom messages anymore.

<img src="...?img=default|50" ... />

Default, by the way, is the name of the template associated with the page being displayed. I'm hoping this design will mitigate any potential for bandwidth abuse that using Vine Type with ViPR might present.
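The two designs side by side, as an added example written in Python for illustration rather than Vine Type's own code. The article table, the set of template names, the function names and the query format beyond "img=template|value" are assumptions, and the renderer is a stub that returns a string instead of image bytes:

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the blog's article table (id -> title); the real
# lookup would hit Vine Type's own storage.
ARTICLES = {
    50: "Protecting ViPR from Bandwidth Bandits",
    51: "Another Article Title",
}

# Template names ViPR knows about; "default" is the one shown in the post.
KNOWN_TEMPLATES = {"default"}

# Article ids are small positive integers; bound the length so the lookup
# never sees a huge number, a sign, or a non-ASCII digit string.
ARTICLE_ID = re.compile(r"[0-9]{1,9}")


def render_text(template, text):
    """Stub for the image renderer: returns a description instead of PNG bytes."""
    return f"[{template}] {text}"


def parse_img_param(query_string):
    """Split the 'img=template|value' parameter into (template, value), or None if malformed."""
    values = parse_qs(query_string, keep_blank_values=True).get("img")
    if not values or "|" not in values[0]:
        return None
    template, _, value = values[0].partition("|")
    return template, value


def handle_open(query_string):
    """The original design: whatever text follows the '|' is rendered for anyone who asks."""
    parsed = parse_img_param(query_string)
    if parsed is None:
        return 400, None
    template, text = parsed
    return 200, render_text(template, text)


def handle_hardened(query_string):
    """The revised design: the value must be the id of an existing article; only its title is rendered."""
    parsed = parse_img_param(query_string)
    if parsed is None:
        return 400, None
    template, value = parsed
    if template not in KNOWN_TEMPLATES:
        return 404, None
    if not ARTICLE_ID.fullmatch(value):
        return 400, None          # "Welcome to MalWare Central", "50abc", "-1" all stop here
    title = ARTICLES.get(int(value))
    if title is None:
        return 404, None          # well-formed id, but no such article
    return 200, render_text(template, title)
```

The hardened handler still answers any request for an existing id, so another site can embed the title images; what it removes is the ability to put an arbitrary message on them, which is the incentive the post is concerned with.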


Great idea, but they would still be stealing your bandwidth even though they can't craft the image. Would it be possible via the config file to set a flag that says noExternalRef, and setting this to true would then check if the URL referrer is the same as the URL host? If they are, then display the image; if not, do not create and send the image.


If no_External_Ref Then
    ' UrlReferrer is Nothing when the browser sends no Referer header
    If Request.UrlReferrer IsNot Nothing AndAlso Request.UrlReferrer.Host = Request.Url.Host Then
        ' generate and send the image
    Else
        ' do not create or send the image
    End If
End If
Jon 13 Mar 2006
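The check Jon sketches, written out as an added Python example (not Vine Type's code; the function and parameter names are assumptions) so that the case the sketch leaves open, a request with no Referer header at all, is handled explicitly:

```python
from urllib.parse import urlsplit


def referrer_allows(request_host, referer_header, no_external_ref=True,
                    allow_missing_referer=True, extra_hosts=()):
    """Return True if the image should be generated for this request.

    request_host: the Host header of the image request, e.g. "example.com:8080".
    referer_header: the Referer header value, or None when the browser sent none.
    no_external_ref: the config flag Jon proposes; False disables the check.
    allow_missing_referer: what to do when there is no Referer (see comment below).
    extra_hosts: other hostnames allowed to embed the images (assumed option).
    """
    if not no_external_ref:
        return True

    if not referer_header:
        # Browsers omit Referer on direct loads, under some privacy settings and
        # on https->http transitions, so refusing here also refuses real readers.
        # Allowing it means a hotlinker can strip the header to get through; the
        # check raises the bar rather than closing the door.
        return allow_missing_referer

    referer_host = urlsplit(referer_header).hostname
    if referer_host is None:
        return False  # header present but not a URL we can parse

    # Compare hostnames only (no scheme, port or path), case-insensitively, and
    # require an exact match so "example.com.evil.net" does not pass as example.com.
    own_host = urlsplit("//" + request_host).hostname
    if own_host is None:
        return False
    allowed = {own_host.lower(), *(h.lower() for h in extra_hosts)}
    return referer_host.lower() in allowed
```

The same hostname comparison is what web-server hotlink rules do, which is the server-level setting Carl points to in his reply; doing it there covers every image on the site rather than only the ones ViPR generates.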

Hi Jon.

Yes, I did consider adding a Host/Referrer check but did not include it, and here's why:

I'm guessing that if someone is concerned about this issue, he or she is concerned about all images on their site and not just article headlines.

The user would be better served (pardon the pun) by adjusting settings at the server level. However, I do appreciate you bringing this topic up, and if there are additional calls for this enhancement, I would definitely be open to including it.

Carl Camera 14 Mar 2006