Re: preventing downloading

• To: matt jackson <mattj@indiana.edu>
• Subject: Re: preventing downloading
• From: "Brian W. Spolarich" <briansp@ans.net>
• Date: Fri, 15 Mar 1996 11:11:43 -0500 (EST)
• cc: www-security@ns2.rutgers.edu
• In-Reply-To: <Pine.HPP.3.91.960314155856.11577C-100000@juliet.ucs.indiana.edu>

On Thu, 14 Mar 1996, matt jackson wrote:

> Is it possible to create a Web site where users can view documents but 
> they cannot download or print anything without authorization?
> 
> I know one can use encryption and or passwords to prevent all access, but 
> is it technically feasible to allow access without allowing the user to 
> keep a copy of the document.

  Nope.  For HTML and similar types of content, downloading == viewing == 
printing == saving == browsing.  Its all the same thing.  Essentially the 
user issues a "GET" request to the server for a particular document, and 
the browser displays it to the user when it has been received.  What the 
user decides to do with the document at that point is their own business.

> To reveal my ignorance even further, it seems to me that if one created a 
> new generation of Web browsers that would look for a special code before 
> allowing a "save" or "print" option, this would work.  My more 
> knowledgeable friends say that once the document is in the user's RAM (as 
> required in order to view it in the first place), nothing can stop them 
> from saving or printing it.  Are they right?

  They are correct.

  But, you don't have to put up HTML documents on your web site (although 
that's going to be what most users are going to expect).  Adobe PDF files 
(Portable Document Format) support the ability to determine what a user 
can do with a particular document.  Regions of text, images, and the 
entire document can be locked to prevent printing or selecting.  PDF 
files must be viewed with PDF viewer, and are created with Adobe Acrobat 
Exchange.  You can create PDF files from any application, including 
desktop publishing programs, graphics packages, etc.

  Clients need to be configured to automatically launch the PDF viewer 
when sent a document with the application/pdf MIME type, and servers need 
to know that documents ending in ".pdf" should be sent with the MIME type 
"application/pdf".  Other that that, its pretty easy to implement.

  One way to do this would be to have two copies of each document 
around...one that was "locked" to preventing printing, etc. the other 
that was not.  The user could view the appropriate document based on the 
output of a CGI program, or simply by maintaining two document trees, one 
of which was protected by the Web server's built-in authentication schema.

  I heard rumours of Netscape implementing support for PDF files inline 
in a future release of Netscape Navigator.  I suspect that the Java 
explosion has somewhat delayed that, or perhaps licensing negotiations 
got off track.  I dunno...it was something remember from over a year 
ago, but haven't heard about it since.  

  Hope this helps.

  -brian
--
Brian W. Spolarich - ANS CO+RE Systems - briansp@ans.net - (313)677-7311
	     See Brock acquire.  Acquire, Brock!  Acquire!

• Re: preventing downloading
• From: "G. Foulds" <gfoulds@asel.udel.edu>

• preventing downloading
• From: matt jackson <mattj@indiana.edu>

• Previous: Re: preventing downloading
• Next: Enterprise Security - Extended Deadline
• Index(es):
  • Index
  • Thread