Secure download location
kee nethery
kee at kagi.com
Fri Mar 10 01:04:35 EST 2006
On Mar 9, 2006, at 6:57 PM, Marty Knapp wrote:
> I'm wanting to set up a situation where people can download an
> update of my program via a "download update" menu script, but keep
> the URL from being known. I was tinkering with the revGoURL ftp
> route, but my username and password show up in the browser history,
> which is, of course, not good!
>
> I've been reading the docs about all the URL stuff. I took a look
> at the Tutorials from So Smart Software and I'm getting more, not
> less confused. It seems like there's a lot of options, though the
> difference between them isn't clear to me yet. Basically I need to
> protect myself from people just downloading the software who
> haven't paid, but make it easy for those who have paid to download
> the latest version. Because it's a low-dollar item I can't afford
> to be manually processing stuff - I want my computer & web site to
> take care of 99% (that's why they made computers - right!?).

There are two things to consider. FTP is pretty open. If you give
someone the FTP URL, that IS the FTP URL. It is pretty difficult to
hide that URL. So whatever you do, you have to assume that payees and
non-payees will see the URL.

My suggestion is that you have a web page that is public that
contains some static data. Your app would query that as its download
update. There would be the latest version number in plain text and
some other data that is encrypted. Your app would decrypt the
download data (if it is the paid version assuming there is a
difference between paid and unpaid) and the decrypted data would have
some obscure URL. It would go to the obscure URL to actually download
the latest version. The unpaid version would not be able to decrypt
the information and would thus not be able to see the obscure
download URL. Maybe once a week, move the latest version to another
location and alter the static file to match.

You could have the FTP server require a login with their reg code as
either their user name or their password. I think you could add bad
reg codes to the list on the FTP server and reject them, preventing
them from downloading. I think you can do that in the .htaccess file
on the FTP server.

Summary:
1. have there be a difference between paid and unpaid copies.
2. use that difference to decode a static web page that has the
latest version URL encrypted on it.
3. use the FTP server permissions to prevent pirated reg codes from
getting upgrades.

Kee Nethery
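
The static-page scheme from the reply above, sketched in Python rather than LiveCode as an added example (not code from the thread): a public manifest carries the version in plain text and the download URL sealed so that only a build holding the secret can open it. The manifest field names, the sample URL and the secret are constructed, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import base64, hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(secret: bytes):
    # Independent keys for encryption and for authentication.
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def seal_url(secret: bytes, url: str) -> str:
    """Publisher side: encrypt-then-MAC the obscure URL for the public page."""
    enc_key, mac_key = _subkeys(secret)
    nonce, data = os.urandom(16), url.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def open_url(secret: bytes, blob: str):
    """App side: return the URL, or None on a wrong key or altered blob."""
    enc_key, mac_key = _subkeys(secret)
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < 48:  # 16-byte nonce + 32-byte tag at minimum
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def build_manifest(secret: bytes, version: str, url: str) -> str:
    return json.dumps({"version": version, "download": seal_url(secret, url)})

def check_update(manifest_text: str, installed: str, secret=None):
    """Returns (newer_available, url); url is None for a build without the secret."""
    m = json.loads(manifest_text)
    newer = tuple(map(int, m["version"].split("."))) > tuple(map(int, installed.split(".")))
    return newer, (open_url(secret, m["download"]) if newer and secret else None)

PAID_SECRET = b"constructed-paid-build-secret"  # constructed sample value
SAMPLE = build_manifest(PAID_SECRET, "2.1.0",
                        "ftp://updates.example.com/x7Qp2/app-2.1.0.zip")  # constructed
```

The secret ships inside every paid copy, so the sealed URL is only as private as that binary; the per-user reg-code login on the server remains the control that can actually be revoked.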