Secure download location
kee at kagi.com
Fri Mar 10 01:04:35 EST 2006
On Mar 9, 2006, at 6:57 PM, Marty Knapp wrote:
> I'm wanting to set up a situation where people can download an
> update of my program via a "download update" menu script, but keep
> the URL from being known. I was tinkering with the revGoURL ftp
> route, but my username and password show up in the browser history,
> which is, of course, not good!
> I've been reading the docs about all the URL stuff. I took a look
> at the Tutorials from So Smart Software and I'm getting more, not
> less confused. It seems like there's a lot of options, though the
> difference between them isn't clear to me yet. Basically I need to
> protect myself from people just downloading the software who
> haven't paid, but make it easy for those who have paid to download
> the latest version. Because it's a low-dollar item I can't afford
> to be manually processing stuff - I want my computer & web site to
> take care of 99% (that's why they made computers - right!?).
There are two things to consider. FTP is pretty open. If you give
someone the FTP URL, that IS the FTP URL. It is pretty difficult to
hide that URL. So whatever you do, you have to assume that payees and
non-payees will see the URL.
My suggestion is that you have a web page that is public that
contains some static data. Your app would query that as it's download
update. There would be the latest version number in plain text and
some other data that is encrypted. Your app would decrypt the
download data (if it is the paid version assuming there is a
difference between paid and unpaid) and the decrypted data would have
some obscure URL. It would go to the obscure URL to actually download
the latest version. The unpaid version would not be able to decrypt
the information and would thus not be able to see the obscure
download URL. Maybe once a week, move the latest version to another
location and alter the static file to match.
You could have the FTP server require a login with their reg code as
either their user name or their password. I think you could add bad
reg codes to the list on the FTP server and reject them, preventing
them from downloading. I think you can do that in the .htaccess file
on the FTP server.
1. have there be a difference between paid and unpaid copies.
2. use that difference to decode a static web page that has the
latest version URL encrypted on it.
3. use the FTP server permissions to prevent pirated reg codes from
More information about the Use-livecode