[Discussion] Short Link

Status
Not open for further replies.

Gunz

Chevereto Member
Guys, I want to open a discussion about that:
http://chevereto.com/community/threads/viewer-links-problem.2343/#post-14086

I think it's important to discuss that problem. Privacy is the most important thing for every image host, because if users know that their images can be accessed by everyone, they will never post private/sensitive images.

Now I can go to every site based on Chevereto and see a lot of images by writing
example.com/u
example.com/c
example.com/d
etc.

I think it would be better if the short links started from a 5-character alphanumeric string.

Tell me what you think about it.
Cheers
 
This is a discussion which will go on and on. People complained before so Rodolfo introduced date storage, then people complained about that so he brought in short links and now people are complaining about that. There is no real solution.
 
There is a real solution: example.com/t is a short link; example2.com/5jf83 is still a short link, but more secure.

Keeping the short links as they are now is not good, and we all know it.
 
That is the normal behaviour. The code to generate the IDs uses a crypt salt to generate the ID, and that algorithm can't safely set what you are asking for. It will only set "syyyyy", where "yyyyy" is padding that can be easily noticed. Since the Chevereto source is visible, this algorithm is also visible.

This method can't be changed and is the best method to use because it is the one with the shorter URL. You are complaining now, but the guess of the ID is not consecutive: ID b is not a+1, so that will prevent people from getting a bunch of images uploaded at once. So, if you have more than 28 images the ID will have 2 chars, and so on.

Last, the only way to protect this is by having private images which ask for a password or something like that. This ID method was never introduced with privacy as the top concern, because you can't rely on just a weird ID for private images.
 
I don't care about that, to be honest.

But a good example is my site: http://anony.ws/ Search for anything: http://anony.ws/ab , everything that has two and one word will come up, as it's a lot of images hosted. But meh, idc.

What about an IP search function, to see all images uploaded by an IP, and delete all images uploaded by that IP address if there is any spam?
 
Security shouldn't rely on the URL. It should rely on a flag which asks for permission to view the content; at least that is my way of dealing with this issue.
 
Security shouldn't rely on the URL.


http://demo.chevereto.com/image/CYA
http://demo.chevereto.com/image/CYB
http://demo.chevereto.com/image/CYD
http://demo.chevereto.com/image/CYE

As you can see, anyone can see all of your private photos by changing only one character. I want to store private photos on my server, but this option is really useless. They must be encrypted links, short and long ones. Is there any way to disable the built-in shortlink function? As you can see, this is safer: http://tinyurl.com/9yahx8s
 
Short URL links are not made to ensure privacy. The implementation was designed just to shorten the URL, and the privacy layer is that each public ID is encrypted, meaning that image CYB is not next to CYA in the image table. As I have said before, security or privacy should never rely on just a complex URL; it should rely on granted permissions.

FYI, the public IDs generated by Chevereto are encrypted. And if you check these URLs:
http://tinyurl.com/9yab
http://tinyurl.com/9yad
http://tinyurl.com/9yae
http://tinyurl.com/9yaf
...

Did you notice that all those URLs are actually working? I just took part of the example URL you posted and changed the last letter. This happens because the algorithm just converts alphanumeric to integer (the real ID in the DB) using a reverse encryption with a hash. It is always easier to guess valid alphas when you are in low IDs; that's why you and I have found valid content with ease.

OK, it is way harder to guess a bitly or tinyurl alpha because millions of people use these services, but in a small private Chevereto setup it is much easier, so you are basing your privacy on just being hidden in the crowd... Safe? Not at all.

There is only one way to ensure a bit more privacy, and that is to set a user password and enable the private mode. In that case, enabling a login request in /image/<id> and /<id> could be easily coded by me, and perhaps I should include this in a next release.

If you want even more privacy, the only valid option is to password-protect each file with a different hashed password. That will come someday, but not soon.
 
Thank you for your quick response. As I understand it, your script is not secure for me then, because I'm selling digital codes in my store and every key link needs to have a special link that is not guessable.

Like: http://www.mediafire.com/conv/a95d0cf9f32e132fe47fd661ef0be089f406ba113e890c2b1ba4ea4597d376386g.jpg

I don't need short links, I just need secure image hosting. If you can make better protection on the links, I will buy your script. Or if you have another idea, please share it with me.

Thank you.
 
You can disable the short link feature.

Or you could edit the images table increment value to something like 1 million so the short links will be longer.
 
You can do it with phpMyAdmin: just edit the table chv_images and set the increment value to something very high, like 1 million. So when images are uploaded, instead of starting with the ID "1", it will begin with the number you entered. This will make the encoded URL longer.

Just not very sure if this could affect the site's performance...
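
Added example (not part of the thread and not Chevereto's code): a sketch of why reversibly encoded row IDs are easy to hit on a small site, what raising the auto-increment start changes, and how a random token plus a permission flag compares. The base-62 alphabet, the `Image` record and all function names are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

BASE = 62  # assumed alphabet size (0-9, a-z, A-Z); not Chevereto's real encoder

def encoded_length(n: int) -> int:
    """Characters needed to write the integer n >= 0 in BASE symbols."""
    length = 1
    while n >= BASE:
        n //= BASE
        length += 1
    return length

def guess_hit_rate(n_images: int, first_id: int = 1) -> float:
    """Share of the integers that fit in the current ID length which belong
    to a stored image, when public IDs are a reversible encoding of the row
    ids first_id .. first_id + n_images - 1."""
    last_id = first_id + n_images - 1
    return n_images / BASE ** encoded_length(last_id)

def token_hit_rate(n_images: int, bits: int = 128) -> float:
    """Same share when every image gets an independent random token."""
    return n_images / 2 ** bits

def new_token() -> str:
    return secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG

@dataclass
class Image:  # hypothetical record, for illustration only
    token: str
    owner: str
    private: bool

def can_view(image: Image, presented_token: str, viewer: Optional[str]) -> bool:
    """The URL token only locates the image; the private flag decides access."""
    same = hmac.compare_digest(image.token.encode(), presented_token.encode())
    return same and (not image.private or viewer == image.owner)

if __name__ == "__main__":
    print(f"3000 images, ids from 1:         {guess_hit_rate(3000):.2%}")
    print(f"3000 images, ids from 1,000,000: {guess_hit_rate(3000, 1_000_000):.4%}")
    print(f"3000 images, 128-bit tokens:     {token_hit_rate(3000):.1e}")
```

Raising the start value lowers the hit rate only by lengthening the ID; the IDs in use are still one contiguous range of row IDs, so the permission check in `can_view` is what actually protects a private image.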
 
Is there any way to increase the "image name" character amount too? I see the default is 5 characters.
 
You should use a digital delivery script then; this has nothing to do with the short URL or image hosting. If you want to base your security and privacy on just long URLs... good luck with it.

If you want to sell codes, you should use email delivery, because you will need to ensure delivery to the final client. All the stores that sell codes work this way, and not just because it is more convenient but because it is safer: you ensure just one recipient, and no one can ever guess a code link.
 
I'm already using a digital delivery script and it's automated. But it doesn't store any files, it just sends text. So I need a secure image hosting script. I came here to buy this, but please tell me if I can do these:

1. Disable short link service.
2. At least 10-15 characters encrypted direct link, 5 is unsafe.

I really liked your script, please help me.

Thank you.
 
1. The short link service can't be disabled. You can trick the DB to have long IDs instead.
2. It can be done by hardcoding the source.
 