
How do you protect your web server resources? Use signed URLs


Illustration:
Say you have a public URL for abc.mp4: http://mydomain.com/abc.mp4. It is made available under a pay-per-download subscription. The URL is public and anybody can access it, but there is a business model around it, which is ‘Pay per download’. If everyone is able to download the asset, that is revenue leakage. How should you make it available for download, but only for one download? You want this URL to be invalid after one use.
Answer: Use signed URLs.

Signed URLs are usually short-lived URLs. Servers are designed to deny access once such a URL has expired. It is also possible to attach additional information to a signed URL; what that information is depends on the server in question.

How does it work?
Continuing from the illustration, I define a policy. A policy is simply information that your client application communicates to the server application so that the server can decide the nature of access to the asset. It can be as simple as JSON-formatted text.

For the illustration, call the client app C and the server app S. C creates a policy with information such as ‘Allow_access_to_abc.mp4_18_00_hrs_only_once’. C hashes the policy (creates a digest) with the SHA-1 algorithm, which results in a unique digest, say 123kffsfsfg#$. C then signs the generated hash with its private key; say the generated signature is ‘uuffaffgfgf’.

Note: Hashing any given string results in a unique fingerprint from which you cannot get back the original string. However, the algorithm always generates exactly the same fingerprint for that string. This way, one can be sure that no one has tampered with the information in transit.

Next, C base64-encodes the policy; say this results in ‘AB133444CDFDAAABC37122’. After this, C generates a signed URL:

http://mydomain.com/abc.mp4?policy=Allow_access_to_abc.mp4_18_00_hrs_only_once&hash=123kffsfsfg#$&signature=uuffaffgfgf

At the server side, S receives the URL and verifies the signature using the public key. S is now assured that it is C who signed the hash. Then S base64-decodes the policy and generates the hash, which in this case will be 123kffsfsfg#$. S compares the generated hash with the hash value sent as a parameter in the signed URL. If they match, S knows that no one has tampered with the policy in transit, interprets the policy, and decides the nature of access. S expires the URL after some time and denies repeated unauthorized access.
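
The exchange between C and S described above, as a runnable Go sketch; it is an added example, not code from the original post. It assumes Ed25519 for the key pair and SHA-256 in place of SHA-1, a hypothetical JSON policy (Path, Expires, Nonce) and an in-memory set of redeemed nonces, and S recomputes the digest from the policy it received instead of reading it from a hash parameter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

var b64 = base64.RawURLEncoding

// Policy is a hypothetical JSON policy; the field names are assumptions.
type Policy struct {
	Path    string // resource the link covers
	Expires int64  // Unix seconds
	Nonce   string // unique per link, redeemed once by S
}

// Sign is C's side: hash the policy, sign the digest, append both to the URL.
func Sign(key ed25519.PrivateKey, base string, p Policy) string {
	raw, _ := json.Marshal(p) // cannot fail for this struct
	sum := sha256.Sum256(raw)
	sig := ed25519.Sign(key, sum[:])
	return base + "?policy=" + b64.EncodeToString(raw) + "&signature=" + b64.EncodeToString(sig)
}

// Verify is S's side. u is the request URL; used holds nonces already redeemed.
func Verify(pub ed25519.PublicKey, u *url.URL, now int64, used map[string]bool) error {
	raw, _ := b64.DecodeString(u.Query().Get("policy")) // bad base64 fails the check below
	sig, _ := b64.DecodeString(u.Query().Get("signature"))
	sum := sha256.Sum256(raw) // digest of the policy that actually arrived
	if !ed25519.Verify(pub, sum[:], sig) {
		return fmt.Errorf("signature does not match policy")
	}
	var p Policy
	if json.Unmarshal(raw, &p) != nil || p.Path != u.Path || now > p.Expires || used[p.Nonce] {
		return fmt.Errorf("policy denies access: wrong path, expired, or already used")
	}
	used[p.Nonce] = true
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil) // throwaway key pair; values below are constructed
	u, _ := url.Parse(Sign(key, "http://mydomain.com/abc.mp4", Policy{"/abc.mp4", 1700000600, "n-1"}))
	fmt.Println(u, Verify(pub, u, 1700000000, map[string]bool{}))
}
```

With more than one server, the set of redeemed nonces has to live in storage they all share, otherwise each server would accept the link once.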
