Hi all,
I'm looking for self-hostable web gallery software for my family photos. The most important criterion is that photos are secure and cannot be viewed by others, only by my family members and friends we give accounts to.
I tried a lot of different software and have now found Piwigo, which seems to be my favorite so far; however, after installing it I checked some security stuff and found out that all photos, including private ones, are publicly accessible if people know the URL.
For me this is an unacceptable privacy issue and security risk, as the reason why I don't want to post all my family photos on Facebook is exactly that I don't want other people to be able to see them and/or a company which runs the site to use them for other purposes like Facebook does.
I have googled a little now and found 2 threads in this forum which discuss this topic. So my question now is: is this still a low priority feature, are there some implementations planned, or is there even a temporary workaround available? E.g. storing photos in non-web-accessible directories like you can do in "Gallery"?
If there is nothing in place, maybe anyone can recommend another alternative which does not have this limitation? I know that the possibility that someone finds the URL is low, but this is the internet and nobody knows :) And I simply don't want this possibility to exist and to have to take the risk into account.
Thanks for your help in advance.
Well, if you read the other thread you understood that it is difficult technically (and generates high server load for big galleries).
There are many ways to achieve that but none of them is suitable for all servers.
As you said, if nobody in your family gives the URL there is no chance someone finds it by themselves (there is a random string in the filename if photos are uploaded through the web form or any remote application).
So yes: it's a low priority feature, Piwigo needs many more useful improvements.
About a more secure solution, I don't know any; even on Facebook/Google+, totally private photos are visible by direct link access.
Offline
I know another alternative, but I don't recommend it.
Gallery3 is secure, using .htaccess for every picture access.
I hope that Piwigo will be changed. The feature can be optional for all people who need it.
Offline
mistic100 wrote:
if nobody in your family gives the URL there is no chance someone finds it by themselves (there is a random string in the filename if photos are uploaded through the web form or any remote application).
But if someone posts the URL on a website, the picture will be public and it can be indexed by Google and other search engines.
Is there a function to change the filename for all photos with a new random string?
This can help to reduce the risk.
Offline
Kalle,
Here is a direct link to a 'Small' image created for a gallery in Piwigo.
http://remotetutorials.com/photos/_data … 693-sm.jpg
Try accessing it and you will be asked to login. Login using the e-mail address kalle@ukf.com and password letmein.
When you log in you will go to the gallery main page and you should now be able to view the gallery.
To log out, you go to this page at any time, and you will no longer have access to the gallery.
http://remotetutorials.com/phpmembers/
What I have done is blocked access to the gallery and subdirectories which can only be accessed by registered users - not Piwigo registered users, but people registered in another way using a 'protection' package.
Is that the sort of thing you want?
Last edited by pewe (2013-01-24 20:07:44)
Offline
Yes, that is what I want, but I need compatibility with the community plugin, the Icy Modify Picture plugin and the UserAdvManager plugin.
Offline
That should not be a problem.
The 'protection' is at the main Piwigo root directory level, and once the authorised user is logged in a cookie is set to allow continued access to the directory until they log out.
Once they have access to the Piwigo main page, they then need to 'register' as a user in Piwigo as would be the case if the 'protection' was not there, and you administer them as users in Piwigo in the normal way.
All plug-ins should work as if there was no protection - once they are logged in.
You can download the protection script and try it.
It is here
http://www.phpmembers.com/download.html
take the free version.
Installation instructions are here
http://www.phpmembers.com/installation-guide.html
If you install it to its own directory, it cannot 'break' your Piwigo installation as setting up protection simply puts a configured .htaccess file in the protected directory (in this case the Piwigo root folder) to prevent access to the pages in the directory except to authorised users.
You can remove the protection either using the software admin, or by using ftp to delete the .htaccess file it creates.
Offline
Hi:
On piwigo 2.4.7.
I have the images in a folder outside www, but for a disconnected user (and with $conf['guest_access'] = false;), this URL:
http://localhost/piwigo/i.php?/../image/test.JPG
shows the image from a protected album!
I think that "i.php" should detect if the user is connected.
This (with "i.php"):
http://localhost/piwigo/i.php?/../image/test.JPG
Notice that it is not a direct URL.
Thanks.
Offline
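The check asked for in the post above (an image script that refuses disconnected users and paths containing "/../"), as an added example that is not part of the thread and not Piwigo's i.php. PHOTO_ROOT, the "p" query parameter and the 'user_id' session key are assumptions for illustration; it only checks that a session exists, so a per-album permission lookup would have to be added where the comment indicates.

```php
<?php
// Added example, not Piwigo code. PHOTO_ROOT, the "p" parameter and the
// 'user_id' session key are assumptions chosen for illustration.
const PHOTO_ROOT = '/home/user/photos';        // outside public_html

// Map a client-supplied relative path to a real file under $root.
// Returns the canonical path, or null if it escapes $root or is not a file.
function resolve_photo($root, $requested)
{
    $rootReal = realpath($root);
    if ($rootReal === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks before the comparison.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($full === false || !is_file($full)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

function serve_photo($requested)
{
    session_start();
    if (empty($_SESSION['user_id'])) {          // disconnected user
        http_response_code(403);
        return;
    }
    // A per-album permission check for this user would go here.
    $file = resolve_photo(PHOTO_ROOT, $requested);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file);
    if (strncmp((string) $mime, 'image/', 6) !== 0) {   // only serve images
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($file));
    header('Cache-Control: private, no-store'); // keep out of shared caches
    readfile($file);
}

if (PHP_SAPI !== 'cli') {
    serve_photo(isset($_GET['p']) ? (string) $_GET['p'] : '');
}
```

Every image request then runs PHP and a session lookup, which is the server load the maintainers mention elsewhere in the thread.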
As we already answered
*phpmembers can be bypassed by a simple cookie (but we might use the same system to avoid stupid newbies posting private images)
*currently and to my knowledge only G3 offers such full protection. We don't do this because: that's so heavy for the server, and depends a lot on server specs/settings. And it's heavy for the user because -when I tested- the user was disconnected so many times during the visit
*even massive websites like Fb or Google don't have such a protection: that's not a reason but that's proof that it's not obvious at all
Edit: my advice
Upgrade to 2.5 and set
$conf['original_url_protection'] = 'images';
Then use watermarks and/or don't set too large image size
Offline
Upgrade to 2.5 and set
$conf['original_url_protection'] = 'images';
I see in the config.default file it says
// one of '', 'images', 'all'
//TODO: Put this in admin and also manage .htaccess in #sites and upload folders
$conf['original_url_protection'] = '';
When I do this, .htaccess does not appear in the upload folder, and originals are still accessible - so it does not seem to be implemented yet.
I am using Piwigo 2.5.0RC1.
Last edited by pewe (2013-03-01 03:43:13)
Offline
Hi:
Can I set the path to the folder "_data" outside www?
Last edited by damufo (2013-03-01 15:11:09)
Offline
In the config file it shows
Lines 714 -722:
// the local data directory is used to store data such as compiled templates,
// plugin variables, combined css/javascript or resized images. Beware of
// mandatory trailing slash.
$conf['data_location'] = '_data/';
// where should the API/UploadForm add photos? This path must be relative to
// the Piwigo installation directory (but can be outside, as long as it's
// reachable from your webserver).
$conf['upload_dir'] = './upload';
So you should be able to change its location in the Localfiles Editor by adding something like
$conf['data_location'] = 'new path/_data/';
Offline
flop25 wrote:
*currently and to my knowledge only G3 offers such full protection. We don't do this because: that's so heavy for the server, and depends a lot on server specs/settings. And it's heavy for the user because -when I tested- the user was disconnected so many times during the visit
*even massive websites like Fb or Google don't have such a protection: that's not a reason but that's proof that it's not obvious at all
Don't compare to Fb or Google please, they are commercial and do not have priority on security and privacy.
Offline
In "include/config_default.inc.php"
$conf['data_location'] = '../../_data/';
This does not work when the "_data" folder is outside www.
The problem is that the thumbnails and medium-size photos for synchronized albums are saved in the "_data" folder, and "_data" is public.
http://localhost/piwigo/_data/syncfolder/image.jpg
I'd like to be able to set the folder for thumbnails and medium-size photos outside www.
Is it possible?
I'd like this:
/home/user/public_html/piwigo/_data/synchro_folder...
for
/home/user/_data/synchro_folder
or
/home/user/synchro_folder
Offline
mistic100 wrote:
Well, if you read the other thread you understood that it is difficult technically (and generates high server load for big galleries).
There are many ways to achieve that but none of them is suitable for all servers.
As you said, if nobody in your family gives the URL there is no chance someone finds it by themselves (there is a random string in the filename if photos are uploaded through the web form or any remote application).
Could we talk a little about that "random string in filename"? I could have sworn I used the regular uploader (maybe not), but my main gallery is using image URLs without that random string.
Do non-virtual albums mean that the names will never be randomized? Is the protection of hashed/randomized names something we give up if we populate albums via ftp?
On a related note, the security of this technique interested me, and I found the following response on Quora from a purported Facebook developer about how their CDN considers direct URLs:
Peter Ruibal, Software Engineer, Facebook CDN
Thanks for asking this question. Our whitehat queue gets so many questions that sometimes we don't explain in enough detail. Hopefully this discussion can help serve as an FAQ.
Those additional portions of the image url you mention *are* the authentication for the image. They don't authenticate you but instead authenticate that the url was originally served from Facebook where it was subject to privacy checks. Privacy checks on Facebook only serve the full image url to people you've specified. Essentially, the facebook.com portion of the site uses an Access control list security model while the CDN portion of the site uses a Capability-based security model. Once your friends have the photo, they can save a copy of the photo itself and share that or share the full image url with others -- the two are equivalent for most purposes. I trust my friends to do reasonable things.
You're right that sometimes one of your friends might inadvertently leak the photo fbid without leaking the full image url (e.g., forwarding the page (not image) url not realizing the recipient cannot see the photo). Even with the photo fbid, you have to brute force the remaining portion of the url. That remaining portion has 2**45 combinations that needs to be guessed correctly (that's 35,184,372,088,832 possible values). In the far more common case where someone hasn't leaked the photo fbid, there's many, many more combinations (the photo fbid is a 64-bit number, but because it's not totally random, it adds less than 64 bits of randomness). Also, we just finished a major data migration, so that third field will soon be 63 bits on new photos rather than 31.
Insecure networks and proxies are important but orthogonal to this question about CDN urls. It's definitely worth verifying that you're using https to avoid insecure networks. Most Facebook users are using https, but you can check your "Secure Browsing" settings at https://www.facebook.com/setting...
So why use Akamai or a CDN at all? Why not just serve photos directly from Facebook's servers where they're stored? CDN caches are installed in ISPs' networks close to you so the bandwidth stays local to your ISP and you get the content faster. ISPs can't handle installing separate servers for every popular web site. Instead, they just work with a handful of well-known CDN providers -- and occasionally big companies building their own CDNs.
Frankly it still strikes me as a little crazy security-through-obscurity to never have images really private, even with all the native user management controls in place, but I begin to understand it.
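The capability-URL model described in the quoted answer, taken one step further as an added example that is not part of the thread and is neither Piwigo's nor Facebook's code: the unguessable part of the URL is an HMAC over the path and an expiry time, so a link that leaks stops working after the deadline. Function names, the URL layout and the key handling are assumptions.

```php
<?php
// Added example: function names, URL layout and key handling are assumptions.

// Build a link whose query string proves the server issued it.
function sign_photo_url($path, $expires, $key)
{
    // The MAC covers both path and expiry, so neither can be changed.
    $mac = hash_hmac('sha256', $path . "\n" . $expires, $key);
    return $path . '?e=' . $expires . '&s=' . $mac;
}

// Check a presented link; $now is passed in so the check is testable.
function verify_photo_url($path, $expires, $sig, $key, $now)
{
    if (!ctype_digit((string) $expires) || (int) $expires < $now) {
        return false;                                // malformed or expired
    }
    $expected = hash_hmac('sha256', $path . "\n" . $expires, $key);
    return hash_equals($expected, (string) $sig);    // constant-time compare
}

// Constructed demo values; a real key would be generated once and stored
// server-side, never sent to clients.
$key  = random_bytes(32);
$now  = time();
$path = '/photos/2013/beach.jpg';

$url = sign_photo_url($path, $now + 3600, $key);
parse_str(parse_url($url, PHP_URL_QUERY), $q);

echo "issued link:        ";
var_dump(verify_photo_url($path, $q['e'], $q['s'], $key, $now));
echo "same link, 2h later: ";
var_dump(verify_photo_url($path, $q['e'], $q['s'], $key, $now + 7200));
echo "other photo path:   ";
var_dump(verify_photo_url('/photos/2013/other.jpg', $q['e'], $q['s'], $key, $now));
echo "expiry pushed out:  ";
var_dump(verify_photo_url($path, $q['e'] + 86400, $q['s'], $key, $now));
```

Anyone holding an unexpired link can still view or forward the photo, which is the trade-off the quoted answer describes; the expiry only bounds how long a leaked link stays usable.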