Tips on protecting eGoods

Jon · #11 11-16-2006, 07:04 AM

Yes I mean "above" public_html. So if your path was:
/home/httpd/domain.com/public_html/

You would store the files in:
/home/httpd/domain.com/files/

You'd have to set permissions, change the listed file locations in x-cart, and maybe a few other server configurations for access, but I couldn't say for sure without trying it on your server and making changes until it works.

Warwick · #12 11-16-2006, 07:18 AM

Quote:

Originally Posted by Jon

Yes I mean "above" public_html. So if your path was:
/home/httpd/domain.com/public_html/

You would store the files in:
/home/httpd/domain.com/files/

You'd have to set permissions, change the listed file locations in x-cart, and maybe a few other server configurations for access, but I couldn't say for sure without trying it on your server and making changes until it works.

I see what you mean, I just don't understand it ...

... a bit too technical for me and do you think it is worth the trouble? Do you or somebody else have any experience with this i.e has implemented this to protect egoods?

Jon · #13 11-16-2006, 07:21 AM

It is the ideal method but just putting them in a folder above public_html i.e. /home/httpd/domain.com/public_html/store/files/ will work if you have an .htaccess file in it denying access to the files. It's just a bit less secure because the .htaccess could get overwritten or deleted, etc., opening up the files.

Warwick · #14 11-16-2006, 07:30 AM

Quote:

Originally Posted by Jon

It is the ideal method but just putting them in a folder above public_html i.e. /home/httpd/domain.com/public_html/store/files/ will work if you have an .htaccess file in it denying access to the files. It's just a bit less secure because the .htaccess could get overwritten or deleted, etc., opening up the files.

At this moment when you try to acces my 'http://www.mydomain.com/store/files' it's asking to login to my cpanel which -after me loggin in succesfully- results in a 403 forbidden page error ... secure enough?

Jon · #15 11-16-2006, 07:35 AM

^ Yep.

Warwick · #16 11-16-2006, 07:41 AM

Thanks for the help Jon

carpeperdiem · #17 11-17-2006, 05:10 AM

The reason you want your files under the hood: in case someone or something breaks your htaccess, you still have one line of defense, as it is impossible to get to the goods without a serious breach of server security.

I had a store selling digital goods many years ago (no longer in that business) and we shut down for 3 reasons:

1. our goods were posted to warez sites almost immediately;
2. our site was used by criminals to test credit card numbers -- they never downloaded product... they were simply trying to validate their stolen credit card numbers, then went on to steal from others... the FBI told me this was quite common -- that digital goods stores were used for this;
3. chasing the bad guys became our primary focus, not developing new content

So I shut it down. I licensed the content to another company, and now it's their problem.

Yes, there are better technologies in place today, but short of copy-protecting your goods (serial numbers, dongle, install codes), the server level protections are worthless, if you ask me.

Your products (if popular) will be kracked and uploaded somewhere if not protected.

The idea of restircitng IPs is good. Tracking downloads, etc... all good... BUT if the content is unlocked, you're open to exploitation from the bad guys.

Yeah, I'm angry that these crooks forced me out of business.....

Had I copy protected the content, I'd have had half a chance, as my traffic was substantial. But chargebacks, theft and fraud consumed me and my guys.

Yes, I blocked entire countries and range of IPs. But these crooks would get around that. They had CVV2 codes, exact billing name/address, etc...

Copy-protect your content!!!!!! Don't rely on servers or IP addresses... the honest customer will understand.

PS -- the alternative to copy protection is to NOT provide instant access to the egoods. Don't enable auto-capture... spend time and money manually verifying each transaction... then your anti-fraud processes will work. Unfortunately, if your product costs $15, you can't do that and stay in business.

Warwick · #18 11-17-2006, 05:44 AM

Great feedback carpeperdiem, very useful! I've send you a PM

wjbrewer · #19 11-17-2006, 08:33 AM

Quote:

Originally Posted by carpeperdiem

Yes, there are better technologies in place today, but short of copy-protecting your goods (serial numbers, dongle, install codes), the server level protections are worthless, if you ask me.

Because serials, dongles, and install codes have never been cracked?