Major Overhaul Project (Security Notice)

puravida
Joined: 09/01/2007

This notification is being sent to let you know that we are nearing the roll-out of some major changes that have been planned for a long while. These changes are much overdue. There are several pieces to the first phase and there are multiple phases to this project. Please see this thread for more details and updates.

PROJECT

The overall goal of this project is to overcome several security issues that have been raised over the years. We have held off on making these changes for as long as possible, but rapid growth of our service (and therefore more attention from unscrupulous types) has forced us to finally implement them.

Initially, this project will affect ALL USERS as follows:

  1. The plan to eliminate multiple accounts will be deployed (Read more)
  2. Image requests sent to www.shrinktheweb.com will cease to work.
    All future requests will be required to go to images.shrinktheweb.com
  3. We will also be rolling out the new bandwidth upgrade option, which will most likely be called "Bandwidth PLUS" and most likely cost $9.95/month (Read more).

For all CURRENTLY PAYING users, the effects will be as follows:

  1. There will be some new PRO features & enhancements to existing PRO features
  2. Any active ALL PRO customers will receive those features added at launch (no charge)

For all NON-PAYING users, the effects will be as follows:

  1. All code used by non-paying users will need to be updated
  2. The code update will allow us to more securely control link destination for safety of web surfers
  3. The code update also allows us to show a preview page to web surfers for verification

This project will be rolled out in the following phases:

Phase 1
Basic users will be required to update their code to address security concerns. This will take care of concerns that some publishers do not link to the actual site being shown in the website screenshot. This will also provide a second layer of security by showing a verification landing page to web surfers. This will help curb reports of unethical uses of our service and better protect end-users / web-surfers.

All users will be required to enter at least one (1) website/IP to gain access to the system. Any "Bandwidth PLUS" customer will have the ability to add a virtually unlimited number of domains. No accounts will be allowed to use the same domain as another account, and any existing accounts found in violation of our multiple accounts policy will be BANNED FOR LIFE.

The new bandwidth upgrade ("Bandwidth PLUS") will become available and new PRO feature customers will not receive any bandwidth limit increases as a bonus with the purchase. Instead, ALL bandwidth increases will come from bandwidth-related upgrades and PRO features will be completely separate. Any existing PRO customers will have the following options:

  1. Keep all of the PRO features and limits AS-IS; no changes to billing or services
  2. Trade a PRO feature in for the "Bandwidth PLUS" upgrade (adds shared generator access)
  3. Upgrade to "Bandwidth PLUS" and get an additional bonus (adds shared generator access)

Phase 2
The second phase specifics of this project will remain under wraps for now. We do not want to announce it until we are much closer to deployment.

Phase 3
The third phase specifics of this project have yet to be decided and will be announced at the proper time. Generally speaking, though, this phase will include new PRO features and a couple of existing PRO feature enhancements. We also hope to include some updated "sample code" that is more functional and provides added support.

Fedge (not verified)

It's been a slice. My Web site IS the midpoint jump and layer of "security" for people coming off of Facebook to have a look at where they are going before they actually go there (among other things). That's why it has screen shots. Putting an additional page would be making users do 3 clicks to get from the Facebook news feed to the actual page in question and completely overboard. Thanks for providing the good service while it lasted. I'm sure you are completely overrun by spammers and bandwidth thieves and I can't blame you for cracking down. Unfortunately these are breaking changes for my traffic flow.

puravida

I hear you. While it may be a deal-breaker for some, the minute details on how it will be implemented have yet to be announced. That said, there is a simple way that end-users can disable the preview page but they have to take the action of clicking a link while viewing the preview page. That opt-out is enough for us to know that they don't need the preview and we won't show it to that user again. For sites with lots of repeat visitors, that should alleviate the "unnecessary" preview page for users that already trust your site.

So, part of the purpose for announcing this before launch is so that you can prepare your visitors for the changes, assuming that you stay a free customer of ours. If you upgrade at any point, then you would have the option to show or not to show.

puravida

Here's a quick FAQ I made that shows what the first version of the verification page will look like: STW Preview Verification Page

The "required lock to account" will go into effect on March 26th.

The preview page will probably launch on the same day (to be announced/confirmed), provided that I can find time to overhaul all of the sample links and sample code.

debbrancheau (not verified)

When do we change our code?

puravida

We will announce separately when the code change for basic users is ready to be implemented.

For PRO customers, the change from www.shrinktheweb.com to images.shrinktheweb.com needs to have been completed already (or as soon as possible to avoid service interruption).

puravida

Just a quick update on Phase 1 of this Project:

BACKGROUND
We have a "Lock to Account" feature that will deny any requests from URLs/IPs that you do not list. That has worked very well, for years, to keep dishonest webmasters from stealing credentials, but we are being forced to go a step further by requiring all non-paying accounts to use this feature now. It is necessary in order to guarantee that multiple accounts are not used to steal our own bandwidth. That said, we realize that some users will need more than the currently supported maximum of five (5) referrers. I was always reluctant to implement unlimited referrers because I wasn't sure if the "elegant solution" would be less efficient than just supporting a few referrers.

SUMMARY
I have managed to get the unlimited referrer support working and will begin migrating all listed, allowed referrers to the new method. Once complete, I will begin to enforce the "Lock to Account" for all non-paying users.

An email will be sent to those that have NO referrers listed, so that they have a week to enter at least one (1) referrer into the system. Failure to do so before the change will result in service disruption (i.e. it will show "Account Problem").

GEEK-SPEAK
In testing, it appears that by using best practices (i.e. separating the text field type into a separate table), the time it takes to scan 5 items in "unlimited" support is roughly equivalent to scanning five (5) separate database columns in the primary user field. In cases with fewer than five (5) referrers, it appears to be faster.

In either case, the time is negligible.

For those rare cases where the user has many referrers listed, the delay should still be tolerable and worth having the added security. Paying customers will have the option to disable the "Lock to Account" feature, if they prefer. This is especially helpful when using the "Advanced API" method, because no one would be able to steal your service without knowing your "secret key" credential, which you are able to change if you suspect that it has been compromised.

puravida

To avoid confusion, I have been asked to make a note here:

1. By enabling the "Lock to Account" feature, you are basically denying anyone else the ability to steal your credentials for their site/app.

2. Any domains/IPs that you list in the "Allowed Referrers" box will be the ONLY domains/IPs that will be allowed to make requests using your credentials (when "Lock to Account" is enabled).

So, basically, if you put in your domain (domain.tld) or IP, enable "Lock to Account" and then see that everything is working fine on your site/app, then that's great. It means it is working and you have most likely entered everything correctly.
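The allow-list semantics described in this post and in the "GEEK-SPEAK" note above (a separate referrers table instead of five fixed columns, deny anything not listed), as an added illustration that is not ShrinkTheWeb's own code. The table layout, the fail-closed handling of a missing Referer, and the rule that a listed domain also covers its subdomains are assumptions made for this example.

```python
"""Referrer allow-list check modelled on the "Lock to Account" feature.
Added example, not the site's code; schema and matching rules are assumptions."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# One row per (account, referrer): the "separate table" layout, so an
# account can list any number of referrers instead of a fixed five.
SCHEMA = """
CREATE TABLE allowed_referrers (
    account_key TEXT NOT NULL,
    referrer    TEXT NOT NULL,   -- bare host (domain.tld) or IP literal
    PRIMARY KEY (account_key, referrer)
);
"""

def open_db():
    """In-memory database seeded with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO allowed_referrers VALUES (?, ?)",
        [("acct-123", "example.com"), ("acct-123", "192.0.2.10")],
    )
    return db

def referrer_host(referer_header):
    """Normalized host from a Referer header, or None if it is unusable."""
    if not referer_header:
        return None
    # urlsplit drops scheme, userinfo, port and path; hostname is lower-cased
    host = urlsplit(referer_header.strip()).hostname
    return host.rstrip(".") if host else None

def host_matches(host, allowed):
    """IP literals must match exactly; a domain covers itself and subdomains (assumed)."""
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(allowed)
    except ValueError:
        return host == allowed or host.endswith("." + allowed)

def is_request_allowed(db, account_key, referer_header, lock_to_account=True):
    """Decide whether a request may use this account's credentials."""
    if not lock_to_account:
        return True            # paying accounts may turn the lock off
    host = referrer_host(referer_header)
    if host is None:
        return False           # missing or unparseable Referer: fail closed (assumed)
    rows = db.execute("SELECT referrer FROM allowed_referrers WHERE account_key = ?",
                      (account_key,)).fetchall()
    return any(host_matches(host, r[0]) for r in rows)
```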

puravida

Ok. After 16 hours of working today, I am ready to launch the "Required Lock to Account" feature. I will be going live with the changes in the next hour, because I do not foresee any impact (due to extensive testing). However, I have decided not to "enforce" the change until Saturday night, March 26th at 11:59pm ET.

Until then, there should be no interruption in service, even though the system will technically be running on the new code (just not enforced).

However, several hundred accounts were found to be duplicate accounts and have been BANNED FOR LIFE. So those will no longer work. If you are the owner of one of these accounts, please do not bother contacting us. You will need to find another screenshot provider. Best of luck to ya.

puravida

I have finished testing the new delivery code that is based on "unlimited referrers" support and it appears to be working well. In the next few minutes (3:00pm ET), I will be taking the system offline to implement the changes, which should have no negative impact. If there is any problem, then I will quickly revert back to the old code and troubleshoot the new code.

I will update again once I confirm that all should be working as expected.

puravida

It appears that the world has not ended, so the update looks to be OK.

This was a major change and took awhile to test once LIVE, because there was a problem with the test account that was making the update look broken. However, once that was fixed, everything tested fine. There is still one lingering problem but it only shows on a feature that has not yet been released (part of Phase 1 of this Project) and that issue should not be seen by any current users.

As always, though, if you see any strange behavior, do let us know. Once the issue with the new feature is resolved, we will run through the tests again to be sure there are no negative effects from this new delivery code. If not, then we are on track to lock down all non-paying users next Saturday night, March 26th at 11:59pm ET. That will be the end of multiple accounts, of which many have already been permanently banned.

ShrinkTheWeb® (About STW) is another innovation by Neosys Consulting

©2017 ShrinkTheWeb. All rights reserved. ShrinkTheWeb is a registered trademark of ShrinkTheWeb.