Password protected zip-files

I'm setting up a WooCommerce website to sell fonts, and read about the security of downloadable zip-files. Would creating password-protected zip-files make any sense? The access code to the downloaded file could be sent within the confirmation mail. Pointless? Hassle? Good idea?

Comments

  • I would be inclined to choose the middle option of the three.
    I guess though, it depends on what your overall goal of having a password-protected zip would be (as opposed to a non-password version).

    A thought I also just had: Once the files are unzipped, does that make the password then redundant to the protection? I.e. someone unzips the files using the password, then sends the unzipped font files to a colleague without the need for a password.

    I like the idea, just trying to figure out the reality of it.
  • I don’t see how adding a password does anything but create an unnecessary step for the buyer to deal with. What are you expecting to accomplish by doing this?
  • If you are worried about direct access to the zip files on the server then WooCommerce solves that for you by sending customers links that will let them download the zip file but the physical zip file is not accessible publicly. Depending on what options you chose, the customers can, however, send that link forward to someone else, if the store is set to not require user accounts for accessing downloadable products.

    Rule of thumb: Don't make legit customers' lives more difficult in order to make the lives of bad actors more difficult.

  • Thanks for your output, and I guess I didn't explain my thoughts properly... My concern was the security of downloadable files in WooCommerce, and even if somebody were able to download the font files without paying, they wouldn't be able to open the zip-file without the password.

    I suppose properly set .htaccess files are needed to protect the files from being stolen, if WooCommerce itself is not safe enough.
  • Yes, you can use htaccess files or even host the zip files "outside" the public web folder of your server to prevent direct access. When WooCommerce receives a request to a download link it will look up the order from the database, load the zip file from its secure location on the server and stream it to the customer to download it in their browser. The customer never sees the physical location of the file on the server.

    In terms of the password strength of zip files themselves you get decent protection against someone using methods to guess the password with brute force. The problem is that you have to get the password to your legitimate customer as well. If the assumption is that the access to the zip file is where security is compromised, it will be hard to argue sending a password over email or requiring the customer to log in at the website to access the password will increase your protection. If someone would have access to your server to get the zip files from there, they most likely also have gained access to your database or other location of your password storage.
  • @Jani Paavola honestly, if your font is popular it will be available on pirate sites. There's no way to make it secure from someone who is out to steal it.

    That said, you want some level of security theater to signal to the customer that the fonts have value. So the problem becomes logistical. How can you get the most demonstrative impact with the least amount of friction?

    What we do is provide the zip via a download link they receive in the confirmation email (which is also their receipt). The link expires after 24 hours but we can always reactivate it for another 24 hours.

    I get customers asking years later for the link to be refreshed... so I'd worry about a password for the zip from a support perspective as well. What would you do when they need it again and can't find it? Would you send another zip or would you have the password somewhere? Is it a unique password (more work to retrieve) or not? If not, is it even worth any bother at all?
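    The two mechanisms described in this thread (files kept in a non-public location and streamed after an order lookup; download links that expire after 24 hours and can be reactivated by support) can be sketched as a single minimal handler. This is an added illustration, not WooCommerce's own code: the `DOWNLOADS` table, the token value, the `FONT_DIR` path and the expiry timestamp are all constructed placeholders.

```php
<?php
// Added example (not WooCommerce code): a minimal download endpoint.
// The fonts live OUTSIDE the document root, the URL carries only an opaque
// token, and each token has an expiry that support can extend by updating
// `expires_at` (the "reactivate for another 24 hours" pattern above).
declare(strict_types=1);

// Constructed stand-in for the orders table; a real store queries its DB.
const DOWNLOADS = [
    // token => [file name inside the private directory, expiry as Unix time]
    '3f9c1e7a0b5d4c2e' => ['file' => 'MyFont-Family.zip', 'expires_at' => 1700000000 + 86400],
];

// Private directory, deliberately not under the web root (placeholder path).
const FONT_DIR = '/var/www/private/fonts';

/** Resolve a token to an absolute file path, or null if unknown or expired. */
function resolve_download(string $token, int $now): ?string
{
    if (!isset(DOWNLOADS[$token])) {
        return null;
    }
    $entry = DOWNLOADS[$token];
    if ($now > $entry['expires_at']) {
        return null; // expired: support "reactivates" by raising expires_at
    }
    // basename() strips any directory component, so the stored name can
    // never point outside FONT_DIR even if the table were tampered with.
    $path = FONT_DIR . '/' . basename($entry['file']);
    return is_file($path) ? $path : null;
}

/** Stream the file without revealing its server-side location. */
function serve_download(string $token): void
{
    $path = resolve_download($token, time());
    if ($path === null) {
        http_response_code(404); // same answer for unknown and expired tokens
        echo 'This download link is invalid or has expired. Contact support to renew it.';
        return;
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path); // the browser sees only the token URL, never FONT_DIR
}

serve_download((string) ($_GET['token'] ?? ''));
```

    Because the file is read by the script rather than served by the web server, no .htaccess rule is needed for the font directory itself; the directory is simply not reachable over HTTP.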
  • Alex Visi (edited November 2020):
    The only way to keep your work secure is to not publish it. So it might be more beneficial to focus on a nice experience for people who want to buy your fonts, rather than on those who never will. And conscious pirates are unlikely to make any reasonable profit anyway, since $50 is not worth the risk of being sued.

    There’s also the opposite strategy, “flooding” the search with free trial versions — that somewhat helps against unconscious piracy. Customers will easily try your fonts and buy them, “bypassers” at least will know it’s not free and they should use something else, and pirates will have a harder time finding the full versions.
  • But then you must make an extra effort to make sure that people will understand that it is a free trial version. If somehow they miss reading the warning, most likely they would start to think that it is actually the full version, and therefore decline to buy it because of its limitations.
  • Wouldn’t simply adding “Trial” or “Demo” to the file and menu names be enough for most of them? I guess the only people who can miss that are those who never thought of the concept of trial versions at all. Sure there are some!
  • @Alex Visi No. People don't pay attention. That method leads to lots of violations and enforcement labor for the foundry.