Is there any way to make image uploads private?

I was surprised to find out that uploaded images have public URLs that are visible to the entire internet. Is there any way to limit images to only be available while logged in? One of the biggest reasons I wanted diaspora was as a way to share pictures of my kids without putting them on the open web, but that seems to not be possible with diaspora.

I know I can use something like Mega and share the password via diaspora, but I don’t want my friends and family to have to open a different page and enter a password to see my pictures. I don’t think I can convince them to switch if it’s not convenient.

I run my own pod, so I’d even be okay with just limiting it to any logged in user, but it would be great if it could be limited to specific aspects too. Maybe there is a way to do this that I haven’t discovered.


There is not.

You can limit who can see your posts, and you should do that. Image URLs can’t really be guessed, so just discovering them without having access to the post is unrealistic. There is no point in somehow artificially “protecting” the image files themselves; the people you share the post with can save/reupload/screenshot/… the picture anyway if they want to share it without your permission. Technology can’t enforce social contracts, unfortunately.

“Contents visible to all of diaspora*, but only logged in people” is also not a realistic thing. See this article for the reasoning.


Thank you for the explanation.

Personally I’m not super comfortable with that. I think I will have to look into other applications. For example Friendica appears to have this protection, at least from what I can tell.

It might be more emotion than pure logic, but I just can’t shake how uncomfortable that makes me. The only thing protecting the image is that no one knows what it’s called. I’m sure a bot could be made to take guesses.

And obviously a bot can guess your password too, but passwords can (and should) be changed. With this, once the image is up, its “password” isn’t going to change unless you delete it and re-upload it. So there’s no time limit on guessing the password. And there’s no access control like with a login where you can limit attempts after some number of failures.

Even Facebook, Twitter, Google, etc. “artificially” protect uploads this way. It just feels super wrong to have those uploads publicly visible, regardless of how hard they are to “find”. I don’t think I can make peace with it even if statistically and technologically it would be okay. To me, it’s wrong on principle.

Thank you for your time, I really appreciate it.

The prefix of each image URL is a 10-char hex-digit string unique to each photo and generated by a secure random number generator. “Taking guesses” at 160 bits of randomness would be a giant undertaking - your family photos are not worth that effort for anybody. You could even tell your http server to rate-limit on 404s, but that’s quite frankly not needed in any realistic scenario. :slight_smile:

They do not. This is a URL to an image I just uploaded to Facebook, set to “only visible to me”. Now, that link will probably expire in an hour or so - but that does not change the fact that you can very much just grab the URL and share it with someone. Or, you know, just download it with a different IP and a different user agent:

That’s fine. To me, providing people with a false sense of security is wrong on principle. We’d rather be honest and not build sand castles while telling people they’re buying a house made of concrete.

Good luck with other pieces of software, though. There’s a lot to explore out there, I hope you’ll find something that fits your needs. :slight_smile:

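The reply above argues that blind guessing at randomly named image files is impractical, and mentions rate-limiting on 404s as a belt-and-braces option. The following is an added example, not diaspora* code: a small Ruby check that reads nginx combined-format access log lines and reports client IPs producing a burst of 404s inside a time window, which is what such guessing would look like server-side. The log lines, IPs and image paths are constructed placeholders.

```ruby
require "time"

# nginx "combined" format: ip ident user [ts] "request" status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) /

# Parse one log line into a hash; returns nil for lines that do not match.
def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"),
    status: m[:status].to_i, req: m[:req] }
end

# Return the IPs whose 404 count reaches `threshold` within any `window`
# seconds, using a sliding window over each client's sorted 404 timestamps.
def burst_404_clients(lines, threshold: 20, window: 60)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each do |l|
    e = parse_line(l)
    by_ip[e[:ip]] << e[:time] if e && e[:status] == 404
  end
  by_ip.select do |_ip, times|
    times.sort!
    start = 0
    times.each_with_index.any? do |t, i|
      start += 1 while t - times[start] > window   # drop hits older than window
      i - start + 1 >= threshold
    end
  end.keys
end

# Constructed sample log: one client probing 25 made-up image names in 25
# seconds, plus a normal client with one real fetch and one stray 404.
def sample_log
  base = Time.utc(2024, 5, 1, 12, 0, 0)
  fmt = lambda do |ip, t, path, st|
    "#{ip} - - [#{t.strftime('%d/%b/%Y:%H:%M:%S %z')}] \"GET #{path} HTTP/1.1\" #{st} 0 \"-\" \"curl/8.0\""
  end
  lines = (0...25).map { |i| fmt.call("203.0.113.7", base + i, "/images/#{'%010x' % i}.jpg", 404) }
  lines << fmt.call("198.51.100.4", base + 5, "/images/3f9c1e0a7b.jpg", 200)
  lines << fmt.call("198.51.100.4", base + 9, "/images/missing.jpg", 404)
  lines.shuffle(random: Random.new(1))
end

puts burst_404_clients(sample_log).inspect if $PROGRAM_NAME == __FILE__
```

The flagged IPs are what you would hand to a fail2ban-style block list; on a real pod you would tune the threshold well above the 404 rate that ordinary browsing and federation traffic produce.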

I wish I had your confidence. I might have to think about it some more.

It doesn’t seem artificial to me. You’re not making a guarantee that the image can’t be shared, but I think that users would be surprised to find their images can be accessed without logging in. If you limit access without changing the UI, users aren’t being given any more false security than they may have already assumed they have.

What about packet sniffers? I suppose with HTTPS the request should be encrypted, you would only get the domain.

I really like the project. I want to be comfortable with it. But this is a hard bridge for me to cross. I guess what makes me the most uncomfortable is that it feels so permanent. A password can be changed if you think you’re compromised. This can’t be, unless you want to remove and re-upload everything.

Thanks for putting up with me.

I thought about this as well. So far my conclusion is that the only realistic way to leak photos is getting your browser/computer compromised so these URLs might be intercepted directly or from browser cache somewhere.

Packet sniffing won’t work with HTTPS and if for some reason it does then you are in far bigger trouble as they can just grab your credentials and have access to everything.

There are other platforms that support what you want (e.g. Friendica) but it doesn’t come without problems. Basically it works reliably only when everyone is on the same server. It kind of works with other Friendica servers and it completely doesn’t work with any other platform. And since most people want to share with people on other servers it is a major drawback. But it can work for you if you plan to have your family on the same server.

I still don’t think the way Diaspora (and pretty much everyone else) handles photos is any kind of vulnerability. The only scenario where I can see it coming to your disadvantage is this: you make a limited post with a really, really sensitive image and then someone you shared the post with can use this link in an abuse report or legal complaint (say, send it to your hosting provider) and the link will prove that you do in fact host forbidden content which is publicly accessible.

There is nothing I could say to make you more comfortable. We could spend all week long discussing why I am “right” and you are “wrong”, but the reality is that we’re both right, here. :slight_smile:

This isn’t about any kind of technical issue that can be solved. This is about social norms and your personal feelings, and we can’t really argue about that. If you feel the need to use a platform that somehow protects images from being accessed directly via a URL, then you should look for a platform that does that. No point in using diaspora* if you’re not comfortable with it, there are many choices for you to make!

Quite honestly, I’m not confident in anything at all. I don’t even share private stuff on diaspora* (and I barely share any private stuff in any form online besides actually talking to people in voice chats etc). But everyone is different, and there never will be a “one size fits all” solution here.

For me personally, I found that no matter how much fancy tech I throw at enforcing privacy, the main “violations” happen far outside that realm. Not too long ago, I shared a video of me pulling an espresso shot with a family member. I uploaded that to my own webserver and sent a link, immediately deleting the video after it had been viewed by the target person. Weeks later, I got pinged by another family member telling me I have a nice espresso machine - and I was confused. Turns out that all my technical methods mean absolutely nothing – the original recipient, without thinking, just long-pressed the video on their Android screen, hit “share”, and dumped it straight into a WhatsApp group that apparently parts of the family use. :man_shrugging: If your “data control” is ripped out of your hands that way, you realize that all the fancy tech doesn’t mean too much in the real world. :slight_smile: