Archive for October, 2013

How to defeat the Toronto Star paywall

October 7th, 2013

A paywall is like a firewall, except instead of stopping fires, it stops people who haven’t paid.

At least that’s what it’s supposed to do. So imagine my shock upon discovering — because I like to poke around in web technologies, it’s kind of my job — that the Toronto Star’s newly enacted paywall is built around JavaScript technology.

Now, that might not mean much to most people, but when it comes to paywalls, this is the digital equivalent of leaving the key under the mat!

When you make a request for a webpage, by, say, typing a URL into your web browser, or clicking on any link in any page, that request gets sent to a web server somewhere. The server figures out what page to send you, and then the page appears in your web browser.

I think most people understand that, at some basic level. Few people believe the web pages are already all there inside their computer! (But some people do, oh yes.)

JavaScript is not as well understood by most people. JavaScript is a programming language that is used to make your web browser do stuff. So it’s not part of the web server, it’s part of your own computer, where the web browser resides.

And you can turn JavaScript off.

Therein lies the big snafu for the Toronto Star. I can’t be the first person to comment on this, but it’s so shocking, I had to write about it anyway. The Star has only made this move out of desperation due to falling revenues. This decision is a key part of their financial plan, otherwise they wouldn’t do it. That being the case, you’d think they would set up the security around it properly! You cannot use JavaScript as a reliable security mechanism, because it is essentially under the control of the users, not the web server. Security on the web must be enacted on the server. That’s the most fundamental principle of Internet security. The server should detect who you are, what you have rights for, and then only send you a page if you ought to have it. Instead, they’re sending everyone all the pages, and then asking JavaScript to disable the page after it’s landed in your web browser. Turn off JavaScript, and you’re left with the pages they send you, and no security mechanism concealing them!
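To make the difference concrete, here is an added example (my own illustration, not the Star’s code) of the two designs side by side in Node.js: a handler that sends everyone the full article and relies on a script to hide it, and a handler that checks entitlement on the server before building the response. The session store, cookie names and article text are constructed sample data.

```javascript
// Added example: client-side "hiding" versus server-side enforcement of a paywall.
// Sessions, cookie name and article text are constructed for illustration.
const ARTICLE = {
  teaser: 'Council votes on transit plan.',
  body: 'FULL TEXT: the remaining eight paragraphs of the article.',
};

// Constructed session store: only the server knows who has actually paid.
const SESSIONS = new Map([
  ['sess-paid-001', { user: 'alice', subscriber: true }],
  ['sess-free-002', { user: 'bob', subscriber: false }],
]);

// Parse a Cookie request header into a plain object (no external library).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Weak design, as the post describes: every visitor receives the whole article,
// and an in-page script is expected to hide it from non-subscribers.
function clientSideGate(req) {
  const html = `<article>${ARTICLE.teaser} ${ARTICLE.body}</article>` +
    '<script>if(!window.isSubscriber){document.querySelector("article").hidden=true}</script>';
  return { status: 200, body: html };
}

// Server-side enforcement: the entitlement decision happens before the body is
// assembled, so a non-subscriber's response never contains the text to hide.
function serverSideGate(req) {
  const sid = parseCookies(req.headers.cookie).session;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (session && session.subscriber) {
    return { status: 200, body: `<article>${ARTICLE.teaser} ${ARTICLE.body}</article>` };
  }
  return { status: 402, body: `<article>${ARTICLE.teaser}</article><p>Subscribe to continue.</p>` };
}

// True when a handler's response contains the paid text for the given request,
// regardless of what any script in the page would do after delivery.
function leaksPaidText(handler, req) {
  return handler(req).body.includes(ARTICLE.body);
}
```

A quick way to audit a real site for the same flaw is to fetch an article with a plain HTTP client and search the raw response for text that should be behind the wall; what the browser renders is irrelevant to that check.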

Now, to be fair, trying to set up a paywall without forcing all your users to log in to your website is basically impossible. That’s because there is no persistent, reliable way of identifying everyone visiting a website, unless you make them log in. (It’s a good thing too, because imagine if the Internet did provide a way of reliably identifying people visiting websites without them logging in…the NSA and CSEC wouldn’t need to go to such lengths to spy on everyone.)

But even though it’s hard, if you’re going to bother to try to set up a paywall, and it’s a critical part of your financial plan, then wouldn’t you try harder?! At a technical level, what they’re doing is basically the equivalent of the honour system. What I really don’t understand is why the technical people involved didn’t explain the birds and the bees of Internet security to them. Or maybe the powers that be at The Star don’t care. But if this is their new way of saving their dying business model, how can they not care?