Web3D Security Discussion
 More of this Feature
• Part 2: Sandy says...
 Join The Discussion
"web3d modeling (e-commerce)..."
 Related Resources
• Tutorials
• Web3D Technologies
 From Other Guides
• JavaScript
• Graphics Software

Dateline: January 24, 2001

Every few months on the "big" VRML discussion list (www-vrml@web3d.org) someone brings up the question, "Can I create content that is secure?" and the resulting answers brings forth a religious stream of verbiage. I'd like this article to be a fair presentation of the issues and views of people on both sides of the arguments. I'll present slightly edited versions of posts (edited only for clarity and presentation) and conclude with some suggestions that might lead us toward solutions that might make some progress.

I'd also like to thanks all of the participants for allowing republication of their posts. In addition it should be noted that all of the participants are speaking only for themselves not for any of their employers.

The latest round was sparked by:

At 05:18 PM 1/24/01 +0100, Jan-Olof Janson wrote:

Is it possible to protect VRML files from being edited but still being able to being viewed in the VRML browsers (In the gzip compression maybe?)? I there any "obfuscated" method that generate VRML code that can't be structured by any automatic optimiser?
// Best Regards Jan-Olof Janson, Dynagraph

To which Cindy Ballreich replied:

Jan-Olof, Not only is security not currently possible, It's unlikely to be available anytime in the future. Many people feel that mild security is not useful and unless complete, unbreakable, perfect security can be achieved that we shouldn't even try. Others believe that security is unethical and all VRML files should be accessible to anyone who wishes to view or edit the source.

This discussion always turns to methods of supporting copyright law (such as watermarking). The primary issue is that an open standard (especially one with open-source implementations) means that a determined cracker with the right skills has access to source code and will always be able to get to the data. The text based nature of the basic VRML/X3D file adds to this problem.

My opinion (stated many times here) is that the lack of even mild security has hurt VRML in the past and will continue to do so in the future. I believe it's a factor in the success of some of the proprietary web3d technologies. I'm sorry this hasn't received more attention, but perhaps there's no point. Cindy

CKS responds: There's no point in trying to come up with a purely technological solution, but I wouldn't argue with the importance of discussing the issue.

For instance: what exactly are customers looking to protect. Content, right. And they don't want people to pirate it. But that's not specific enough:

- Does the content have a lifetime? The Superbowl video-feed is worth a lot more during the game than after the game, for example. Copying after-the-fact isn't so much of an issue.

- If the content contains built-in ads (like TV), then the more piracy, the merrier. Any viewer is a good viewer.

- If, like DirectTV, you resell content for money, then you end up with very, very expensive custom hardware. You've got to do this, even if you know it won't always work, because it's your only revenue stream. And you've got a neverending and very expensive battle with the crackers to content with.

- If, like movie studios, you depend on reselling content for long periods of time to great numbers of people, then you end up with things like special edition packages of Gone With The Wind. Everybody already has it on tape, but not everybody has the book + special interviews. (We actually bought one)

- Music videos are so hip they have a lifetime of only a couple of weeks. There's not much time for widescale pirating and distribution.

- Large scale commercial pirating operations are the target of massive international law-enforcement efforts.

- Etc, etc, etc.

In other words, it's not that copyright protection isn't important, it's that there's no silver-bullet technology that will solve the problems. The moral objections come up when copyright holders push for draconian laws that infringe on the rights of everyone in a misguided attempt to exert an impossible level of control. That harms everybody in the long run, including the content producers...


Andy Best chimed in with: I believe it is very important for the large scale commercial development of virtual worlds. If there is no solution on the horizon this will be one factor forcing us to look at other technologies. Some type of author key connected to a particular viewer might be a possibility, although of course by necessity destroying the ability to use different plugins to view the content. - andy --------- andy best co-founder & chief creative officer MEET Factory OY
Clayton C. says: ok so what i see here is:

a) a security paradigm is needed

b) it must be global enough to encapsulate any size of project

c) it wont make vrml a binary format {oh where has the vrml-cbf workgroup gone? }

d) must be able to be on any platform and viewer {conformance}

e) it must be granular enough to protect certain objects while other ones can go right on through

so why not {psuedo code}
SecureTransForm {
acl_passwordfile "level5"
requires valid-user
encrypt_type BlowFish

it seems to me any browser could use this sort of way of providing the encrypt mech so objects could be encrypted

only ones in the securetransfomr would need to be processed like this

of course the main file would contain the encrypt type not good wouldnt need it if everyone used the same one which would be better overall for conformance anywho

which encrypt modules work on all plats & in multiple languages

Oliver Mellet from openworlds adds: We (http://www.openworlds.com) have had similar requests from our customers regarding the integrity of the content that they create, and they generally fall into two broad categories: 1. How can we protect our content from manipulation by third parties? 2. How can we ensure that our content will not be pirated? The first issue is easier to address, using some sort of open checksum system or digital signature system. The second point is considerably more complex, because, as someone pointed out earlier, at some point the data has to be rendered, and is therefore susceptible to piracy. However, any system that seeks to completely eliminate the possibility of piracy is doomed to failure (CSS, SDMI, MacroVision, etc...) for precisely the same reason. So, our goal would be to make it as difficult as possible to intercept and reverse engineer content, eliminating all but the most determined pirates. Having said this, we also don't want to speak for our customers, so we'd like to hear from content creators/providers about what they would find useful. Thanks, Oliver Mellet oliver@openworlds.com
Cindy says: This response is typical of the many discussions we've had on this subject.

A group of potential users with real projects comes to this community with a list of issues and requirements for meeting them. The community's response is that the issues aren't real. This is the wrong answer. There is a profound lack of understanding in this community of the issues surrounding the commercial use of 3D technology on the web. Projects are being lost to other technologies or lost altogether because of these issues. Denying the they exist will not change that. If this community doesn't wish to address these issues (because it doesn't like them, or it doesn't believe them, or whatever reason) it has every right to ignore them. But don't insult the professionals that are coming here asking these questions by telling them that their problems aren't real.

The Facts:

  1. Your concerns and the concerns of your clients are real.
  2. There is no prefect security. If someone (like Christopher) wants to apply enough effort, any security you use will be broken. (But you already knew that, didn't you.) Confidential information should *never* be placed on the web - in any format.
  3. Open Standard/Open Source solutions (like VRML/X3D) will probably not be able to provide the degree of security that you or your clients are asking for. There are too many opportunities for people to take advantage of easily available information to break the security.
  4. Proprietary solutions *may* be able to provide you with enough security to meet your needs. Ask lot's of questions, and question the answers.

Len says:

I guess it is not that the issues don't exist, but that the answers always depend on the requirements as stated. The facts you present are facts. The means depend on the level of protection required (none all the way to abstinence).

Again, a variety of means is applied to open formats:

  1. No protection
  2. Zipping.
  3. No zipping and copyrights in place.,
  4. Zipping and copyrights in place.
  5. Encryption
  6. Binary
  7. Digital signatures (similar to restricted access)
  8. Restricted access and rights to access and redistribution clearly stated.

Any others?

There are also combinations of the above. Complete security is abstinence. After that, only in a closed room and shoot your partner afterwards. On and on, but it comes down to the extent to which one must go to protect that which they want to protect. The means are there. The only agreed on means at this time for VRML is zipping.

Umm... these are pretty much the same answers we've seen in past discussions. Are there new requirements or are customers unhappy with the answers? The binary seems to me to be the only thing VRML doesn't enable. Are you asking for a binary?

Len clbullar@ingr.com

Next page > Sandy says... > Page 1, 2

[Tutorials] [Web3D Technology Comparison] [Virtual Humans]
[Virtual Reality] [Art] [People of Web3D]
[Panoramic Imaging] [FAQs] [Companies]