Slashdot Mirror


Dealing w/ Copying of Online Articles via Open Proxies?

Creosote asks: "Concerns about piracy are no longer just for the big commercial media outfits. JSTOR, one of the major repositories and distributors of online versions of scholarly journals, has been hit by crackers taking advantage of open proxy servers to download about 51,000 articles from 11 JSTOR journals. Even nonprofit academic publishers rely on income from publications to exist, so the spectre of large-scale unauthorized copying is legitimately scary to them. In a letter to librarians and publishers, the president of JSTOR notes that while the 'threat of open proxies has been recognized for some time in the web community...it does not appear that network administrators, librarians, or content providers are aware that organized efforts are being employed to gain unauthorized access to restricted campus resources' through them. I work for a nonprofit publisher (a university press) that will soon be making peer-reviewed digital projects available online, and they can't all be given away for free, so this hits close to home. Are there better solutions than turning into an attack dog, à la the RIAA and the MPAA?"

2 of 34 comments

  1. Secure the origin server properly. by lifeless · Score: 5, Informative

    I'm not sure where focus on IP address issues has come from... but RFC 2616 and RFC 2617 explicitly discuss secure access to WWW entities, and IP addresses are not the key.

    IP address restrictions are of only limited use, due to HTTP's stateless behaviour. As I've noted in another post, chains of proxies will quickly eliminate any IP-based restrictions.

    Some steps that JSTOR could take include adding cache-control headers (must-revalidate comes to mind) to prevent cache hits occurring without the JSTOR servers' knowledge, and thus allow them to perform partial validation on the actual client (i.e. by checking the Via header). Note that checking the Via header is less-than-secure, but better than simply trusting the customer's proxy to be secure.

    Secondly, use authentication - assign a username and password to the content, using (say) Digest authentication, which is proxy friendly. Mark the content as explicitly cacheable with revalidation, and you will get 1 If-Modified-Since request per download from proxies, and be able to check the user details each time. There would be an administrative issue with this, but I'll leave creative approaches to that as an exercise.

  2. Re:Check all allowed IPs from open proxies by aminorex · Score: 5, Informative

    Open proxies are crucial to the survival of political
    freedom.
    It's just a wrong-headed approach to access
    control, filtering by IP. The correct approach to
    access control is to require a controlled token
    to connect. An IP address is not a controlled
    token, and using it as one, as JSTOR does, is
    incompetent web service design.

    --
    -I like my women like I like my tea: green-
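
The origin-side behaviour the two comments describe (Digest authentication as the controlled token, combined with cacheable-with-revalidation responses), as an added Python example that is not part of the original thread or any JSTOR code. The realm, user, password, article body and the HMAC-over-timestamp nonce scheme are assumptions made for illustration.

```python
import hashlib, hmac, re, secrets, time

REALM = "journals"                                   # assumed realm name
USERS = {"campus-lib": "constructed-password"}       # constructed credential store
SECRET = secrets.token_bytes(16)                     # keys the stateless nonces
LAST_MODIFIED = "Mon, 02 Dec 2002 10:00:00 GMT"      # constructed timestamp
# A shared cache may store the article but must revalidate every hit with the
# origin, forwarding the new client's Authorization header (RFC 2616 14.8).
CACHE = {"Cache-Control": "must-revalidate, max-age=0", "Last-Modified": LAST_MODIFIED}

def md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def eq(a, b):                                        # constant-time string compare
    return hmac.compare_digest(a.encode(), b.encode())

def new_nonce():
    ts = str(int(time.time()))
    return ts + "-" + hmac.new(SECRET, ts.encode(), "sha256").hexdigest()

def nonce_ok(nonce, max_age=300):
    ts, _, mac = nonce.partition("-")
    good = hmac.new(SECRET, ts.encode(), "sha256").hexdigest()
    return eq(mac, good) and time.time() - int(ts) < max_age

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 3.2.2.1 with qop=auth; the password itself never crosses the proxy
    return md5(md5(user, REALM, password), nonce, nc, cnonce, "auth", md5(method, uri))

def digest_ok(method, uri, auth):
    f = dict(re.findall(r'(\w+)="?([^",]+)"?', auth))
    try:
        want = digest_response(f["username"], USERS[f["username"]], method, uri,
                               f["nonce"], f["nc"], f["cnonce"])
        return f["uri"] == uri and f["qop"] == "auth" and nonce_ok(f["nonce"]) \
            and eq(want, f["response"])
    except KeyError:
        return False

def handle(method, uri, headers):
    if not digest_ok(method, uri, headers.get("Authorization", "")):
        chal = f'Digest realm="{REALM}", qop="auth", nonce="{new_nonce()}"'
        return 401, {"WWW-Authenticate": chal}, b""
    if headers.get("If-Modified-Since") == LAST_MODIFIED:
        return 304, CACHE, b""       # lets the proxy serve its cached copy to this user
    return 200, CACHE, b"(article bytes)"
```

A revalidation relayed through a proxy without valid credentials gets a 401 here instead of the 304 that would release the cached copy.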