paperlined.org
apps > .porn

document updated 15 years ago, on Oct 27, 2008

Hotlinking is subject to an ongoing arms race. The current situation is that all well-admined websites block fuskers via .htacess, and not many end-users are taking things to the next level, so most top-level commercial websites don't see the need to implement the next level either.

However, it's not difficult to look ahead a few gambits and see what will happen as things progress.

General hotlinking

fuskers

Referer checking

.htaccess, mod_rewrite

Referer blanking

Video players outside of the browser usually don't pass a referer. (e.g. if passed a playlist)
Most browsers have SOME way to disable sending the referer.

Referer spoofing

Require each IP to load HTML before loading JPG/MPG

Set a cookie in HTML response, require it before JPG will load

unsure if this has been implemented yet, either in-house or COTS

Use AJAX or <iframe> to fetch and throw away HTML, then display images

unsure if this has been implemented yet, either in-house or COTS

Keep HTML URL static, but constantly rotate JPG/MPG URL

only in-house solutions so far, no COTS solutions yet?

Make the JPG/MPG URL be different for each client-IP

may not have been implemented yet... requires some mod_rewrite hacking, particularly if you want to hash the IP

Client-side javascript that fetches HTML via AJAX, and extracts the image URLs

probably hasn't been implemented yet... rotating JPG/MPG URLs are complicated enough that very few sites have implemented them

Other factors affecting each side:

End-users own their machines, and so have ultimate control of what HTTP requests are sent out. (even if mainstream browsers are reluctant to include anything like referer-spoofing, lower-profile groups can write plugins that provide end users ultimate control of their end)
Caching (both browser-side and intermediate hosts) means that servers don't always get the full picture of exactly what each client is doing. This sometimes limits the decisions that can be made using per-client statistical analysis. (though caching can be reduced/eliminated (at the server's expense), and javascript can be made to ping the server every time a page is loaded, regardless of caching)

Possible endgames:

users rely on P2Ping site rips, rather than hotlinking, since that provides higher-quality content (already happening)
paysites reduce FHGs, and try to serve most content behind password-protected walls (attempted somewhat with TGP2, didn't seem too popular)
[for larger, more law-abiding paysites] paysites address hotlinking sites as they now do P2P sites... start complaining about copyright theft, and turn to legal (rather than technical) means to diminish the impact of hotlinking sites
[for international, less-concerned-about-laws paysites] because "turnabout is fair play", hotlinking sites find themselves increasingly DDOS'd, with the intent of making it unaffordable to run a hotlinking website