Security
Caribou protects your memberships, products, passwords, product downloads, and site content (articles, pages, galleries, file downloads, etc.) in several ways. This section explains each of those protections and where their limits are.
Content is accessible only to specific usergroups
You can restrict access to almost any component of Caribou to specific usergroups. The check is enforced on the server for every request, so client-side tricks (editing the page, disabling JavaScript, guessing URLs) do not get around it; in practice the only way for a non-subscriber to reach restricted content is to borrow a subscribed user's login. Shared logins can be spotted by reviewing that user's Login History in the control panel. When a subscription expires, the user is removed from the subscriber usergroup and loses access to the restricted content.
File uploads are protected from direct access
All file uploads, whether for downloadable store products or regular content items, are protected from direct access. Caribou saves each uploaded file under a protected filename and, through the .htaccess file read by your web server, denies all direct requests for it. The only way to download the file is through a proper Caribou link, which subjects the user to the same usergroup restrictions as any other content item. Product download links can only be used twice before they expire. Note that this protection relies on your web server honouring .htaccess rules (on Apache, AllowOverride must permit them); if the upload directory is served by a configuration that ignores .htaccess, the files are exposed.
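The following is an added example that is not Caribou's own code; it models the two mechanisms described above (usergroup restrictions with subscription expiry, and protected uploads reachable only through a download link that expires after two uses) so the order of the checks is visible. All names (User, Content, store_upload, serve_download, the "protected" directory) and the sample data are constructed for this illustration; the .htaccess rule is quoted in a comment as an assumption about what the web server would be told.

```python
import os
import secrets
import tempfile
from dataclasses import dataclass, field

# Added example, not Caribou's code. Uploads live in a directory the web server
# refuses to serve directly; the assumed .htaccess in that directory would hold
# one rule:  Require all denied   (Apache 2.4; "Deny from all" on Apache 2.2)
UPLOAD_DIR = tempfile.mkdtemp(prefix="protected_uploads_")

MAX_DOWNLOAD_USES = 2  # the page states product links expire after two uses


@dataclass
class User:
    name: str
    # usergroup name -> subscription expiry (Unix time); lapsed groups grant nothing
    memberships: dict = field(default_factory=dict)

    def active_groups(self, now):
        return {g for g, expiry in self.memberships.items() if expiry > now}


@dataclass
class Content:
    title: str
    allowed_groups: frozenset  # empty set: nobody can access


def can_access(user, content, now):
    """Server-side check: deny by default, only currently active groups count."""
    if user is None:
        return False
    return bool(user.active_groups(now) & content.allowed_groups)


@dataclass
class Upload:
    stored_name: str      # random name on disk, unrelated to the client's filename
    original_name: str
    content: Content


def store_upload(original_name, data, content):
    """Save bytes under an unguessable name; the client-supplied name is never used on disk."""
    stored = secrets.token_hex(16) + ".bin"
    with open(os.path.join(UPLOAD_DIR, stored), "wb") as f:
        f.write(data)
    return Upload(stored, original_name, content)


@dataclass
class DownloadLink:
    token: str
    upload: Upload
    uses: int = 0


LINKS = {}  # token -> DownloadLink (a database table in a real deployment)


def create_download_link(upload):
    token = secrets.token_urlsafe(32)
    LINKS[token] = DownloadLink(token, upload)
    return token


def serve_download(token, user, now):
    """The only route to a file. Returns (status, file_bytes_or_None).

    The access check runs before the use counter is incremented, so a denied
    request does not burn one of the two permitted downloads."""
    link = LINKS.get(token)
    if link is None:
        return "not_found", None
    if link.uses >= MAX_DOWNLOAD_USES:
        return "expired", None
    if not can_access(user, link.upload.content, now):
        return "forbidden", None
    link.uses += 1
    with open(os.path.join(UPLOAD_DIR, link.upload.stored_name), "rb") as f:
        return "ok", f.read()


def demo():
    """Walk one product through the rules; returns (upload, list of outcomes)."""
    now = 1_700_000_000  # constructed "current time"
    product = Content("Ebook", frozenset({"subscribers"}))
    upload = store_upload("ebook.pdf", b"%PDF-1.4 constructed sample", product)
    member = User("alice", {"subscribers": now + 30 * 86400})
    lapsed = User("bob", {"subscribers": now - 1})  # subscription already expired
    token = create_download_link(upload)
    return upload, [
        serve_download(token, None, now),             # guest: forbidden
        serve_download(token, lapsed, now),           # lapsed: forbidden
        serve_download(token, member, now),           # ok, use 1
        serve_download(token, member, now),           # ok, use 2
        serve_download(token, member, now),           # expired
        serve_download("guessed-token", member, now), # not_found
    ]
```

Two points the code makes that the prose only implies: the file on disk never carries the uploader's filename, so there is nothing meaningful to guess even if the deny rule fails, and a forbidden or unauthenticated request must not consume one of the two permitted uses, otherwise a guest who finds a link could exhaust it before the buyer downloads.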
If you upload streaming FLV files as content items, however, Caribou cannot stop a user from saving the video. To play immediately instead of waiting for the whole file to load, the player must fetch the file directly, so anything the browser can stream the user can also capture with readily available tools. Obscurity is the only obstacle here, and it deters only casual users; many never try, but do not count on that as a security control.
Passwords are stored securely
At no time will you see a user's or administrator's password in Caribou, because passwords are not stored as plaintext in the database; only password hashes are. When a user logs in, the submitted password is run through the same hashing process and the result is compared with the stored hash. Why store hashes? A hash is one-way: recovering the password from it means guessing candidates and hashing each one, which is only expensive when the hash is salted and deliberately slow and the password is not trivially guessable. So if someone gets a copy of your database, they are left with hashes rather than the real passwords of you and your members. Weak passwords can still be recovered by brute-force guessing against those hashes, so hashing is no substitute for strong passwords.
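As an added example (not Caribou's code, and not a statement of which algorithm Caribou uses), here is the hash-then-compare flow described above using a salted, deliberately slow hash from the Python standard library (PBKDF2-HMAC-SHA256). The iteration count, the `scheme$iterations$salt$hash` record format and the `login` helper are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not Caribou's code. Parameters below are illustrative assumptions.
ITERATIONS = 200_000   # slows offline guessing; tune so one hash costs ~100 ms on your server
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (hex fields).

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables for the bare hash are useless."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        stored = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False  # malformed record: fail closed rather than accept
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, stored)


def login(users: dict, username: str, password: str) -> bool:
    """What a login handler does with the stored record: verify, never decrypt."""
    record = users.get(username)
    if record is None:
        # Do the same work for an unknown user so response time does not reveal
        # which usernames exist.
        hash_password(password)
        return False
    return verify_password(password, record)
```

The record never contains the password, and verification only ever recomputes the hash, which is why an administrator cannot look passwords up. Note what the slow, salted construction buys: an attacker with the database must spend ITERATIONS hash computations per guess per user, instead of one fast unsalted computation that can be looked up in a precomputed table.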
Credit card information is never stored in Caribou
Storing credit card information sounds simple, and like something that would make auto-recurring billing available for every gateway. However, storing card data raises serious legal and contractual issues, chief among them PCI DSS compliance (the security standard mandated by the card brands, including MasterCard and Visa). Once card numbers touch your server, your storage, code and business operations fall within the scope of that standard, and validating compliance is expensive and time-consuming. So Caribou never stores card data; auto-recurring payments use your gateway's own recurring-billing features. CVV2 codes (the 3-4 digit code printed on the card) are never stored on your server in any form: the card brands prohibit retaining them after authorization.
