OmniTrust Security Systems Inc.s Protected Browser, released last month, provides DRM-like protection for Web pages, making it impossible to save, print, e-mail or even screen-capture protected Web pages. Protected Browser does what it sets out to do, but eWEEK Labs found that its strict protections, lack of configuration options and limited platform support greatly diminish its appeal. In most cases, companies would be better off converting content to Adobe Systems Inc.s Acrobat or Microsoft Corp.s Word and using standard digital rights management products, which provide greater flexibility and fine-grained access controls.OmniTrusts Trustee for Portals product offers protections similar to those in Protected Browser, as well as auditing capabilities and increased management options, company officials said. The absence of tracking capabilities is especially problematic because even the strongest protection can be defeated with a digital camera or even pen and paper. In these cases, knowing who viewed what is often the only way to learn how sensitive content left the company. Protected Browser is easy to deploy quickly throughout a company. The product deploys as a server plug-in to Microsofts IIS (Internet Information Services) Web server and to Apache. Protected Browser is priced at $25 to $50 per client seat, depending on the number of seats, with server-based pricing available. Product management is basic: We selected the Web pages on our server that we wished to protectand that was it. For each page, the option is protect or dont protect, with no granular options to provide additional rights. When a page is protected, it can be viewed only if page visitors download the Protected Browser plug-in. Once this is installed, users can view the page but cannot save it, print it or view source code. The plug-in also blocks screen-print and screen-grabber programs. If Protected Browser detects a remote control application running, it will cease to show the protected Web page. This is strong protection, but it can also be a problem because many companies use these programs for help desk support. Using the server configuration tool, however, we could define a list of potential rogue applications that we wanted to allow. One potentially big problem is that the plug-in works only on Windows systems using IE (Internet Explorer). This means anyone using another operating system or another browser cant view protected content. Another weakness in the product is that the screen-grab blocking goes too far, blocking it completely. Once we viewed a protected page, we were unable to use the Print Screen option to get a screen grab in any Web page or application. Print Screen worked only when we shut down IE. Labs Director Jim Rapoza can be reached at firstname.lastname@example.org. Check out eWEEK.coms Developer & Web Services Center at http://developer.eweek.com for the latest news, reviews and analysis in programming environments and developer tools.
Protected Browser could prove useful in cases where sensitive content is delivered through dynamic Web pages to low-level stafffor example, phone-based order acceptance. But even when used for this purpose, the product has critical weaknesses. Although Protected Browser can limit use of content to view-only, it cant track who has viewed which content, a feature found in most DRM products and one that is vital to regulatory compliance.