Secure file download via HTTP
mark at livecode.com
Fri Nov 4 09:25:07 CET 2016
On 2016-11-04 08:02, Peter Bogdanoff wrote:
> 1. Am I right that someone could, maybe by a man-in-the-middle
> process, grab a URL and use that again later?
HTTPS prevents man in the middle attacks as long as your client verifies
the server side certificate which is sent - i.e. you must not turn off
> 2. HTTPS would encrypt the at least the directory and filename in the
HTTPS is HTTP over SSL/TLS - which means that the underlying data
transport (sockets) is secured end to end. This means that the entire
content of the HTTP request is encrypted - in theory only the server
receiving the information is able to decrypt it.
> 3. Could someone grab that encrypted stream of data and reuse it in
> its encrypted form to download the file anyway?
It is possible that someone could 'snoop' on the encrypted stream of
traffic (they are just packets going over the network, after all) -
however, SSL/TLS is designed to ensure that unless you are the client or
the server then it is not possible to decrypt the traffic. (This is not
true if the connection is suffering a man-in-the-middle attack - which
is what SSL certificate verification ensures cannot happen).
> 4. For better security, would I need to use some form of
> authentication to allow only users of my app to access the server?
Yes - this is required. SSL/TLS is not a means of authentication, only
end-to-end encryption. Any client can connect to an HTTPS server so as
part of the request you need to provide authentication details so that
the server can verify the client's access entitlement.
> Anyone have any advice on this or can point me in a direction?
Using HTTPS with SSL verification on and a suitable authentication
scheme should be sufficient for your needs. Using HTTPS (rather than
HTTP) means that no-one can intercept the data which flows between your
client and server; and using authentication means that the server will
not server files to anyone who doesn't have the appropriate credentials.
- HTTPS is HTTP over SSL/TLS which means that the entire conversation
between client and server is encrypted.
- As long as you have certificate verification on, then it should be
virtually impossible for anyone to decrypt any part of the conversation.
- HTTPS does not give you authentication just encryption, you still
need to use some sort of access credentials to ensure that your HTTPS
server only serves files to your registered clients.
As an addendum it is perhaps worth pointing out that the security of
HTTPS is maintained even through proxy servers - the proxy server sees a
small amount of plain-text at the start of a connection (basically -
please make this a secure stream) but after that point everything is
encrypted between the actual client and the server so whilst the proxy
might 'see' the data flowing through it, it is no better position than
something else snooping the packets which are flowing on the network.
Hope this helps!
Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps
More information about the use-livecode