Secure file download via HTTP

Mark Waddingham mark at livecode.com
Fri Nov 4 04:25:07 EDT 2016 

On 2016-11-04 08:02, Peter Bogdanoff wrote:
> 1. Am I right that someone could, maybe by a man-in-the-middle
> process, grab a URL and use that again later?

HTTPS prevents man in the middle attacks as long as your client verifies 
the server side certificate which is sent - i.e. you must not turn off 
SSL verification.

> 2. HTTPS would encrypt the at least the directory and filename in the 
> URL?

HTTPS is HTTP over SSL/TLS - which means that the underlying data 
transport (sockets) is secured end to end. This means that the entire 
content of the HTTP request is encrypted - in theory only the server 
receiving the information is able to decrypt it.

> 3. Could someone grab that encrypted stream of data and reuse it in
> its encrypted form to download the file anyway?

It is possible that someone could 'snoop' on the encrypted stream of 
traffic (they are just packets going over the network, after all) - 
however, SSL/TLS is designed to ensure that unless you are the client or 
the server then it is not possible to decrypt the traffic. (This is not 
true if the connection is suffering a man-in-the-middle attack - which 
is what SSL certificate verification ensures cannot happen).

> 4. For better security, would I need to use some form of
> authentication to allow only users of my app to access the server?

Yes - this is required. SSL/TLS is not a means of authentication, only 
end-to-end encryption. Any client can connect to an HTTPS server so as 
part of the request you need to provide authentication details so that 
the server can verify the client's access entitlement.

> Anyone have any advice on this or can point me in a direction?

Using HTTPS with SSL verification on and a suitable authentication 
scheme should be sufficient for your needs. Using HTTPS (rather than 
HTTP) means that no-one can intercept the data which flows between your 
client and server; and using authentication means that the server will 
not server files to anyone who doesn't have the appropriate credentials.

To summarise:

    - HTTPS is HTTP over SSL/TLS which means that the entire conversation 
between client and server is encrypted.

    - As long as you have certificate verification on, then it should be 
virtually impossible for anyone to decrypt any part of the conversation.

    - HTTPS does not give you authentication just encryption, you still 
need to use some sort of access credentials to ensure that your HTTPS 
server only serves files to your registered clients.

As an addendum it is perhaps worth pointing out that the security of 
HTTPS is maintained even through proxy servers - the proxy server sees a 
small amount of plain-text at the start of a connection (basically - 
please make this a secure stream) but after that point everything is 
encrypted between the actual client and the server so whilst the proxy 
might 'see' the data flowing through it, it is no better position than 
something else snooping the packets which are flowing on the network.

Hope this helps!

Mark.

-- 
Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps

More information about the use-livecode mailing list