0

This seems like something that should be easy to find, but I've tried every combination of search terms I could think of and all I could find were answers that were "close but no cigar". After spending over half an hour looking, I finally decided to ask.

What I am trying to do, explicitly worded, is to ensure that the files my users upload to or download from my web pages are encrypted during the transfer. I am not satisfied with just throwing https:// onto the beginnings of the file's links because these files need to be password protected. In order to password protect them, of course, I have set the directory permissions such that the files inside cannot be accessed via URLs at all. I am using a PHP script to manage the uploads and downloads.

I have tried checking the php.net pages on topics like headers() and mcrypt_encrypt() and have come up empty-handed. The page on headers() appears to apply to HTTP only and doesn't tell me how to use an encrypted protocol for a file download (if that's the way one does it) and I can't use mcrypt_encrypt() relying on the assumption that mcrypt_decrypt() can just be run later to make the files usable because obviously mcrypt_decrypt() can't be run client-side after a download (nor can mcrypt_encrypt() be run client-side before an upload), so I am left wondering what method I would use to ensure that the users' browsers will be able to encrypt and decrypt these files in a way that requires no action from the user - the same way everything else is encrypted and decrypted.

I'd like to assume that the fact that I am enforcing https on these web page URLs will automatically take care of it the way it takes care of the web page output. However, I do observe that files with separate file paths like images and CSS are not automatically encrypted, and that the code I'm using to trigger those file download boxes contains header information, implying that it's a separate transaction, and perhaps not encrypted.

I have really, really thought about this from a whole bunch of angles and I'm just not seeing the solution. Anyone want to help me?

faerie

1 Answer

0

Use HTTPS for secure (encrypted) delivery of data. Store the files in each user's folder as you're doing, and only allow access after authentication (over HTTPS).

The reason you're having a hard time finding another solution is because HTTPS is the solution.

If you want to store the files encrypted on the disk, you can encrypt them with a symmetric block (stream) cipher as they're uploaded and do the reverse as they're downloaded. You could use a secret key that's unique per user as the symmetric key.

Marcus Adams
  • How exactly do I ensure that the file download / upload is using HTTPS rather than HTTP? I just did a search for these terms: php "file transfer" HTTPS php "file transfer" "HTTPS protocol" ...and got things like someone talking about downloading a backup with wget and someone talking about downloading secure files with CURL, but after five pages of results, I still don't see instructions for how to specify that the HTTPS protocol be used for file uploads / downloads from a web page. – faerie Oct 19 '13 at 03:03
  • @faerie, http://stackoverflow.com/questions/85816/how-can-i-force-users-to-access-my-page-over-https-instead-of-http – Marcus Adams Oct 19 '13 at 16:48
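
As an added example (not code from the question or the answer above), here is a minimal PHP download handler for the setup described: the file body is written into the same response as the request, so when the script's URL is requested over https:// the download travels over that TLS connection. `SITE_HOST`, `STORAGE_ROOT`, the `user_id` session key and the `file` query parameter are assumed names for illustration.

```php
<?php
// download.php: added example. SITE_HOST, STORAGE_ROOT, 'user_id' and 'file' are assumed names.
declare(strict_types=1);

const SITE_HOST    = 'example.com';          // assumed canonical host name
const STORAGE_ROOT = '/srv/private-uploads'; // assumed path, outside the web root

// True when the request reached PHP over TLS. Behind a TLS-terminating proxy this
// flag may be unset; check the proxy's trusted forwarding header there instead.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Resolve a requested name inside the user's own folder; null if missing or outside it.
function resolve_user_file(string $root, string $userId, string $name): ?string
{
    $dir = realpath($root . '/' . basename($userId));
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . '/' . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    return strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) === 0 ? $path : null;
}

if (!request_is_https($_SERVER)) {
    // Never send file bytes over plain HTTP: redirect to the HTTPS URL and stop.
    header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// The session cookie is marked Secure so the browser never sends it over plain HTTP.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

$path = resolve_user_file(STORAGE_ROOT, (string) $_SESSION['user_id'], (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path); // body goes out on the same (TLS) connection as the request
```

An upload form works the same way: when its `action` URL is https://, the browser encrypts the POST body, file included, before it leaves the client.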