
Goal: to download archives from a website (ordinary hosting). A user must know nothing about the downloading, the connection, or the file storage on the website.

I use idHTTP+SSL to download archives. But the user can access the website -> I can set Basic Authentication, but the user can see the user name/password, e.g. in HTTP Analyzer.

The program downloads a file with settings. The settings are in the form of plain text. This text can be seen in HTTP Analyzer too.

I can encrypt this text, but what about the archives? I need to secure everything at once.

Therefore I do not want the user to be able to see the web address of the archives and the settings file. It can be pasted into a web browser -> please download everything...

How to prevent all this?

Thanks!

maxfax
  • HTTPS + Basic Auth is a good start - "Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password." - http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq – mjn Jul 14 '11 at 13:38

1 Answer

I assume "ordinary hosting" means the usual PHP/Perl hosted site where you can't really run arbitrary software or make significant site-wide configuration changes. I'd take the following steps:

  • Configure the folder where your archives and "text file" reside to only accept HTTPS connections, then make sure you only connect using HTTPS: "HTTP Analyzer" (or any analyzer, for that matter) will no longer be able to see your traffic.
  • Give your archives meaningless names (GUIDs?), so there's no way for the user to just enter a file name into the browser and download that. You'll need to "map" the actual file names to the GUIDs using your TXT file.
  • For extra points, replace the "TXT" file with a script that authenticates your application before providing the actual data. Even a simple salted hash of the current date and time would be enough to deter most users.

Of course, I expect this question to be followed up with other questions, some on ServerFault, some here on SO:

  • How do I block plain HTTP access to a folder using [name your server software]?
  • How do I authenticate my application so an ordinary browser can't download my TXT file?
Cosmin Prund

Thanks! The most important -> SSL does not work... http://stackoverflow.com/questions/6690184/delphi-idhttpssl-does-not-work-no-errors – maxfax Jul 14 '11 at 15:17
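The answer's second and third steps (GUID file names handed out by a script that first checks a salted hash of the current time) worked through as an added example; this is not code from the answer or from the asker's Delphi program, and it is in Python for illustration rather than the PHP/Perl such a hosted site would actually run. The shared salt, the five-minute window, the archive names and the GUIDs are all constructed for the example.

```python
import hashlib
import hmac

# Secret shared by the client binary and the server-side script.
# Constructed placeholder for this example; a real deployment picks its own.
SHARED_SALT = b"example-shared-salt-change-me"
# A token is tied to one time window of this many seconds.
WINDOW_SECONDS = 300

# Constructed mapping from the names the client asks for to the
# meaningless GUID file names that actually sit on the server.
ARCHIVE_MAP = {
    "reports-2011-07.zip": "3f2504e0-4f89-11d3-9a0c-0305e82c3301.bin",
    "updates.zip": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d.bin",
}


def make_token(now: float, window_offset: int = 0) -> str:
    """Client side: keyed (salted) SHA-256 over the current time window.

    window_offset is only used by the server to compute neighbouring windows.
    """
    bucket = int(now // WINDOW_SECONDS) + window_offset
    return hmac.new(SHARED_SALT, str(bucket).encode(), hashlib.sha256).hexdigest()


def token_is_valid(token: str, now: float) -> bool:
    """Server side: accept the current window and one on either side so a
    slightly skewed client clock still works; compare in constant time."""
    return any(
        hmac.compare_digest(token, make_token(now, offset))
        for offset in (-1, 0, 1)
    )


def lookup_archive(token: str, name: str, now: float):
    """The script that replaces the plain TXT file: hand back the GUID file
    name only to a client that presented a valid token, else nothing."""
    if not token_is_valid(token, now):
        return None
    return ARCHIVE_MAP.get(name)
```

Anyone who extracts the shared salt from the client binary can mint tokens, which is why the answer calls this a deterrent rather than real authentication.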