jimmod / ShareToComputer

GNU General Public License v3.0
Secure http connection? #26

Open Lumb-Chul opened 5 years ago

Lumb-Chul commented 5 years ago

Any chance of native https support, maybe via Let's Encrypt or something? Can I install my own cert and send over https? I wouldn't trust sending information even on a home network over an unsecured connection.

jimmod commented 5 years ago

It's possible, although on the computer's browser you will see an SSL warning since it's a self-signed certificate.

sultanahamer commented 5 years ago

https is a means to encrypt content (in our context, the file is the content) in transfer, which is the same as encrypting the file before letting the user download it. Setting up https is a hassle of bringing in certificates and wouldn't be easy for everyone to set up.

So, I recommend here using any means of encrypting files. I thought of two options for encryption:

  1. ZIP
  2. PGP

ZIP: Easy to use encryption/decryption.

PGP: PGP is not a conventional means to encrypt/decrypt, keeping everyone in mind. Even if the mobile app can encrypt using a passphrase, the person downloading it on a computer might not be able to decrypt it, as they would require a PGP tool to decrypt it and PGP tools are not well known in the current world.

To support PGP decryption for users, we could very well implement decryption in the browser using a PGP JS library. But it would be much effort.

@jimmod, I have created a small patch supporting ZIP encryption using a passphrase. As git was not supporting attaching patch files, I had zipped it. Unzip it and apply the attached patch; after that, follow the steps below.

  1. Run the application
  2. Select option "share file"
  3. Select a file and try opening the URL.
  4. Download the file
  5. Open the file and enter the password abcd

@Lumb-Chul

jimmod commented 5 years ago

@sultanahamer good suggestion. If we secure the download with encrypted zip there will be several impacts:

sultanahamer commented 5 years ago

@jimmod yup, those will be impacts only if the user selects the encrypt option during share. But adding https wouldn't help, as there is no authentication, so any user on the LAN can open the URL and download.

ZJaume commented 5 years ago

Why not embed JavaScript code that downloads the encrypted file via AJAX and then decrypts it? Maybe setting a password for AES or other symmetric encryption in the app and then asking the user for it in the browser.

Edit: I'm thinking of how this project encrypts a file and sends it, but reversed. This would be more transparent to the user if the password is embedded in the URL. https://github.com/Upload/Up1/blob/master/README.md#how-it-works

sultanahamer commented 5 years ago

@ZJaume yup, that would work as well. That's what I have suggested for the PGP option above as well.