Secure http connection?

[Lumb-Chul]

Any chance of native https support maybe via Let's encrypt or something? Can I install my own cert and send over https? I wouldnt trust sending information even on a home network over an unsecured connection.

[jimmod]

It's possible, although on computer browser you will see SSL warning since it's self signed certificate.

[sultanahamer]

https is a means to encrypt content(in our context, file is the content) in transfer which is same as encrypting file before letting user download. Setting https is a hassle of bringing in certificates and wouldn't be easy for everyone to setup.

So, I recommend here using any means of encrypting files. I thought of two options for encryption

1. ZIP
2. PGP

ZIP: Easy to use encryption/decryption.

PGP: PGP is not conventional means to encrypt / decrypt keeping everyone in mind. Even though if mobile app can encrypt using a passphrase but the person downloading it on computer might not be able to decrypt it as they would require a tool of pgp to decrypt it and pgp tools are not well known in current world.

To support PGP decrypt for users, we could very well implement decrypt in the browser using pgp js library. But it would be much effort.

@jimmod , I have created a small patch supporting the ZIP encryption using passphrase. As git was not supporting attaching patch files, I had zipped it. Unzip it and apply the patch attached, after that, follow steps below.

1. Run the application
2. select option "share file"
3. Select a file and try opening the url.
4. Download the file
5. Open file and enter password abcd

@Lumb-Chul

[jimmod]

@sultanahamer good suggestion. If we secure the download with encrypted zip there will be several impacts:

• Add encryption configuration in setting
• All download will be as zip. When user share multiple files, the feature to download each file will be also as zip
• Scan barcode should able to detect encrypted sharing and ask user the password

[sultanahamer]

@jimmod yup, those will be impacts only if user selects encrypt option during share. But adding https wouldn't help as there is no authentication so any user in lan can open the url and download.

[ZJaume]

Why not embedded javascript code that downloads encrypted file via AJAX and then decrypts it. Maybe setting a password for AES or other symmetric encryption in the app an then asking it for the user in the browser.

Edit: I'm thinking in how this project encrypts file and sends it but reversed. This wpuld be more transparent to the user if password is embedded on the url. https://github.com/Upload/Up1/blob/master/README.md#how-it-works

[sultanahamer]

@ZJaume yup, that would work as well. Thats what I have suggested for the pgp option above as well