Risks & mitigation for file uploading / downloading via http & https

Posted on 2016-08-16
Last Modified: 2016-08-30
We permit a couple of depts to upload & download files to external service providers
(eg: law firms, payment processing): we are the http & https client while the external
providers are the web server & https server.

 Q1:
I guess http is only meant for non-sensitive data but other than educating users, we
don't have a way of checking & enforcing that only non-sensitive data is sent via http:
Can DLP (Data Loss Prevention) help with this?  In our case we only use DLP for
emails, not such file transfers.  Any mitigation?  We can always tell users to use
zip to encrypt with a complex password but have no way to enforce it from the
proxy, or can the proxy check if files are encrypted before allowing the transfer?
Refer below for sample proxy rules we've created.

 Q2:
What are the risks with such file sharing using https?  I suppose I have to check
that the remote end's (Allen & Gledhill law firm is one example) https is not using SSL
but TLS V1.2?  Any other thing to watch out for in the https?

 Q3:
Even if we encrypt/zip the files with a complex password, are there still risks & if so
what's the mitigation?

Q4:
In secure coding there's this "Dynamic file inclusion" but I'm unable to establish if the
remote site's coding is such that the remote end's app validates against a whitelist
(for malicious sites).  Is there any way to mitigate for this considering I don't have
control over the remote end's source coding?


Below is a sample of the proxy rules :
Some of our proxy's for file sharing:
 2      condition=__USERaaa condition="RequestURL 198.x.y.z" Allow      ; Rule 8      File Storage/Sharing
 10      condition=NoBlockYousendIT condition=URL_www.allsendit.com Allow      ; Rule 17      File Storage/Sharing
 36      condition=__USER388 condition="URL_laser.myTelco_&_tracker.campaignsend" Allow      ; Rule 46      File Storage/Sharing
 43      condition=Allow_goodnote.com_MM2168888 condition=URL_goodnote.com_MM2168888 Allow      ; Rule 54      File Storage/Sharing
 45      condition="Access to Services.intralinks.com" condition="Intralinks URLs" Allow      ; Rule 58      File Storage/Sharing
 65      condition="Access to files in Intralinks" condition="Intralinks files access" Allow      ; Rule 82      File Storage/Sharing
 66      condition=__USER181 url.domain="ftp.mmm.com" Allow      ; Rule 83      File Storage/Sharing  ; to SAN support
Question by:sunhux
Accepted Solution

by:
ste5an earned 2000 total points
ID: 41764882
1) & 2) HTTPS is only a transport encryption. So it is decrypted on the receiving server. Anyone beyond that point can thus see your data.

3) Archive encryption can ensure that only the owner of the password can encrypt it. But this password-owner relation is only a weak relation. Passwords can easily leak. So the receiver cannot even be sure whether the file is from you.

The question is: What kind of security level do you need? According to your short description it sounds like you need

a) end-to-end encryption
b) authorized/verified senders and recipients

This means that you need public/private key encryption: use the recipient's public key to encrypt the file (then only he can decrypt it) and use your private key to sign that encrypted file (so the recipient can verify that you have sent it).

So in your case (eg: law firms, payment processing) HTTPS and simple archive encryption seem not to be an option.
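
The scheme described in the answer above (encrypt to the recipient's public key, then sign the encrypted file with the sender's private key), as an added example that is not part of the original answer. It assumes OpenSSL 1.1.1 or later and uses a hybrid construction (a random AES-256 session secret wrapped with RSA-OAEP), which is a choice made for this example; all key and file names are hypothetical.

```sh
#!/bin/sh
# Added example: encrypt-then-sign with OpenSSL (1.1.1+). The hybrid scheme is
# an assumption of this example; all key and file names are hypothetical.
set -eu

# Demo helper: create a constructed RSA key pair <name>.key / <name>.pub.
# In practice each party generates its own pair and exchanges only the .pub
# file over a channel where its fingerprint can be verified.
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Sender side. $1 = file, $2 = recipient public key, $3 = sender private key.
# Writes $1.enc (ciphertext), $1.key.enc (wrapped session key), $1.sig.
seal() {
  _sk=$(mktemp)
  openssl rand -hex 32 > "$_sk"                      # random session secret
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$_sk" -in "$1" -out "$1.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$_sk" -out "$1.key.enc"                     # only the recipient can unwrap
  rm -f "$_sk"
  # Sign ciphertext and wrapped key together, so neither can be swapped.
  cat "$1.enc" "$1.key.enc" | openssl dgst -sha256 -sign "$3" -out "$1.sig"
}

# Recipient side. $1 = base file name, $2 = sender public key,
# $3 = recipient private key, $4 = output file.
# Verifies the signature first and refuses to decrypt anything unverified.
unseal() {
  cat "$1.enc" "$1.key.enc" |
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" >/dev/null 2>&1 || return 1
  _sk=$(mktemp); _rc=0
  { openssl pkeyutl -decrypt -inkey "$3" -pkeyopt rsa_padding_mode:oaep \
      -in "$1.key.enc" -out "$_sk" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$_sk" -in "$1.enc" -out "$4"
  } || _rc=1
  rm -f "$_sk"
  return "$_rc"
}

# Usage (constructed names):
#   make_keypair sender; make_keypair lawfirm
#   seal contract.pdf lawfirm.pub sender.key
#   unseal contract.pdf sender.pub lawfirm.key contract.out.pdf
```

The three output files travel together over whatever channel the proxy allows; the transport no longer has to be trusted for confidentiality or origin, only the exchanged public keys do.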