Safe file upload without https (ssl layer)

Developer https://www.devze.com 2023-01-09 08:58 Source: Internet

I'm a PHP developer and I know very little when it comes to https/ssl, but I would like to offer my client the safest possible way of uploading a file to a webpage (i.e. webftp as part of client service on page).

Which way should I look?

Thank you in advance, I will clarify my question if needed.


I'll probably disappoint you, but without HTTPS or some other form of encryption, all the data passing over the wire is plaintext - this also holds for FTP. (In other words, it's practically impossible to verify that the data which the server has received actually came from the client, and hasn't been modified.)

Valid (and widely accepted) HTTPS certificates are cheap and relatively simple to use, plus it's probably the optimal solution currently available in terms of safety*simplicity (switch URLs from HTTP to HTTPS, no other configuration required from end user). With a valid SSL certificate, the client could be reasonably sure that they're communicating with your site and that the data is encrypted while in transit.

In other words, there are safer (but more complicated) alternatives (such as encrypted VPN), and there are simpler (but less safe) alternatives (such as plain HTTP). HTTPS done right is about the right combination of safety and simplicity for a general-purpose website. (OTOH, if you're trying to protect top-secret NSA files, HTTPS is definitely not enough.)


I'm sorry, the browsers themselves offer no alternative to either sending the file in plain text or sending it encrypted through HTTPS.

The only alternative would be to use some sort of client-side plugin (e.g. a Java Applet) that would encrypt the file prior to sending it (as a bonus, you could compress the file before it was encrypted and sent). However, this solution hinders compatibility by requiring a plugin to be installed, is much more complex and ultimately rendered unnecessary by the existence of HTTP over SSL/TLS (HTTPS).
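
A PHP upload endpoint that applies the advice in the answers above by refusing to accept a file over plain HTTP. This is an added example, not code from the thread; the host name, the form field name `upload`, the storage path and the size limit are assumptions.

```php
<?php
// Added example. CANONICAL_HOST, UPLOAD_DIR, MAX_BYTES and the form field
// name "upload" are assumed values; replace them with your own.
const CANONICAL_HOST = 'files.example.com';
const UPLOAD_DIR     = '/var/www/private_uploads'; // outside the web root
const MAX_BYTES      = 10 * 1024 * 1024;

// True only when PHP itself saw TLS. Forwarded-proto headers are ignored
// here; honour them only when your own reverse proxy sets them.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Decide how to answer before touching $_FILES. Returns [status, headers].
function transport_policy(array $server): array
{
    if (request_is_https($server)) {
        return [200, ['Strict-Transport-Security: max-age=31536000']];
    }
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET' || $method === 'HEAD') {
        // No body was sent in the clear, so a redirect to HTTPS is safe.
        $uri = $server['REQUEST_URI'] ?? '/';
        return [301, ['Location: https://' . CANONICAL_HOST . $uri]];
    }
    // A plaintext POST has already exposed the file: refuse, do not redirect.
    return [403, []];
}

[$status, $headers] = transport_policy($_SERVER);
foreach ($headers as $h) { header($h); }
if ($status !== 200) {
    http_response_code($status);
    exit;
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $f = $_FILES['upload'] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK || $f['size'] > MAX_BYTES) {
        http_response_code(400);
        exit('Upload rejected');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)); // ignore client name
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Could not store file');
    }
    echo 'Stored, sha256=', hash_file('sha256', $dest);
}
```

Returning the SHA-256 of the stored file lets the uploader compare it with a locally computed hash to confirm the file arrived unmodified.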
