[ZendTo] Re: password protection
Marlon R Deerr
MDeerr at tgf.ca
Wed Jun 27 16:16:18 BST 2012
Not only are they not security conscious enough to go through the pain of creating public/private keys, they may not even remember how to use it if they don't use it all that often (i.e. once a month or once several months). If you have many employees that will be using this service, between all of them, I can only see nothing but more administrative overhead on your part as the IT Administrator constantly teaching or reminding them how to use the public/private key. I would rather have something more seamless like just relying on an SSL connection to secure the files during transit...but as Nate said, "the only insecure part is the key being sent in the (unencrypted) e-mail".
Nate, I'm not quite sure what you mean by ldap login to verify identity before download. If I am the sender of a drop-off, how is ldap giving me assurance that the correct person is actually picking up the dropoff? Am I missing something there.
Thanks,
Marlon
-----Original Message-----
From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Nathan Warren
Sent: June-27-12 10:09 AM
To: ZendTo Users
Subject: [ZendTo] Re: password protection
I much agree with Mike about my own personal data encryption, but as Tamas pointed out, most users aren't security conscious enough to go through the pain of creating public/private keys. Really, all I need is a way to ensure that the person downloading the file is really the right person. I use SSL for encrypting over the wire; the only insecure part is the key being sent in the (unencrypted) e-mail.
I would love to see an option to require ldap login to verify identity before download.
Nate
From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Papp Tamas
Sent: Wednesday, June 27, 2012 5:07 AM
To: ZendTo Users
Subject: [ZendTo] Re: password protection
On 06/27/2012 11:26 AM, Mike Brudenell wrote:
Hi, Tamas -
hi,
On 26 June 2012 17:06, Papp Tamas <tompos at martos.bme.hu> wrote:
Users trust in sysadmins, they have to.
Anyway zip password is also a good idea, but it's not enough safe, not enough.
I prefer server side protection.
I think we'll have to agree to differ on this one: if I were conducting highly sensitive research using specialist data I wouldn't feel I could leave it to someone else to encrypt for me before uploading it for transferring to someone else.
Implementing encryption on the server side wouldn't necessarily make it any stronger, and could actually (depending on what the SysAdmin chose to set up) be weaker than you'd like, giving you a false sense of security. For additional security you could look at using something like GnuPG to:
1. Set up a public/proviate key pair, then 2. encrypt your data using your colleague's public key, and then 3. digitally sign it with your own private key.
Upon receipt your colleague can then:
1. Verify that it was really you who sent it by validating the file with your published public key, and then 2. decrypt it using their own private key (which only they know the pass-phrase to).
Yes, it's hoops to jump through but it gives them reassurance that the data really was from yourself, and you reassurance that only they can read the data. Gives plenty of security (but possibly overkill for what you need?). Oh, and couldn't be implemented server-side as it needs people's private and public keys for the process. :-)
You're right. But the application is used by users. They don't care about gpg or any other kind of encrypting. If there is no easy way, they don't use anything. Of course for maximum security they can use both option (I wrote before) and in case gpg is not necessary, web authentication would be good enough.
tamas
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
More information about the ZendTo
mailing list