
I'm working on a project for one of my customers. They want a web environment where the site searches for specific emails for specific users and makes the attachments of those emails accessible to view and download.

The attachments I'm talking about are annual statements, payslips and hour registration. So at least the first two file types will include some form of sensitive data, like bank numbers. Something I'm not too keen about.

Now basically my question is: how safe is it for me to read these files over an SSL connection from the email server using PHP IMAP, fetching the content from a file and displaying it without saving it on the web server?

The files would be standing on the email server anyway and I'm not storing the files anywhere else. Or is this thought too naive and are there any other options?


EDIT:
My initial idea was to download the files from the mail server and store an encrypted version of the files in Amazon S3, using their authenticator system to make sure displayed links only work once, and maybe delete the emails afterwards.

Would this be a better idea? Minimising the connections over IMAP by storing a copy of the files somewhere else.

Tobi Nary
LesleyTYap
  • Security of PHP IMAP is only a small part of this. Since you want to display this inside a web environment you have to deal with the typical attacks like XSS, CSRF... and PHP IMAP will not protect you against this. Also you need other libraries like Mail to extract attachments from the MIME structure of the mail etc. And then you might also share the server with others which makes additional problems etc. In short: not easy to get this really secure, no matter if PHP IMAP is secure. – Steffen Ullrich Apr 05 '16 at 20:11
  • Handling the emails is taken care of so that's not a problem. I surely need to make sure the security of the application as a whole is good. I'm just curious if IMAP would be a weak spot no matter what or if it's secure enough to handle my situation. – LesleyTYap Apr 06 '16 at 06:56
  • Some of this perhaps is answered here: http://security.stackexchange.com/questions/51552/how-insecure-is-pop-imap-smtp – Simply G. Apr 06 '16 at 11:23
  • @LesleyTYap, this is not a forum. [If your question has been answered](https://security.stackexchange.com/help/someone-answers), please either flag it as a duplicate, delete it altogether or [write an answer yourself](https://security.stackexchange.com/help/self-answer), do not edit the title to "[solved]" – Tobi Nary Apr 06 '16 at 21:00
  • Since there is no separate answer, do I mark my own answer? – LesleyTYap Apr 09 '16 at 09:55

0 Answers
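One way the flow described in the question could look, combined with the download hardening the first comment hints at. This is an added example, not code from the original post or its comments. It assumes PHP 8 with the imap extension; the host, credentials, message UID, MIME section number and the PDF-only allowlist are hypothetical.

```php
<?php
declare(strict_types=1);
// Assumption: the portal serves PDFs only; extend the allowlist deliberately.
const ALLOWED_TYPES = ['pdf' => 'application/pdf'];

// Implicit TLS on 993; /validate-cert rejects untrusted or mismatched certificates.
function mailboxSpec(string $host, string $folder = 'INBOX'): string
{
    return sprintf('{%s:993/imap/ssl/validate-cert}%s', $host, $folder);
}

// Fetch one MIME part into memory only; nothing is written to disk.
// Assumption: the part is base64-encoded, as attachments usually are.
function fetchAttachment(string $host, string $user, string $pass, int $uid, string $section): string
{
    // OP_READONLY: the web application never modifies the mailbox.
    $imap = imap_open(mailboxSpec($host), $user, $pass, OP_READONLY)
        ?: throw new RuntimeException('IMAP connection or TLS validation failed');
    try {
        // FT_PEEK leaves the \Seen flag untouched.
        $raw  = imap_fetchbody($imap, $uid, $section, FT_UID | FT_PEEK);
        $data = is_string($raw) ? imap_base64($raw) : false;
    } finally {
        imap_close($imap);
    }
    // Check the content itself, not only the name the sender chose.
    if ($data === false || strncmp($data, '%PDF-', 5) !== 0) {
        throw new RuntimeException('part is missing or not a PDF');
    }
    return $data;
}

// Response headers for the download. The filename comes from the e-mail,
// so it is treated as attacker-controlled input.
function downloadHeaders(string $filename, int $length): array
{
    $ext  = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $type = ALLOWED_TYPES[$ext]
        ?? throw new InvalidArgumentException('attachment type not allowed');
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    return [
        "Content-Type: $type",
        "Content-Disposition: attachment; filename=\"$safe\"",
        "Content-Length: $length",
        'X-Content-Type-Options: nosniff',
        'Cache-Control: no-store',
    ];
}

// Constructed sample values; this part runs without a mail server.
print_r(downloadHeaders('../payslip 2016-03.pdf', 48213));
```

The application still has to check that the logged-in user is allowed to see the message before calling `fetchAttachment()`; neither IMAP nor TLS enforces that.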