Transferring large files (1GB+) over internet, securely, one time only

4

1

Possible Duplicates:
Best method of transferring files over internet?
Free way to share large files over the Internet?

I have been asked to design a system for transferring large files (1GB+) across the internet. These files are PDF documents that customers need to download from my website.

I have never built anything like this before, and I'm not sure what hardware or software would be best suited to this, or whether it would be best to host it internally or externally.

Any advice or recommendations for hosting would be much appreciated.

Urbycoz

Posted 2011-06-22T08:26:43.547

Reputation: 1 055

Question was closed 2011-06-23T04:25:22.393

Which level of security do you need? Do you plan to encrypt the file by yourself? Can you trust third party web sites? Btw, you are really sending 1GB+ PDF files? – JMax – 2011-06-22T08:30:11.237

lol. Apparently they are 1GB+ PDF files (according to the client) - I have my doubts too. Anyhow, it's sensitive data, so I need it to be totally secure, and don't mind how it gets encrypted. I'm happy to trust third party sites if they are reputable. – Urbycoz – 2011-06-22T09:01:02.393

Do the files only need to be transferred once, or will you need to archive older files so they can be retrieved later? Would probably affect how much storage space you will need. My two cents. – Richard Lucas – 2011-06-22T09:44:26.467

Can the client have client software, or does it need to work for arbitrary systems? – Journeyman Geek – 2011-06-22T10:10:19.157

Some PDFs that are nothing but scanned images or pages, especially if they run into the hundreds of pages, are very large. A 1GB PDF would not surprise me. – LawrenceC – 2011-06-22T11:34:48.470

@Richard They will need to be always available for download - not just once. – Urbycoz – 2011-06-22T11:35:20.717

@sblair Not a duplicate. No mention of "ftp", "vpn" or "samba" here. Useful link though. – Urbycoz – 2011-06-22T14:57:13.313

Answers

5

We use LeapFile: http://www.leapfile.com/

It is not free, but it is very reliable, and it works great. Read the "Why LeapFile" web page for more info: http://www.leapfile.com/why-leapfile

KCotreau

Posted 2011-06-22T08:26:43.547

Reputation: 24 985

5

You may want to keep this all in house - I would not put anything confidential 'out there' to be managed by another entity. ZendTo may fit the bill:

http://zend.to/

The safe, secure and completely free way to transfer large files around the Web. ZendTo is a completely free web-based system, which you can run on your own server with complete safety and security. It runs from any Linux or Unix server or virtualisation system and there is no size limit and it will send files one and a half times faster than by email. It will also integrate with any Active Directory, LDAP or IMAP system you already have in place.

Linker3000

Posted 2011-06-22T08:26:43.547

Reputation: 25 670

1

Well, if downloading from a website, you set up a website with files and links to them. You transfer/upload to the website via FTP; you need anybody offering web hosting with multiple GB of space on it. People downloading download via a web browser.

Or you could upload it to mediaupload.com or rapidshare; you may want to subscribe, for example a subscription may ensure it stays up longer. You then send out links to the files.

If you want some security, then, if using a website, perhaps links not publicly advertised or with obvious/guessable names are enough.

If encrypting files beforehand, well, I think axcrypt might be pretty good.

barlop

Posted 2011-06-22T08:26:43.547

Reputation: 18 677

2

Please don't. Never do security through obscurity. Give it HTTP authentication, also use HTTPS. The HTTP authentication data can be put into the URL like http://user:pass@hello.world/file.pdf. This will ensure that only people coming from the business can access these, as long as nobody leaks the password!!!

– sinni800 – 2011-06-22T12:02:14.237

I said "perhaps it's enough", it's up to him. He hadn't mentioned security at all in his question, so it was just an idea that'd be a bit more private/secure than listing them publicly. But I did mention encrypting the files beforehand with axcrypt, which is of course more secure than just using links that aren't advertised. – barlop – 2011-06-22T12:46:50.450

@sinni800 your HTTP authentication and HTTPS looks like a good idea, you could post an answer explaining to him how. – barlop – 2011-06-22T12:48:10.777

Yes please. That HTTPS method looks good. – Urbycoz – 2011-06-22T14:49:53.630

@sinni800 What is the problem with security through obscurity? – Urbycoz – 2011-06-22T14:55:58.277

@Urbycoz: it gives a false sense of security where there is no security at all. – liori – 2011-06-22T15:08:04.697

@sinni800 well, I am not sure that I'd call it security by obscurity, or security by obfuscation. It is neither. Suppose you don't want somebody finding the files. It -is- more secure to have them not listed as links on a webpage, than to have them listed. And if the files have names not easily guessable by brute force, then that's a bit like a good password, isn't it? If somebody cannot do a file listing, that's more secure than if they can. – barlop – 2011-06-22T16:58:01.400

@sinni800 Security by obscurity is more: if there's an exploit, then hide it. I wouldn't suggest security by obscurity as a way to choose over others, but I wouldn't say it gives a false sense of security; just recognise it for the relatively poor security that it gives, and strongly consider other methods in preference, particularly if seamless. I'm not sure that I'd call the filename method I mentioned "security by obscurity". Some shopping cart download web apps I've used email a link to a file. The link is for 48h. For those 48h, whoever guesses it knows. But they prob wouldn't guess – barlop – 2011-06-22T17:02:02.130

My answer extended on his one, so I don't think it warrants another answer. What should the creator accept then? My answer or his? His had the idea first, and I extended upon it. I'd rather get an upvote on my comment. @barlop: I can't deny your logic. Still, it would add yet another layer of security if it just used a password only visible to the actual people needing to access the data. When the data is encrypted, too, it's completely secure. 3 layers, even. And two of them are not at all a nuisance for the user. You mean "hide an exploit" if you just change the reported server version to hide? – sinni800 – 2011-06-22T23:26:37.193

@sinni800 I mean, for example, people say Microsoft Windows uses security by obscurity, but perhaps it's also a catch-all term for all or various half-assed security measures. I don't think my answer is worth accepting, relative to others. Your method's better, and comments are limited in char, so an answer provides more space. You haven't explained how though: what software to install or how to configure it, hosted locally or off-site. You may not think it worth it though since he's already accepted an answer, though it may be useful to others. – barlop – 2011-06-23T08:33:52.340

@barlop Well, about the technical implementation, I would have to research first. I am from the MS world of web hosting, so I don't really know how to implement it in Apache, for example, by heart... – sinni800 – 2011-06-23T12:11:07.387
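
The 48-hour emailed download link mentioned in the comments above, sketched as an added example (not code from any poster in this thread): the server signs the file identifier and an expiry time with an HMAC key, so a link cannot be guessed or altered and stops working after 48 hours. The endpoint URL, key handling and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration; none of them come from the thread.
SECRET_KEY = secrets.token_bytes(32)             # stays on the server
BASE_URL = "https://files.example.com/download"  # hypothetical HTTPS endpoint
LINK_LIFETIME = 48 * 3600                        # 48 hours, in seconds


def _sign(file_id: str, expires: int) -> str:
    """HMAC-SHA256 over the file identifier and expiry, URL-safe encoded."""
    msg = f"{file_id}\n{expires}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(file_id: str, now: Optional[float] = None) -> str:
    """Return a download URL that is valid for LINK_LIFETIME seconds."""
    issued = time.time() if now is None else now
    expires = int(issued) + LINK_LIFETIME
    query = urlencode(
        {"file": file_id, "expires": expires, "sig": _sign(file_id, expires)}
    )
    return f"{BASE_URL}?{query}"


def check_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the file identifier if the link is authentic and unexpired."""
    params = parse_qs(urlsplit(url).query)
    try:
        file_id = params["file"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    # Verify the signature first, in constant time, before trusting `expires`.
    if not hmac.compare_digest(sig.encode(), _sign(file_id, expires).encode()):
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None  # link has expired
    # The caller should map file_id to a stored file through an allowlist,
    # not join it onto a filesystem path.
    return file_id
```

A link like this is still a bearer token for whoever holds it, so it complements HTTPS and per-user authentication and does not replace them.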

1

Depending on the level of security your customer demands, you could simply set up a WordPress (or other) blog that's only accessible via HTTPS (which is very simple) and set up accounts for those customer staff authorized to upload, and more limited accounts for those authorized to download. WP has sufficiently granular access controls to handle a simple case. Not perhaps the most "elegant" solution, but it would work, and an experienced admin could set the whole thing up in an hour, including installing and configuring Apache on the server.

CarlF

Posted 2011-06-22T08:26:43.547

Reputation: 8 576