We are using a custom FTP application (which encrypts the files) for secure transfers. We send the application to end users and they use it to send us confidential data. We also use it to send information back to the end users.

The application is in need of an update - some things are no longer working consistently as the end users get more restrictive security environments, as OS updates are released, etc.

We have several options:

  1. Update the application, use SFTP, etc.
  2. Write a new custom web application to add to our aspx website.
  3. Purchase or download SFTP software
  4. Purchase or download web software
  5. Set up an external SharePoint site
  6. Use a service which is hosted elsewhere - preferably in Canada so that our laws apply

Some features which would be nice:

  1. We would not want decrypted files sitting on a server outside the firewall.
  2. Resumable transfers.
  3. Ability to move the files automatically to a specific place inside our firewall. Though this could be easily done outside the file transfer.
  4. Notifications for both sender and recipient by email.

Suggestions/comments?

A: 

First, FTP is a plaintext protocol, so it's already not secure. Your updated description is helpful on this count :)

Running SFTP is pretty easy - by default it's running when OpenSSH is installed and running. (Yes, they need a login, but that's simple enough to handle - especially with an LDAP tie-in.)

Running over HTTPS may be worthwhile. SharePoint, Plone, and myriad other CMSes come to mind.

warren
Updated my description - our current custom FTP application does encrypt the file before sending - but the FTP passwords are still sent in plaintext as per the FTP protocol.
ScottStonehouse
+2  A: 

I've had good results using Free SSHd on Windows machines; it runs on the standard SSH port (22), supports SFTP, and is encrypted end to end. It also lets you set up authorization systems in parallel with your Windows permissions, so you can exercise pretty fine-grained control of who gets access and what they can do.

Tim Howland
Suitable for end users? Able to traverse firewalls that are not under my control?
ScottStonehouse
For end users you'll need a friendly client - I've been able to use FileZilla with success. Outbound firewalls are usually no issue, unless they are set to block port 22 for some reason (some are). If that's the case, then I'd go with an SSL webapp, if you don't have an issue acquiring the certs.
Tim Howland
A: 

Definitely write a file upload web application and add it to your existing website. This gives you the flexibility to create the exact solution you and your clients need, but more importantly, it eliminates this problem from happening in the future. With a web app, there are no client applications to update, distribute, or support. You control the entire process.

A file upload app for ASP can be found easily on the internet; pick one that best suits your needs and customize it:

http://www.google.com/search?q=aspx+file+upload&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Be sure to configure your webserver to use HTTPS and not allow HTTP, to ensure the files are encrypted during transport.

Eric
It's not just upload, we would also need an authentication mechanism, with the ability to easily add users through an administrative interface. Is writing from scratch really the best way to get these features?
ScottStonehouse
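
The HTTPS-only advice in the answer above, sketched as a `web.config` for the aspx site. This is an added example, not part of the original thread; it assumes IIS with the URL Rewrite module installed, and the rule names are made up for illustration. It redirects only GET/HEAD and refuses every other method over HTTP, so an upload form can never be posted to a plaintext URL and then quietly redirected.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Auth/session cookies are never sent over plain HTTP or exposed to script -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1 (hypothetical name): safe methods over HTTP are redirected to HTTPS -->
        <rule name="RedirectReadsToHttps" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="^OFF$" />
            <add input="{REQUEST_METHOD}" pattern="^(GET|HEAD)$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
        <!-- Rule 2 (hypothetical name): POST/PUT etc. over HTTP are rejected,
             not redirected, so a misconfigured client fails loudly -->
        <rule name="RejectPlaintextUploads" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="HTTPS required"
                  statusDescription="This site accepts uploads over HTTPS only." />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- HSTS: browsers that have visited once go straight to HTTPS afterwards -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A request body sent over HTTP has already crossed the network by the time the 403 is returned, so links and form actions handed to end users should always be `https://` URLs.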