-
May 8th, 2013, 02:00 PM
#1
Is this opening a door for hackers?
I'm mainly just an applications programmer where our projects are on internal servers and the user just runs the exe so I'm out of my league on this. Part of something I'm assigned to, but really am just involved in, is allowing access to some documents from outside the company. The plan is to put the PDF documents on a server the public can get to, password protect the documents, and provide the password to the people intended to see them.
In other words:
I'll send you a letter with a URL and a password in it. You'll key in the URL and it will bring up the document prompting for the password. If it matches the document will be displayed as a PDF.
I'm so out of my league on this that I don't know the right questions to ask. Is this an industry norm? I view PDFs from web sites quite a bit when surfing. Are there some security considerations to look into?
-
May 8th, 2013, 02:03 PM
#2
Re: Is this opening a door for hackers?
Some places use a service like DropBox where you can allow specific users access to a folder or documents.
Some places have their own home-grown applications that allow sharing of files through a web interface, although this is usually done as an upload, download, modify, send back sort of interface.
Some places use something like SharePoint, where you can invite people and all collaborate on the document in the SharePoint site (I believe it requires IE to use the online editing though).
Most places I've worked at typically would create a network share and give specific users VPN access to modify and update the files.
It all really depends on who the target users are and what the end goal is.
-
May 8th, 2013, 03:15 PM
#3
Re: Is this opening a door for hackers?
The target users are businesses that we provide services to and the documents are meant to be read only.
-
May 8th, 2013, 04:16 PM
#4
Re: Is this opening a door for hackers?
You are just password protecting the documents? That means I can see a folder of all the documents?
I'm not liking the sounds of that.
-
May 8th, 2013, 04:31 PM
#5
Re: Is this opening a door for hackers?
This just popped up today, but it is my understanding they will be in a folder, with the URL pointing to the documents in there. So I guess it will need to be in the path. I have next to no experience in this. I'll have specific information tomorrow when I get back in. I can also freely get information asked here. What has my attention here is it seems to be a quick and dirty way to get some documents exposed quickly. Things that I'm wondering about are all the holes I keep reading about with ADOBE, options like view source from IE. For example, this is a small part of what I see doing that on this page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" id="vbulletin_html">
I'm guessing what you can see doing that is safe or this forum wouldn't allow anything "bad" to be seen. My biggest concern is we are moving forward so fast. The people doing the work are competent and I'm confident in them. I'm just checking with other sources.
-
May 8th, 2013, 04:47 PM
#6
Re: Is this opening a door for hackers?
Coming from a web developer's standpoint, this is what I suggest. You create a simple web application and give your clients the URL to the site with a code or password. On that page there will be an input box for them to input their code. After the code has been entered the application will show all the documents that the client has permission to view. You can store the actual files anywhere on the server and have the script summon the document. The client will have no idea where the documents are actually stored, and it will allow you to control who can see what.
This is a little more complicated because you will need to create an administrative backend to allow your company to upload the files and grant permissions.
-
May 8th, 2013, 04:47 PM
#7
Re: Is this opening a door for hackers?
I've been involved with setting up web sites for outside business contacts (big oil companies, for example) where they could look at their patent documents. The customer hosting the site was rightly concerned with not only how secure the documents were but also how secure they were perceived to be by those outside business contacts.
That said I cannot imagine having anything less than a "user id" and "password" setup for each client - that gets them in to see just their own documents. https:// is obviously required. If you want to go with some industry standards you could use ASP.Net's built in membership provider for managing authentication.
I've done my own web methods for authentication - this means I both "salt" and "hash" passwords - manage "repeated failure attempts" and locking out users - all that industry standard stuff.
Having a "URL" that somehow indicates the "filename" that is being accessed is a big no-no here - that would mean someone could simply alter the URL and fish around the folder. That is a "perception" of non-secure that I would find obvious.
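A minimal sketch of what posts #6 and #7 describe (clients log in, documents are referenced by opaque ids rather than filenames, files live outside the web root, passwords are salted and hashed, and repeated failures lock the account). This is an added example, not code from any poster; the class, function names and the sample documents are constructed for illustration.

```python
import hashlib, hmac, os, secrets, tempfile

# Constructed sample: two "documents" stored OUTSIDE the web root, keyed by opaque ids.
STORE = tempfile.mkdtemp()
for name in ("contract-a.pdf", "contract-b.pdf"):
    with open(os.path.join(STORE, name), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample " + name.encode())
DOCS = {"d1": "contract-a.pdf", "d2": "contract-b.pdf"}  # opaque id -> real filename (never shown)

def hash_password(password, salt):
    # Salted, iterated hash (PBKDF2-HMAC-SHA256); store salt + digest, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Portal:
    MAX_FAILURES = 3  # lock the client after this many wrong passwords

    def __init__(self):
        self.clients = {}   # client_id -> {salt, digest, docs, failures}
        self.sessions = {}  # session token -> client_id

    def register(self, client_id, password, doc_ids):
        salt = secrets.token_bytes(16)
        self.clients[client_id] = {"salt": salt, "digest": hash_password(password, salt),
                                   "docs": set(doc_ids), "failures": 0}

    def login(self, client_id, password):
        c = self.clients.get(client_id)
        if c is None or c["failures"] >= self.MAX_FAILURES:
            return None                      # unknown client or locked out
        if not hmac.compare_digest(c["digest"], hash_password(password, c["salt"])):
            c["failures"] += 1
            return None
        c["failures"] = 0
        token = secrets.token_urlsafe(32)    # opaque session token, not the password
        self.sessions[token] = client_id
        return token

    def fetch(self, token, doc_id):
        # The URL carries only a session token and an opaque doc id; the server maps
        # the id to a path itself, so altering the URL cannot reach other files.
        client_id = self.sessions.get(token)
        if client_id is None or doc_id not in self.clients[client_id]["docs"]:
            return None
        name = DOCS.get(doc_id)
        if name is None:
            return None
        with open(os.path.join(STORE, name), "rb") as f:
            return f.read()
```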
-
May 8th, 2013, 04:57 PM
#8
Re: Is this opening a door for hackers?
I logged in to work and we will be publishing something like this to the customers:
https://XXXXXXXX.XXXXX.com/ANOTHERFOLDER/2014 PA gRetro contract.pdf
The PDF pops up asking for a password. Using a partial path, say https://XXXXXXXX.XXXXX.com/ANOTHERFOLDER, generates a denial error:
The website declined to show this webpage
HTTP 403
Most likely causes:
•This website requires you to log in.
Key in the password wrong three times and the option disappears.
-
May 8th, 2013, 05:11 PM
#9
Re: Is this opening a door for hackers?
Unless these business partners are downloading new documents frequently I'm not sure you want to try to administer this the usual way. It becomes a burden both for you and for them.
Ideally all of the documents might fall into one category: access to any means access to all is ok. But if there are distinct categories for security reasons there probably still isn't "one category per partner" anyway.
You already must have some mechanism for maintaining contact with these partners, vetting new requests, etc. You might be far better off just having a single passphrase for each category - sort of a more complicated password. You can send these out after changing them periodically along with news of updates via email to your partner contact list. If it's important you could also require entry of a registered email address or something.
This could be a lot less work to administer than conventional user/pw approaches, and more convenient for your partners to use. Eliminating "dead accounts" is no more work than the other way. You could even send out a contact email every year asking them to "re up" or provide the new contact's email when employees change.
"I lost my password" becomes as simple as re-sending the recent update email upon request.
-
May 8th, 2013, 05:16 PM
#10
Re: Is this opening a door for hackers?
I'm still unclear how the URL and password is given to the user? Email or conventional letter via snail-mail??
Also - dilettante asks a good question - how often are these users touching a document???
-
May 8th, 2013, 05:34 PM
#11
Re: Is this opening a door for hackers?
 Originally Posted by szlamany
I'm still unclear how the URL and password is given to the user? Email or conventional letter via snail-mail??
Also - dilettante asks a good question - how often are these users touching a document???
Each year all the contracts are renewed or not. That occurs in four groups over the year. Invitation packets will be sent to eligible employers via email and that will contain the link and the password. All the invited employers for a quarterly group will share the same documents and passwords. I'm not sure what the business intent is but I think the employer prints them off, signs them, and mails them back.
I realize there are better ways to do this but for quick and dirty this is "quick and dirty". The decision to proceed in this manner is a couple management levels above me. I just had red flags go up and wanted to bounce it off the members here.
Is there any other information I can supply or does this qualify as "safe but not pretty"?
-
May 8th, 2013, 06:50 PM
#12
Re: Is this opening a door for hackers?
Well - what you show in post #8 seems safe enough.
What is the web service that is running that is asking for the pdf password anyway??
-
May 8th, 2013, 07:27 PM
#13
Re: Is this opening a door for hackers?
 Originally Posted by szlamany
Well - what you show in post #8 seems safe enough.
What is the web service that is running that is asking for the pdf password anyway??
I believe they are Word documents created in Office 2010 and saved as a PDF. During the save you have the option of password protecting it. Then I think it is just dropped in the folder. I can double check that.
-
May 9th, 2013, 02:43 AM
#14
Re: Is this opening a door for hackers?
An option could be email.
A client requests via the site. The email address is known by the server (valid customer) and the PDF is sent via email.
-
May 9th, 2013, 06:37 AM
#15
Re: Is this opening a door for hackers?
How come no one suggested an FTP server? It's quick and dirty and can also be password protected. If you know exactly what you're doing it can take like 10 minutes to set up an FTP server.
-
May 9th, 2013, 06:41 AM
#16
Re: Is this opening a door for hackers?
 Originally Posted by Niya
How come no one suggested an FTP server? It's quick and dirty and can also be password protected. If you know exactly what you're doing it can take like 10 minutes to set up an FTP server.
Well it wasn't a matter of looking at alternatives from my perspective. The decision here was made and I was just concerned about it from a security standpoint. I think from that perspective it is safe. I'm friendly with the person that installed it and I can ask about FTP. I'm guessing the answer will be that what he did was already set up.