[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[somewhat OT] The age-old problem of securely allowing anonymous file uploads

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: [somewhat OT] The age-old problem of securely allowing anonymous file uploads
From: Damon McMahon <damon_(_dot_)_mcmahon_(_at_)_gmail_(_dot_)_com>
Date: Wed, 10 Nov 2004 00:04:35 +1030
Reply-to: Damon McMahon <damon_(_dot_)_mcmahon_(_at_)_gmail_(_dot_)_com>

Greetings,

I'm hoping someone can impart their wisdom on my dilemma here. I need
to allow uploads of largish files by random (but not anonymous) users
to my OpenBSD 3.5 server. These are files larger than most mail
servers allow (> 3MB) but not absurdly large (generally < 10 MB). As
it's relatively few clients I'm happy to arrange temporary accounts
(usernames, passwords) for them for this to happen.

The key properties for the solution are as follows:

1. The protocol needs to be native or at the very least widely
deployed on the Windows and MacOS machines the clients of my design &
publishing business use.

2. The solution needs to be as simple to maintain and secure as
possible (obviously).

I've thought of many potential solutions, but they all have their downsides:

1. secure ftp
PROS: more secure than most
CONS: clients are not widely deployed

2. authenticated ftp
PROS: client widely deployed (MSIE etc)
CONS: plain text passwords *shivers*

3. anonymous ftp
PROS: client widely deployed (MSIE etc)
CONS: unauthenticated uploads *shivers again*

4. http file upload
PROS: every web browser under the sun can do it
CONS: not really what Apache is designed for

Any thoughts will be much appreciated.

Prev by Date: 0 to NULL in sys/net/if_tun.c
Next by Date: Re: SCSI Error
Previous by thread: 0 to NULL in sys/net/if_tun.c
Next by thread: Re: [somewhat OT] The age-old problem of securely allowing anonymous file uploads
Index(es):
- Date
- Thread

Visit your host, monkey.org