Adding file share option #8

Closed
lhari84 opened this issue Nov 12, 2019 · 3 comments
@lhari84 lhari84 commented Nov 12, 2019

Hi,

Would it be possible to add a one-time file sharing option too?
I've been searching the web for at least one hour but couldn't find anything for my needs.
I want to avoid installing a big, moderated solution like Nextcloud to get just this one functionality...

My idea:

  1. Adding an additional option to drag & drop files needed to be shared into browser (into a specific area, described by "drop files you want to share here", for example)
  2. URLs for downloading these files are generated and added to the secret message after the upload is done, so the recipient can download the files after opening the secret message.
  3. Best with expiration, so the shared file is removed even from server after 1 week for example (to improve security and save space)

Known and possible limitations:

  1. Of course files cannot be included in the encrypted URL of the secret message and must be uploaded to the server's file system, but I guess there are some tricks to hide them from non-authorized users (disabled directory listing, encrypted URLs, ...)
  2. If it's easier to add just 1 file instead of multiple ones, it would be fine too. Better than nothing :)
  3. I know PHP limits file uploads by default. But I guess it's possible to increase quite easily. My goal is to allow uploads up to 500 MB or even 1 GB.

If you don't want to implement this function, as it's lots of work for sure, maybe you have suggestions about another easy tool I could use?

Many thanks in advance!

@yahesh yahesh commented Nov 13, 2019

@lhari84 Unfortunately, sharing files is not what this application is primarily intended for. The idea of the application is that the storage does not have to be highly available (hence a database of mere URL fingerprints), which would drastically change if it were to store megabytes and gigabytes of data.

However, you can of course use this application to provide part of the required security. You could, for example:

  • upload a file to an application
  • generate a symmetric encryption key
  • encrypt the uploaded file symmetrically with the generated key
  • push the encrypted file to a cloud storage provider of your choice
  • store the pointer to the encrypted cloud-stored file plus the symmetrical key in a secret sharing link and provide that link to the recipient
  • the recipient could open the secret sharing link with an application which would retrieve the secret, download the encrypted file, decrypt the file with the symmetrical key and provide the decrypted file to the user
  • Optional: To prevent someone else from reading the link below the file sharing you can additionally encrypt the contents.

So much for the theory, here comes the practical example: I've written a small encrypted file-sharing web application that uses Dropbox and Shared-Secrets as the basis. The upload works as follows:

  • upload the file to the application
  • generate a symmetric key
  • encrypt the file
  • upload the file to Dropbox
  • put the random Dropbox file name, the symmetric key and the original file name in a string
  • additionally encrypt that string with a fixed encryption password
  • create a secret sharing link from that encrypted string

The download works as follows:

  • retrieve the encrypted string
  • decrypt that string with the fixed encryption password
  • split the string into the random Dropbox file name, the symmetric key and the original file name
  • download the file from Dropbox
  • decrypt the file
  • provide the decrypted file as a download

The application reuses the lib/shared-secrets.def.php and lib/shared-secrets.exec.php files of the Shared-Secrets application. You can find the upload and download scripts here as Gists:

This should be enough input to create something on your own (I guess). As mentioned, this is nothing that would be fitting to be implemented in this application. I'll therefore mark this ticket as wontfix.
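
The upload and download steps listed in the comment above, as an added PHP example that is not part of the original comment, the linked Gists or Shared-Secrets. Assumptions: a local directory stands in for the Dropbox backend, AES-256-GCM and a JSON-packed string are choices made here, and `FIXED_PASSWORD`, the salt and the sample file are constructed values; the string `upload()` returns is what would be turned into the secret sharing link.

```php
<?php
// Added example; not the Gist code and not part of Shared-Secrets.
// Assumptions: a local directory replaces Dropbox; FIXED_PASSWORD is constructed.
const FIXED_PASSWORD = 'constructed-demo-password';

// AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function seal(string $plain, string $key): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) throw new RuntimeException('encryption failed');
    return $nonce . $tag . $ct;
}

// Decrypts and authenticates; throws on a wrong key or a modified blob.
function unseal(string $blob, string $key): string {
    if (strlen($blob) < 28) throw new RuntimeException('blob too short');
    $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
    if ($plain === false) throw new RuntimeException('authentication failed');
    return $plain;
}

// Key for the outer layer, derived from the fixed password (salt is constructed).
function wrapKey(): string {
    return hash_pbkdf2('sha256', FIXED_PASSWORD, 'constructed-salt', 100000, 32, true);
}

// Upload: returns the encrypted string to turn into a secret sharing link.
function upload(string $data, string $origName, string $dir): string {
    $fileKey = random_bytes(32);               // per-file symmetric key
    $remote  = bin2hex(random_bytes(16));      // random storage file name
    file_put_contents("$dir/$remote", seal($data, $fileKey));
    $ptr = json_encode(['n' => $remote, 'k' => base64_encode($fileKey), 'o' => $origName]);
    return base64_encode(seal($ptr, wrapKey()));
}

// Download: returns [original file name, decrypted content].
function download(string $secret, string $dir): array {
    $p = json_decode(unseal((string) base64_decode($secret, true), wrapKey()), true);
    // Accept only names of the form upload() generates, so a pointer cannot leave $dir.
    if (!is_array($p) || !preg_match('/^[0-9a-f]{32}$/', (string) ($p['n'] ?? '')))
        throw new RuntimeException('bad pointer');
    $blob = (string) file_get_contents("$dir/{$p['n']}");
    return [basename((string) $p['o']), unseal($blob, (string) base64_decode((string) $p['k'], true))];
}

$secret = upload("constructed sample content\n", 'report.pdf', sys_get_temp_dir());
[$name, $data] = download($secret, sys_get_temp_dir());
echo "$name: " . strlen($data) . " bytes recovered\n";
```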

@yahesh yahesh closed this Nov 13, 2019
@yahesh yahesh self-assigned this Nov 13, 2019
@lhari84 lhari84 commented Nov 14, 2019

@yahesh Ok, thanks for the effort. Unfortunately Dropbox is not an option for my purpose. As I understand it, this solution would require that everybody who wants to share a file MUST have a Dropbox account.
I'll continue searching for a solution that allows uploading files to the secret-hosting server and sharing them once and securely.

@yahesh yahesh commented Nov 14, 2019

@lhari84 No, only the person/organization providing the service would need a Dropbox account in this implementation. It only serves as a backend storage. You could also implement other backend storages like S3 or store the files locally on the server of the web application.
