Possible security risks regarding attachments

Our techies have raised concerns about how the URL for attachments is published in the new "download" window.  I.e. they don't like making some of the content server URLs publicly available.  BTW, virtually all courses are served from the same content server (for our commercial LMS), therefore courses can be accessed by thousands of people.

Maybe this is just the way each browser handles it by default, and can't be changed?  I don't know.  But their fear is that someone could start sniffing for files ... or use something like Fiddler.  

TBH, I'm not sure how much validity there is to all this, but I said I'd raise it anyway.  Any ideas?  Can the URL be hidden?  Is anyone else having to get around this?

Thanks

PS Some of our courses have links within them that launch downloadable documents too.  However, these documents can be hosted totally separately - and away from any other content.

5 Replies
Brian Batt

Unfortunately, you're not going to be able to hide the URL.  In fact, if the end-user really wanted to get to the files, they could use an HTTP trace log program to get the URL as well.

Keep in mind that your IT group can block access to the folder using an .htaccess file & this method:

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/#sec3

Using the method above will prevent users from browsing the directory, but will still allow the user to directly access the file.
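As an added example (not code from Brian's reply or from the linked page), here is the .htaccess difference he describes: the first variant only stops directory browsing, while the second requires a login before any file in the folder is served. The paths, the password file and the assumption that AllowOverride permits AuthConfig for the directory are mine.

```apache
# --- Variant A: what the linked trick does (assumed to be "Options -Indexes") ---
# Stops Apache from listing the folder contents, but anyone who already
# has a file URL (from the download window or an HTTP trace) can still
# fetch e.g. /attachments/report.pdf directly.
Options -Indexes

# --- Variant B: directory listing off AND a login required for every file ---
# Knowing the URL is no longer enough; the request is refused until the
# user authenticates. The password file is created with `htpasswd` and
# kept outside the web root (path is an assumed example).
Options -Indexes
AuthType Basic
AuthName "Course attachments"
AuthUserFile /etc/apache2/.htpasswd-attachments
Require valid-user
```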

James Brown

Not sure if you could spoof the DNS address or not. Anyway, if you are that worried about the doc, place it behind a secure login or only make it available upon request. I'm with Steve. I really wouldn't worry about this as long as your website has the proper security restrictions in place to stop unwanted sniffing. If you are worried about someone hacking your network, have your website hosted by someone else and let them worry about hackers. I know for a long time we hosted our own website, but we finally outsourced it to a company, and when we did host our site it was not connected to our main network, just in case someone did get in; they were only going to be able to play with the webserver. I do recall being hacked a couple of times, but the only thing they were able to do was change my index.html. I corrected that by renaming my index.html to something else, which resolved that issue. Plus I added a lot more web security to our website to protect against SQL injection attacks.

Again, sometimes your IT staff can raise a flag when really there is nothing to be worried about if they did their job to begin with.