  1. #1

    Hi there,

    I have had someone help me design a new website for my medical transcription service. Go Daddy is the host. I have paid extra for an SSL turbo certificate, that will add https to my site (the certificate has been paid for and ordered, but will take up to 72 hours before it is applied to the site).

    I am endeavouring to add a File Upload Box to the site. This will require clients to log in with a name and password, so they may upload dictation audio files.

    As the nature of these is highly confidential I require absolute security, such that the files cannot be read by unintended parties (hackers, etc).

    I'm on very unfamiliar ground both in terms of website development and the ability to know with 100% certainty whether the SSL turbo certificate (up to 256 bit encryption) will ensure the total privacy of any files uploaded to my site.

    From discussions thus far with support staff at Go Daddy it would appear a shared host site (i.e. Go Daddy) is not considered HIPAA compliant. Go Daddy also advised that SSL only scrambles information when a client logs in, i.e. scrambles their name and password, but the contents of the files they upload are never encrypted, they merely reside on the server. All the encryption does is "protect" unauthorised access to the files via the "https" SSL security.

    Can anyone advise how I can create a fully encrypted file upload box on my website, such that any files a client uploads are encrypted from the moment they are browsed for on the client's computer and at all times thereafter (until I log into my site as the administrator and download them to my local computer).

    I am also looking into Sendthisfile enterprise package which claims to provide what I'm after. From what I can tell, though, this is only SSL, which I should already have at my site once the certificate is processed.

    Any help greatly appreciated.

    Cheers,

    ozgal

  2. #2
    jscher2000 (Super Moderator)

    Originally posted by ozgal:
    > I'm on very unfamiliar ground both in terms of website development and the ability to know with 100% certainty whether the SSL turbo certificate (up to 256 bit encryption) will ensure the total privacy of any files uploaded to my site.

    In a word, No. An SSL connection between the user's browser and your server encrypts the file in transmission. However, on both ends, the file is decrypted back to its original form. Unless you take extra steps to protect it, anyone who gains access to your folders on the server can read those files.

    Originally posted by ozgal:
    > Can anyone advise how I can create a fully encrypted file upload box on my website, such that any files a client uploads are encrypted from the moment they are browsed for on the client's computer and at all times thereafter (until I log into my site as the administrator and download them to my local computer).

    Hmmm... If there is a Flash or Java application that does this as part of the file upload, I haven't heard of it, but it might exist.

    There are several different public key encryption solutions that you could consider using. In general, these work by both you and your client registering for a pair of encryption keys: a public key that each shares with the other party, and a private key each keeps to herself. These are mathematically related in such a way that customer's private key + your public key will encrypt the file so that it can only be opened by customer with that combination or by you with customer's public key + your private key. The file would be encrypted by the customer prior to upload, and would be protected until you decrypt it on your PC.

    While this may sound like a lot of work, to me it sounds like way less work than trying to build the encryption into your web application. The only "gap" is if the customer forgets to encrypt the file. That would be bad.
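
The "sender's private key + recipient's public key" scheme described in the reply above, as an added example that is not part of the original thread. It assumes Node.js and one possible construction (X25519 key agreement, HKDF-SHA256, AES-256-GCM); the function names, the `dictation-upload-v1` label and the sample bytes are constructed for illustration.

```javascript
// Added illustration; names and sample bytes are constructed, not from the thread.
const crypto = require('node:crypto');

// Each party runs this once and shares only publicKey with the other.
const newKeyPair = () => crypto.generateKeyPairSync('x25519');

// "My private key + your public key" yields the same secret on both sides.
function sharedKey(myPrivate, theirPublic, salt) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, salt, 'dictation-upload-v1', 32));
}

// Runs on the client's computer before the file ever reaches the web server.
function encryptFile(plaintext, senderPrivate, recipientPublic) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey(senderPrivate, recipientPublic, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]); // this blob is what gets uploaded
}

// Runs on the transcriber's PC after download; throws if the key is wrong or the blob was altered.
function decryptFile(blob, recipientPrivate, senderPublic) {
  const salt = blob.subarray(0, 16), iv = blob.subarray(16, 28), tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sharedKey(recipientPrivate, senderPublic, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// Constructed scenario: the client uploads, then a third party holding only the stored blob tries to read it.
function demo() {
  const client = newKeyPair(), transcriber = newKeyPair(), intruder = newKeyPair();
  const audio = Buffer.from('RIFF....constructed dictation audio bytes');
  const stored = encryptFile(audio, client.privateKey, transcriber.publicKey);
  const recovered = decryptFile(stored, transcriber.privateKey, client.publicKey);
  let intruderRead = true;
  try { decryptFile(stored, intruder.privateKey, client.publicKey); } catch { intruderRead = false; }
  return { roundTrip: recovered.equals(audio), leaksPlaintext: stored.includes(audio), intruderRead };
}

console.log(demo());
```

The server only ever holds the uploaded blob, so SSL protects it in transit and the key pairs protect it at rest; the two parties still have to exchange public keys over a channel they trust.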

  3. #3
    Hi Jeff (hope you don't mind the shortening of Jefferson),

    Thanks so much for your reply. Darn, there not being a simple way to implement an encrypted upload file box on my website. I have provided current clients with encryption software but was hoping to streamline the process somewhat with my hoped for solution.

    As a workaround, I wonder if there might be a way to create an encrypted folder that only I know the password to, on a webserver? In this way, the files would be protected by SSL during upload/download, and in theory at least, would be protected once they were copied into the "encrypted folder".

    Of course, not sure if this is possible either...I am always trying to reinvent the wheel!

    Thanks again for your help - always good to throw ideas around.

    Cheers,

    ozgal

  4. #4
    jscher2000 (Super Moderator)

    Originally posted by ozgal:
    > As a workaround, I wonder if there might be a way to create an encrypted folder that only I know the password to, on a webserver? In this way, the files would be protected by SSL during upload/download, and in theory at least, would be protected once they were copied into the "encrypted folder".

    Maybe. This is a Linux-based server? The Lounge historically has not had a lot of Linux users, but perhaps you'll get some recommendations on other places to ask/check.
