Can I store files on my website and make them secure?

Hi all, I have been playing around with my website and updating it and thought that it might be a good idea to create a 'hidden' folder and keep important documents in there.

I was thinking it was a good way of keeping important documents at hand, such as scans of my passport, driver's licence, qualifications, business spreadsheets, personal numbers etc.

So I had a play around with it and uploaded some files into this folder:

http://urbanmakeover.com/stuff/

Obviously no-one knows they're there unless they think to look for a directory called "stuff"...

But if I wanted them to be extra secure and not take the chance that someone could find them, is there any way to make it password access only? You know, like those pop-up windows that ask for a username and password?

Or is there a better way?

thanks
 
The simplest way (if your host allows it or if you are running your own server) is with an .htaccess file and .htpasswd file.

Use a text editor to create a file called .htaccess (that's a dot then htaccess) and enter the following text:

AuthName "My secure files"
AuthType Basic
# Use the full path to the password file. Apache resolves a relative AuthUserFile
# against its ServerRoot, not against this directory, so "AuthUserFile .htpasswd"
# would not be found. /home/yourname is a placeholder for your account's home directory.
AuthUserFile /home/yourname/.htpasswd
Require valid-user

Then create a file called .htpasswd and enter the following text into it:

# A plaintext password line like the one below is only accepted by Apache on
# Windows/Netware hosts. On a Linux/Unix host the password must be stored hashed,
# so create the file there with: htpasswd -c /home/yourname/.htpasswd nomadic
nomadic:mypassword

(obviously choose a secret password!)

Save both files and upload them to your server in the directory you want to be protected and you're done.

Let me know how you go...
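An added illustration (this is not investor's code or anything posted in the thread): the two files the reply above describes, generated with a hashed password rather than a plaintext one, plus the server-side check. It also shows what the browser's login pop-up actually sends back, which is the reason plain-http Basic auth is so easy to sniff, a point raised further down the thread. The path /home/urbanmakeover/.htpasswd, the realm, the user and the password are all made up for the example; the {SHA} format is used because it needs only the standard library, while on a real host `htpasswd -B` (bcrypt) is the better choice.

```python
"""Added example, not code from the original post: build the two files the
reply describes (with a hashed password rather than a plaintext one) and show
what HTTP Basic authentication puts on the wire and how the server checks it.
The path, realm, user and password below are made up."""
import base64
import hashlib
import hmac

# Assumption: absolute location of the password file on the host.  Apache resolves
# a relative AuthUserFile against ServerRoot, not against the protected directory,
# so the path must be absolute.
HTPASSWD_PATH = "/home/urbanmakeover/.htpasswd"


def htaccess_text(realm: str, htpasswd_path: str = HTPASSWD_PATH) -> str:
    """Contents of the .htaccess file placed in the directory to protect.
    'Options -Indexes' also removes the directory listing that would expose
    the folder if index.htm ever went missing."""
    return (
        f'AuthName "{realm}"\n'
        "AuthType Basic\n"
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
        "Options -Indexes\n"
    )


def htpasswd_line(user: str, password: str) -> str:
    """One .htpasswd entry in Apache's {SHA} format (what `htpasswd -s` writes):
    the file stores a digest, never the password itself.  Standard-library only;
    on a real host prefer `htpasswd -B` (bcrypt), which is salted and slow."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}\n"


def basic_header(user: str, password: str) -> str:
    """The Authorization header a browser sends after the login pop-up.
    Base64 is an encoding, not encryption: on plain http anyone sniffing the
    connection reverses it in one call."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(header_value: str):
    """Recover (user, password) from the header; None if it is malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def parse_htpasswd(text: str) -> dict:
    """user -> stored hash; blank lines and '#' comments are skipped, as Apache does."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_basic_auth(header_value: str, htpasswd_text: str) -> bool:
    """Server-side check: hash the presented password the same way and compare
    against the stored value in constant time."""
    creds = decode_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    presented = htpasswd_line(user, password).rstrip("\n").partition(":")[2]
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    passwd_file = htpasswd_line("nomadic", "mypassword")
    header = basic_header("nomadic", "mypassword")
    print(htaccess_text("My secure files"))
    print(passwd_file, end="")
    print("on the wire:", header)
    print("recovered by a sniffer:", decode_basic_header(header))
    print("server accepts:", check_basic_auth(header, passwd_file))
```

Running it prints the .htaccess, the hashed .htpasswd line, the header exactly as it crosses the network, and the username and password recovered from that header with one base64 decode: the password file is protected by the hash, but the login itself is not unless the site is served over https.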
 
Thanks investor. I just tried to create this file... is it a .htm file?

What type of extension should these .htaccess and .htpasswd files have?

thanks
 

Those are the *exact* file names... in other words, 'htaccess' is the extension.

However, I just noticed you have cPanel on your server:

http://urbanmakeover.com/cpanel

You should be able to log in to that with the same login and password as when you use FTP.

In cPanel, it can do the .htaccess files for you automatically. Have a look around in there and I'll check back here with more info in a sec...
 
This is from the cpanel user guide:

1 To access the Directory Access Menu, click on the icon above the words Password Protect Directories on the main screen of your cPanel interface.

2 Click on the name of the directory that you wish to protect. (You can navigate to a directory by clicking on the icon next to it).

3 When the new screen appears, click on the box next to the icon to require a password to access the directory.

4 Type the name that you wish to appear in the login box for the directory in the blank field next to Protected Resource Name:

5 Place the name of the user you wish to be able to access the directory in the blank field next to Username:

6 Place the password for that user in the blank field next to Password: and click on Add/Modify authorized user.

7 Repeat steps 5 and 6 as necessary to add more users.
 

Thanks investor. So do I need to give the file a name as well? I tried naming them .htaccess and .htpasswd, but then they become one of those icons that has no associated software to open it. OK, after uploading them as they were, it's now giving an error message.

EDIT: I just saw your other reply. Thanks investor, I'll have a play in the cPanel.
 

Yeah, cPanel is even easier, no fiddling with file names at all.

But if you really have to do it the manual way, you could try naming it htaccess.txt on your PC, then rename it to .htaccess after you upload it (your server won't have a problem with the file name; it's usually just Windows PCs that don't like it starting with a dot).
 

Thanks mate, you're a champ! It seems to be working now and I now have to log in with a username and password. There must be a heap of stuff in that cPanel that I'm not using or haven't activated. I notice there's also a setting to set up an FTP account. Is this just another way of doing the same thing... for access to files? Anyway, I thought this was better as I can create folders for different people and give them usernames & passwords to log into their own folders.
Thanks again! :)
 
Not sure what that's about.

FTP is for downloading/uploading files to your server. I thought that's how you were originally doing things. (Maybe it is.)
 
Urgh. Security through obscurity. That's bad, m'kay.

Just because the folder name is hard to guess doesn't make it unguessable. What could happen is that your provider somehow loses your "index.htm" file (the file that provides the homepage of your website); then, when accessed, the web server may show a list of folders in your website... including your "hidden" folder!

A password protected folder is a good idea.

Having your files encrypted is going one step further.

There has to be a balance between convenience and security.
 
OK, they're both working now, I just had to clear my cache.

mja, that's what I was thinking: what if I named it something obscure like "purplemonkey", would that stop people finding it? Even if it did, I still believe Google would still find it?

So if I had a scan of my passport and named it "passport.jpg" and someone did a Google search for "passport", it could show up. And the only way to not have those files show up in search engines is to password-protect the folder? Is this the same thing as encrypting, or is that another level of security? Thanks.
 

You probably don't need to name it something obscure now that it's password-protected.

I think mja was just referring to your very first suggestion, of having a hard-to-guess directory name, without a password.

Having said that, make sure your password is hard to guess!

Encryption would be a whole 'nother level of security. You would encrypt the files (scramble their contents) with a program like PGP before putting them on your server. That way, if anyone did ever guess your password or gain access to your files, they would be completely useless unless the attacker also had the password or key they needed to decrypt the files after downloading them.

The measures you take to secure your files really depend on how important it is to you that no one else can view them. (E.g. you would probably take more care with documents that could be used by your competition against you; in fact I wouldn't put documents like that online at all.)
 
such as scans of my passport, driver's licence, qualifications, business spreadsheets, personal numbers etc.

I just read this part of your original post again, and I would advise not putting that stuff online at all. Is there a reason you need it to be on the net?

Things like scans of passport and driver's licence, I would definitely encrypt if they have to be online. The methods of password protection we have covered here aren't fool-proof, and there are a few skilled people (teens) out there who could most likely gain access anyway.

http://www.pgp.com

:)
 
Thanks again investor. In the past I have emailed important documents to myself, such as passport scans and spreadsheets. This way I can easily download these files if I need them. With a document that gets updated (like a spreadsheet), I download it, edit it, save it and then email it back to myself... while making sure that I then delete the old file so that I don't get confused about which one has the up-to-date info.

But with this setup of having a secret folder, I can download the spreadsheet and edit it, but I can't upload it again... or can I? I suspect the FTP thingy has something to do with it. I want to be able to do this stuff from internet cafes overseas.
 
No, you cannot make it secure.
The best you can do without an encryption layer is make it obscure, difficult to find:
  • Take the hidden folder out of the HTML tree; like your cgi-bin folder, it does not need to be there. Most spiders will not look outside of the HTML tree without an <a href=> pointing to the folder, so use <a onclick="window.open(href, target, features)"> instead.
  • Chmod the folder and the files to be web-unreadable, and have a password-protected script to access the folder; the PHP or ASP processor runs on the server, so it can access web-locked files.
  • Encrypt the .pdf, .xls or .doc files with a different password.
  • Set robots.txt to ignore the folder.
  • Set .htaccess to deny from all.
  • Create .htpasswd with one of the password utility programs, so that the password and username are not in clear text.
If you are using your laptop in an internet cafe, security is better, and you can use your FTP program to download, alter and upload the files with relative impunity using SSL.

Access from internet cafes etc. using their PC, by download & upload of files for alteration, is nuts. There is no way to prevent any other person in range (range varies from a few feet to a few thousand feet) from recording any and all information that they desire; your passwords would be theirs. The HTTP protocol defines how information is sent, so packet sniffers can find it easily.

Of course, if the data is convenient rather than secret, it is a lesser worry.

It is very simple to make the changes online,
keep a log of all changes so they can be undone without deleting any files,
and/or keep version-listed filenames,
and update the display of information in a meaningful manner.
SQL/ASP and SQL/PHP are designed for just that.

Server-side applications will do what you are looking for, including ASP/PHP access to .xls, .pdf or .doc files, and there would never be a copy of your data files stored on any insecure PC.

This forum runs on SQL/PHP; non-public info is made very hard to extract, possibly not impossible, but definitely not worth the effort.
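An added illustration of the server-side arrangement AlmostBob describes (this is example code, not anything from the thread or from this forum's own software): the documents sit outside public_html where no URL reaches them, the folder is chmod'ed so only the web server's user can read it, and a script hands a file out only after a password check. A minimal WSGI app stands in for the PHP/ASP script, the stored credential is a salted PBKDF2 hash rather than clear text, and the "file" parameter is resolved with an escape check so a request for ../something cannot reach outside the folder. The directory name, user, password and salt are made up, and make_demo_store() constructs the sample files in a temporary directory so the code runs without a real host.

```python
"""Added example, not code from the original post: documents kept outside
public_html, readable only by the web server, and handed out by a script after
a password check.  A minimal WSGI app is the 'script'.  Directory, user,
password and salt are made up; the sample files are constructed by
make_demo_store()."""
import hashlib
import hmac
import io
import os
import tempfile
import urllib.parse

PBKDF2_ROUNDS = 100_000


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; only this value is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def safe_resolve(doc_root: str, requested: str):
    """Map a user-supplied document name to a file inside doc_root.  Returns None
    for anything that escapes it: '../' sequences, absolute paths, symlinks
    pointing outside, or names that are not a regular file."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def private_file_app(doc_root: str, user: str, salt: bytes, password_hash: bytes):
    """Build the WSGI app.  Request: POST with form fields user, password, file."""
    def app(environ, start_response):
        def reply(status, body):
            start_response(status, [("Content-Type", "text/plain")])
            return [body]

        if environ.get("REQUEST_METHOD") != "POST":
            return reply("405 Method Not Allowed", b"POST only\n")
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = urllib.parse.parse_qs(environ["wsgi.input"].read(length).decode())
        field = lambda k: form.get(k, [""])[0]
        # Evaluate both checks before combining so timing does not reveal
        # whether the username alone was right.
        user_ok = hmac.compare_digest(field("user").encode(), user.encode())
        pw_ok = hmac.compare_digest(pbkdf2(field("password"), salt), password_hash)
        if not (user_ok and pw_ok):
            return reply("401 Unauthorized", b"bad credentials\n")
        path = safe_resolve(doc_root, field("file"))
        if path is None:
            return reply("404 Not Found", b"no such document\n")
        with open(path, "rb") as fh:
            data = fh.read()
        start_response("200 OK", [
            ("Content-Type", "application/octet-stream"),
            ("Content-Disposition", f'attachment; filename="{os.path.basename(path)}"'),
        ])
        return [data]
    return app


def call(app, form: dict):
    """Drive the app in-process, no web server needed; returns (status, body)."""
    body = urllib.parse.urlencode(form).encode()
    seen = {}
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], out


def make_demo_store() -> str:
    """Constructed sample data: a temp dir standing in for private_docs with one
    spreadsheet, plus a decoy one level above it that must stay unreachable."""
    parent = tempfile.mkdtemp()
    root = os.path.join(parent, "private_docs")
    os.mkdir(root)
    with open(os.path.join(root, "business.xls"), "wb") as fh:
        fh.write(b"constructed spreadsheet bytes")
    with open(os.path.join(parent, "secret_above.txt"), "wb") as fh:
        fh.write(b"must never be served")
    os.chmod(root, 0o700)   # the 'web unreadable' chmod: only the server's own user
    return root


def demo() -> dict:
    """Exercise the app with a good login, a bad password, and two escape attempts."""
    salt = b"constructed-fixed-salt"        # use secrets.token_bytes(16) for real
    app = private_file_app(make_demo_store(), "nomadic", salt, pbkdf2("mypassword", salt))
    good = {"user": "nomadic", "password": "mypassword"}
    return {
        "good": call(app, {**good, "file": "business.xls"}),
        "wrong_pw": call(app, {**good, "password": "guess", "file": "business.xls"}),
        "traversal": call(app, {**good, "file": "../secret_above.txt"}),
        "absolute": call(app, {**good, "file": "/etc/passwd"}),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:10} {status:22} {body!r}")
```

The escape check is the part most often missed in home-grown download scripts: realpath() flattens any ../ and follows symlinks, and commonpath() then confirms the result is still under the documents folder, so the decoy file one level up comes back as 404 even with correct credentials. Because the files never have a URL of their own, robots.txt and the "obscure folder name" stop mattering; and because the login goes over the same HTTP connection, the internet-cafe sniffing warning in the post above still applies unless the site runs over https.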
 
Thanks for that awesome reply AlmostBob, I was hoping you'd drop by because I knew you were very IT savvy with this sort of thing, plus ianvestor has also been very helpful. I'm not very computer savvy and have been reading your instructions a few times trying to understand it! After a while I hope I have the gist of it, but a few questions to clarify please......

If I take the hidden folder out of the "public_html" tree, where do I put it? Or are you saying to delete it? To help my understanding, please confirm that I:

- move the hidden folder up a level to the root, as spiders generally don't look outside the "public_html" folder. Therefore it's better to have the folder somewhere where the search engine spiders generally don't look.
- also move the cgi-bin folder up a level to the root level.

I only need to use <a onclick="window.open(href, target, features)"> if I want the spiders to find a file outside of the "public_html" folder? So then I don't need to use it?

[1] Chmod the folder and the files to be web-unreadable, and have a password-protected script to access the folder; the PHP or ASP processor runs on the server, so it can access web-locked files.
[2] Encrypt the .pdf, .xls or .doc files with a different password.
[3] Set robots.txt to ignore the folder.
[4] Set .htaccess to deny from all.
[5] Create .htpasswd with one of the password utility programs, so that the password and username are not in clear text.

Sorry, I'm not quite sure what you mean here. Although it sounds similar to ianvestor's plan to use those .htaccess and .htpasswd files and it makes sense, I'm not sure how I'd go about it. I don't really understand this stuff, so I will copy & paste your reply to a friend who may understand and can explain it better to me... it's very hard with written instructions with too much back & forth.

Anyway, it sounds like it's not the best idea and potentially not very secure (yes, I would be using the internet cafe's PCs, not my own laptop), plus a major hassle to set up. I think I can achieve the same thing by using the email method and emailing files to myself for saving and editing. I can also put the files I email myself in a password-protected zip file for extra security... but it's not like someone will go to that much effort.
 
Thanks for that awesome reply AlmostBob, I was hoping you'd drop by because I knew you were very IT savvy with this sort of thing, plus ianvestor has also been very helpful. I'm not very computer savvy and have been reading your instructions a few times trying to understand it! After a while I hope I have the gist of it, but a few questions to clarify please......

If I take the hidden folder out of the "public_html" tree, where do I put it? Or are you saying to delete it? To help my understanding, please confirm that I:

- move the hidden folder up a level to the root, as spiders generally don't look outside the "public_html" folder. Therefore it's better to have the folder somewhere where the search engine spiders generally don't look.
- also move the cgi-bin folder up a level to the root level.
Yes, that is right for the hidden folder. The location of the cgi-bin folder is set in the Apache config file, and should in almost every case already be outside the HTML tree; there are security issues with a fully accessible cgi-bin folder.
I only need to use <a onclick="window.open(href, target, features)"> if I want the spiders to find a file outside of the "public_html" folder? So then I don't need to use it?
A regular [url='url'] text [/url] link will be followed by the spiders, even if it leads outside of the web tree, because the href is set. Well-behaved spiders will not follow links excluded by .htaccess or robots.txt files; not all are well behaved, and some are deliberately malicious.
The onclick event (HTML 4.0 'common scripting events') is widely supported and, because it is usually used to fire off a JavaScript, VBScript or other script page, is not usually tracked by robots. So you can place, for example, an image/logo in the corner of the page that acts as a key to open the hidden page: /images/checker.gif
Sorry, I'm not quite sure what you mean here. Although it sounds similar to ianvestor's plan to use those .htaccess and .htpasswd files and it makes sense, I'm not sure how I'd go about it. I don't really understand this stuff, so I will copy & paste your reply to a friend who may understand and can explain it better to me... it's very hard with written instructions with too much back & forth.

Anyway, it sounds like it's not the best idea and potentially not very secure (yes, I would be using the internet cafe's PCs, not my own laptop), plus a major hassle to set up. I think I can achieve the same thing by using the email method and emailing files to myself for saving and editing. I can also put the files I email myself in a password-protected zip file for extra security... but it's not like someone will go to that much effort.
It is really NOT a good idea, and really NOT a good idea to use the internet cafe PCs to read anything you wish to be secure. Every email you read or send is saved in full on the local drive for as long as the person who configured the PC wants.
 