
Safest way to transfer a document w/ sensitive info to a client online?

Engaged, Apr 24, 2019

This one is a little off-topic but still web-related: I'm looking to transfer scanned copies of sensitive documents via web. So they're images of documents, rather than actual text documents (in other words, without OCR, you can't guess the contents). I'll likely use a PDF shell to bind the JPGs together in order.

First, I thought to do it via my web server this way:

  1. Scan and bind the pages into a PDF file
  2. Zip the resulting PDF file up w/ password protection
  3. Create a directory on my web server w/ password protection via .htaccess
  4. Place the pw-protected ZIP file there for the client to pick up
  5. Delete the ZIP file from the server when pickup is made (appx. 24-48h later)

My thinking was that should someone ever care enough to want to hack their way into this directory, they'll probably succeed (everyone eventually does, right?) but there will be nothing there 90% of the time. And if they should make it through during the 24-48h when something actually will, those docs will be zipped under a 2nd level of pw-protection. While I'm assuming there must be a million tools out there right now to crack open a protected ZIP, I was thinking that it would take a rather extraordinary set of circumstances to lead to an actual document breach.

But am I being naive about that?

A friend of mine working in I.T. sure seems to believe so. Said it's almost impossible to protect anything that's been uploaded to a web server, so he suggested I go with a pw-protected ZIP sent via encrypted email instead. He suggested that the minute I upload anything on my web server, the host will likely already have made its own copy of it (just because they can) and they'll have it long after I delete it from the server. I'm not someone who's ever been very comfortable uploading to clouds when it comes to personal IRL stuff, so I'm pretty easy to scare in this regard.

When I asked if there could be issues with HIS proposed method -- such as the clients not being able to decrypt the email on the other end -- he hesitated. So I'm thinking that solution isn't as viable as he's suggesting it is.

I realize the battle for internet privacy is ongoing and never ending… with new advancements being made on both sides every year... but I'm not looking for 100% full-proof as much as the safest bet at the moment.

Thanks!

Community Expert, Apr 24, 2019

See this article for more ideas.

how-can-i-securely-send-sensitive-tax-docs-to-my-tax-preparer

Nancy O'Shea— Product User, Community Expert & Moderator

Engaged, Apr 24, 2019

https://forums.adobe.com/people/Nancy+OShea wrote:

> See this article for more ideas.
>
> how-can-i-securely-send-sensitive-tax-docs-to-my-tax-preparer

Good to know to avoid email under any circumstance; but I have a question about this part:

> Share your documents using an encrypted file-sharing service. A lot of file-sharing services offer some sort of encrypted transmission for file sharing. One of those is Dropbox.

Is pw-protecting a ZIP file + using Dropbox really all that secure, though? At the very least, would it not be safer to cut the middle-man and deliver the archive via private https link to my own secure website (especially if I will manually delete the only known copy of it on the internet within 48h)? I was originally worried about my web host cloning all its clients' files as they are uploading them (just because they could), but feels like trusting Dropbox would require an even greater leap of faith. (But maybe it's just me.)

LEGEND, Apr 25, 2019

If the recipient uses an email client that works with any encryption protocol (like PGP), and has a public key available in any of the standard PKIs, there is no reason to NOT use email to send documents that contain sensitive information.

And I've never been a fan of online document/file repositories, but most especially DropBox.  There are many documented cases of security vulnerabilities associated with DropBox, and I deleted my account over a year ago because of them.

To be honest, there is no 100% bullet-proof method of transporting digital files that contain sensitive information, short of physically handing them from one person to another (ie, no middle man), but there are ways to make it so difficult for malicious actors that it won't be worth their time/effort.  Just do your research.

V/r,

^ _ ^

Engaged, Apr 25, 2019

WolfShade wrote:

> If the recipient uses an email client that works with any encryption protocol (like PGP), and has a public key available in any of the standard PKIs, there is no reason to NOT use email to send documents that contain sensitive information.

Too many if's, there, I'm afraid. We don't know what specialty tools the end client has available to them or not. So email has been crossed out as an option.

> And I've never been a fan of online document/file repositories, but most especially DropBox. There are many documented cases of security vulnerabilities associated with DropBox, and I deleted my account over a year ago because of them.

Agreed, I'm not sure why anyone would trust a 3rd party over their own secure web server. Still waiting for Nancy to address that part.

> To be honest, there is no 100% bullet-proof method of transporting digital files that contain sensitive information, short of physically handing them from one person to another (ie, no middle man), but there are ways to make it so difficult for malicious actors that it won't be worth their time/effort.

No one asked for 100% bullet-proof. In fact, I went out of my way to specifically state that I wasn't when I wrote "I'm not looking for 100% full-proof" right there in the OP. Do you need me to re-explain what I AM looking for?

> Just do your research.

That's what I thought I was doing here, sport. Don't take this the wrong way, but you'd be more helpful if you actually took the time to read the threads you're responding to.

Probably going to place a pw-protected ZIP on my own secure web server in a htaccess-protected folder, and delete the ZIP within 48h (immediately after pickup confirmation). I don't see how email or dropbox is safer than that, but I'm always open to new arguments.

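Steps 4 and 5 of the plan in the opening post, restated in the reply above (place the archive in the protected folder, delete it within 48h), can be scripted so the deletion does not depend on someone remembering it. This is an added example, not part of any post in the thread; the function names, the random published file name and the SHA-256 digest the client can compare after download are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import os
import secrets
import shutil
import time
from pathlib import Path

# Upper end of the 24-48h pickup window mentioned in the thread.
MAX_AGE_SECONDS = 48 * 3600


def publish(archive: Path, pickup_dir: Path) -> tuple[str, str]:
    """Copy the already-encrypted archive into the pickup directory under an
    unguessable name. Returns (published file name, SHA-256 hex digest)."""
    pickup_dir.mkdir(mode=0o750, parents=True, exist_ok=True)
    name = f"{secrets.token_urlsafe(16)}{archive.suffix}"
    target = pickup_dir / name
    # copyfile() does not preserve the source mtime, so the copy's mtime is
    # the publication time, which is what sweep() measures age from.
    shutil.copyfile(archive, target)
    os.chmod(target, 0o640)
    digest = hashlib.sha256(target.read_bytes()).hexdigest()
    return name, digest


def sweep(pickup_dir: Path, now: float | None = None,
          max_age: int = MAX_AGE_SECONDS) -> list[str]:
    """Delete every published file older than max_age seconds.
    Returns the names that were removed (for an audit log)."""
    now = time.time() if now is None else now
    removed = []
    for entry in sorted(pickup_dir.iterdir()):
        # Leave .htaccess / .htpasswd and any subdirectories alone.
        if entry.name.startswith(".") or not entry.is_file():
            continue
        if now - entry.stat().st_mtime > max_age:
            entry.unlink()
            removed.append(entry.name)
    return removed
```

Running `sweep()` from a scheduled job enforces the window even when no pickup confirmation arrives; deleting by hand right after confirmation still works alongside it.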
LEGEND, Apr 26, 2019

https://forums.adobe.com/people/Under+S. wrote:

> No one asked for 100% bullet-proof. In fact, I went out of my way to specifically state that I wasn't when I wrote "I'm not looking for 100% full-proof" right there in the OP. Do you need me to re-explain what I AM looking for?
>
> > Just do your research.
>
> That's what I thought I was doing here, sport. Don't take this the wrong way, but you'd be more helpful if you actually took the time to read the threads you're responding to.

Okay.. then I just won't offer any suggestions to any questions you ask in the future.  Have fun.

Engaged, Apr 27, 2019

WolfShade wrote:

> Okay.. then I just won't offer any suggestions to any questions you ask in the future. Have fun.

Not sure what you were hoping to accomplish by doubling down on being a jerk when called out for kinda acting like one (dishing out bad advice after only half-reading the OP) but if you tell me this is the last I'm going to read from you, then consider us both relieved.

And that goes for Osgood too for co-signing your pettiness.

Community Expert, Apr 27, 2019

Sorry to see the topic degenerating. Time to lock.

Wappler, the only real Dreamweaver alternative.
