
Security Concept re: SuperContainer links


This topic is 4551 days old. Please don't post here. Open a new topic instead.


Hello all,

I want to use SuperContainer along with Instant Web Publishing and am concerned about the security of the data hosted on SuperContainer. My initial plan is that an email will go out to a remote IWP user alerting them to log in and look at a file. The user would then navigate to our public website, log in via a standard FileMaker account through IWP, and be able to view a few records with SuperContainer web viewers showing the files we have uploaded for them.

However, the data that would be hosted on SuperContainer is highly confidential stuff. Could anyone talk to me in general about why SuperContainer is safe or unsafe for this purpose? We are using SuperContainer hosting from the mothership... aka 360Works ... and it has been working great so far.

My understanding is that ANYONE with the exact SuperContainer reference link can access the file. So, I've built my SuperContainer references/links with huge long random strings (using UUID function), so no one would be able to guess another file's directory. This seems to add a layer of security that would be very hard to get around.

However, this still makes me nervous! Again, anyone with that link -- even if they don't log in to FM IWP -- is able to get at the file. It makes me nervous that somehow Google or another search engine could somehow find it and we would be in big trouble. Is there any additional layer of security I could use with SuperContainer that I am overlooking?

(The login/pass system used by SuperContainer seems like it would be an option, but since I would have to be using the same login/pass for all accounts, I don't see how this is any more secure than just having VERY random links...)

Thank you, thank you, thank you in advance!

-Stephen


I think this is an issue you and I spoke about on the phone a few minutes ago, but I'll cover what we talked about in brief here for other users' benefit.

1) Use a UUID, which essentially works as a password to access each individual file.

They can actually be more secure than using a simple organization system and a single username and password that you give to all users, since using a UUID is like using a different username and password for every file. Users can't access the records unless they know the "key" (the UUID in this case), similar to how they wouldn't be able to access it without a username and password. Like a username and password, you are giving it to them because you trust them with the information. Once they know the information to access the file, they can access it, and there isn't much of a way to stop them from accessing it again without changing the information, similar to giving someone a username and password to your FileMaker database. It's valid and they can come back and access it again until you change their "key."

2) You can deploy SuperContainer with Tomcat and use an Open Directory or Active Directory authentication server, which you could use as external authentication for both SuperContainer and FileMaker Server.
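
An added example, not part of the thread and not 360Works or FileMaker code: because the UUID is the only thing protecting each file, this Python check confirms that the UUID in a link is a random version-4 value rather than a time-based or name-based one, and builds a replacement link when a key has to be changed. The host name, path layout, sample UUIDs and function names are constructed for illustration.

```python
import uuid

# Constructed sample links; the host and path layout are assumptions.
BASE = "https://files.example.com/SuperContainer/Files"
SAMPLE_LINKS = [
    BASE + "/6ba7b810-9dad-11d1-80b4-00c04fd430c8/report.pdf",  # version 1
    BASE + "/f47ac10b-58cc-4372-a567-0e02b2c3d479/report.pdf",  # version 4
    BASE + "/client-0042/report.pdf",                           # no UUID
]

# Unpredictable bits per UUID version. Only version 4 is random: version 1
# encodes a timestamp and node id, versions 3 and 5 are hashes of a name.
RANDOM_BITS = {4: 122}


def audit_link(url):
    """Rate the UUID path segment of a link as an access key."""
    path = url.split("?", 1)[0]
    for segment in path.split("/"):
        try:
            token = uuid.UUID(segment)
        except ValueError:
            continue  # not a UUID, keep scanning
        bits = RANDOM_BITS.get(token.version, 0)
        return {"uuid": str(token), "version": token.version,
                "random_bits": bits, "usable_as_key": bits > 0}
    return {"uuid": None, "version": None,
            "random_bits": 0, "usable_as_key": False}


def weak_links(urls):
    """Return the links whose key could be predicted or is missing."""
    return [u for u in urls if not audit_link(u)["usable_as_key"]]


def reissue_link(base, filename):
    """Build a replacement link with a fresh random key (uuid4 uses os.urandom)."""
    return f"{base.rstrip('/')}/{uuid.uuid4()}/{filename}"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(audit_link(link))
    print(reissue_link(BASE, "report.pdf"))
```

A reissued link only cuts off the old one once the file is no longer stored under the old UUID.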


  • 6 months later...

What about software that claims it can download a whole website to a drive? HTTrack (www.httrack.com), for example. I tested it by trying to download our SSL-secured FMS, pointing it directly at https://ourdomain.com/SuperContainer/Files, and it downloaded some things like index.html, the images folder, the hts-cache folder, supercontainer.js, etc., but not the actual RAW file.

What is the reason it didn't download the RAW files? Could it be that such software relies on parts of the website that have links to specific files? In other words, files or paths that are not linked somewhere on the website (html?) will not be included in the download?

Thank you in advance


  • 4 weeks later...

SuperContainer is not navigable like a regular website is, which is why I'm guessing the downloader was not able to get your documents.

Also, SSL just means that your traffic is encrypted and can't be easily intercepted/decoded by a packet sniffer. SSL does not affect access to any files or pages on a website.


> SuperContainer is not navigable like a regular website is, which is why I'm guessing the downloader was not able to get your documents.
>
> Also, SSL just means that your traffic is encrypted and can't be easily intercepted/decoded by a packet sniffer. SSL does not affect access to any files or pages on a website.

Thank you!!
