  1. #1 mcd

    How secure is a PDF online?

    A customer I work with just posted a tax form online for me to access. Better late than never, I guess. Anyway, the form is a PDF and it's just in a random directory on their website. I don't have to log in to access it, there's no https (just http) in the URL, and while the PDF file name is a random jumble of letters and numbers, this still seems sort of less than secure to me. All I had to do to access the form was click a link in an email. It linked straight to the PDF.

    Before I bring it up with the customer, am I right in my concern? They have potentially thousands of these forms online in the same way, complete with people's SSNs, names, addresses, etc.

  2. #2 ralph.m
    As soon as there's a link to the file somewhere, there's the potential that Google will pick it up, especially if the email has something to do with GMail. I've seen people get a big shock with this sort of thing: sensitive data found by Google and indexed. You can't really trust people not to share a link to a file. It just happens, so chances are those PDFs will find their way into the Google index, if they haven't already.

    You can do a few things, like prevent search engines from linking directly to .pdf files, but still, it's not a real solution.

  3. #3 Mittineague
    There's a saying something like "security through obscurity is no security".

    IMHO it would be wise to not even touch others' personal information. But if he must, then several layers of security should be used.

    Maybe better on his own machine and sent as attachments, but if online, at least keep the files outside of the web root
    One or more name/password protections in place
    Put the files up as late as possible and take them down as soon as possible

    Edit:

    If he's a hard sell, ask how happy he'd be if his financial institution's website didn't use https and anyone could access his information.
    Ask if he's prepared to be sued for not taking "due diligence" in the event of identity theft.
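The two replies above describe the same fix from two angles: ralph.m's point that a bare link gets indexed, and Mittineague's layers (files outside the web root, a name/password check, and nothing served to anyone who isn't entitled to it). The script below is an added example, not code from the thread or from any product, showing how those layers fit together in a small standard-library gatekeeper. The store path `/srv/private/forms`, the sample account `alice` and the form name `a1b2c3.pdf` are constructed for illustration; the `X-Robots-Tag: noindex` header is the mechanism search engines honour for "don't index this", which a `robots.txt` rule alone does not guarantee once a URL is linked elsewhere.

```python
"""Gatekeeper for sensitive PDFs (added example, not from the original thread).

Layers: the files live outside the web root, every request must carry valid
credentials, each user may only fetch the forms assigned to them, and every
response tells crawlers not to index it.  Standard library only.
"""
import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Hypothetical directory for the forms; NOT under the document root, so the
# web server cannot hand a file out just because someone guessed its URL.
STORE = Path("/srv/private/forms")

PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (store hashes, never passwords)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample account: username -> (salt, hash).
_ALICE_SALT = bytes.fromhex("8f2b6c1d4e9a7f30c5d2b1a4e6f7c8d9")
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery", _ALICE_SALT))}
# Dummy credentials used for unknown users so that rejecting them costs the
# same time as rejecting a bad password for a known user.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)

# Authorization, not just authentication: which forms each user may download.
ALLOWED = {"alice": {"a1b2c3.pdf"}}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (used by clients/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header):
    """Return the username if the Authorization header is valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    salt, expected = USERS.get(user, _DUMMY)
    # Constant-time comparison; always hash so timing does not reveal valid users.
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return user if ok and user in USERS else None


def resolve_form(url_path: str, store: Path = STORE):
    """Map a request path to a .pdf directly under `store`; reject traversal."""
    name = unquote(urlsplit(url_path).path).lstrip("/")
    if not name or "/" in name or "\\" in name:
        return None
    target = (store / name).resolve()
    if target.suffix.lower() != ".pdf" or store.resolve() not in target.parents:
        return None
    return target


def may_download(user: str, filename: str) -> bool:
    """True only if this user has been granted this specific form."""
    return filename in ALLOWED.get(user, set())


class FormHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        user = check_basic_auth(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="forms"')
            self.end_headers()
            return
        target = resolve_form(self.path)
        # Same 404 for "no such file" and "not yours": do not confirm what exists.
        if target is None or not may_download(user, target.name) or not target.is_file():
            self.send_error(404)
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/pdf")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("X-Robots-Tag", "noindex, nofollow")  # keep crawlers out
        self.send_header("Cache-Control", "no-store")           # no shared-cache copies
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Basic auth sends the password on every request: run this behind a
    # TLS-terminating reverse proxy (https), never on plain http.
    HTTPServer(("127.0.0.1", 8080), FormHandler).serve_forever()
```

The gatekeeper deliberately answers 404 for both a missing file and a file that belongs to someone else, and it still relies on https being in front of it; the random filename is kept only as a weak extra, not as the access control.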

  4. #4 mcd
    Thanks for the info, guys. I was afraid that my suspicions about the security of these forms were right.

    Hopefully I can get the customer to take some action in securing these before they have a data breach.
