Sending Passwords and Other Info Securely
You know it's not at all secure to send passwords and other confidential information by email. Yet, sometimes it may seem you have no choice.
A person might think that doing it just once won't hurt, that it's a small enough chance to take. Later, there's another situation where it seems warranted. And then once more…
The thing is, even that first email might have been intercepted. You just won't know about it until, perhaps, you or your client suffers a break-in.
If you have access to the Sensitive Information Transfer Service, which is a WebSite's Secret offering, it's easy to provide confidential information to others.
If you don't have that available, the PHP-page method described in this article may help. It lets the information be loaded into a browser once, and that's it: once it has been loaded, it's gone from the server.
The PHP page can help transfer confidential information to others in a way that's more secure than using email, provided these two things are true:
- The PHP page deletes itself. (I'll show you how to test for this and, if it doesn't delete itself, what to change so that it does.)
- The PHP page is used only on a secure server: a TLS (SSL) certificate installed for the domain, and the page reached only through https://... URLs.
How it Works
The PHP page is loaded into the browser to view the message. (A secure https:// URL is used so the data is encrypted in transit between server and browser; the same content fetched over plain http:// would cross the network readable to anyone on the path.)
As the page is loaded, the PHP code on its last line deletes the file from the server.
The page can't be loaded a second time because the page no longer exists.
The Code
The PHP page consists of two or more lines.
One of the lines, the last line in the PHP page, is a line of PHP code. The rest of the lines are composed of the information to be transferred securely.
Here is an example.
INFORMATION HERE
<?php unlink($_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF']); ?>
Replace INFORMATION HERE with the content to deliver to the browser.
The last line of the above code is intended to delete the PHP page from the server when it's accessed with a browser over HTTPS. Be aware that any request deletes it: a plain http:// request would deliver the content unencrypted and still remove the file, and an automated fetch by a search-engine crawler, by an email or chat client generating a link preview, or by a URL-scanning security product would consume the page before the intended person ever sees it. See the Testing section of this article for testing that it actually does get deleted. (The expression $_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF'] reconstructs the script's path from request data; PHP's __FILE__ constant gives the actual path of the running script and is the more robust choice.)
The lines above the last line can be anything a web page can contain, including images and videos. Use HTML markup as appropriate.
Here's another example.
<p> Hi, here's the image. </p>
<img src="https://example.com/image.jpg">
<?php unlink($_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF']); ?>
Upload the PHP page to your server and make a note of its URL.
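The two examples above send the content to the browser first and delete the file afterwards, so if the deletion fails (or the request arrives over plain HTTP) the secret is still shown. Here is a hardened version of the same idea, added as an example and not the article's own code: it refuses plain HTTP, sends caching and robots headers, deletes itself before emitting anything, and only prints the secret once the file is confirmed gone. It assumes the web server account can write to the directory holding the file, and that TLS terminates at this server so $_SERVER['HTTPS'] is set; the login details in it are a constructed placeholder.

```php
<?php
// Added example (not the article's own code): a "view once" page that refuses
// plain HTTP, deletes itself BEFORE sending anything, and only then prints the
// secret.
// Assumption: the web server account has write permission on this file's
// directory. unlink() removes a directory entry, so the directory's
// permissions, not the file's mode bits, decide whether deletion works.
// Assumption: TLS terminates at this server, so $_SERVER['HTTPS'] is set.
// Behind a TLS-terminating proxy you would check the proxy's forwarded-proto
// header instead.

declare(strict_types=1);

// The confidential content is kept inside PHP so nothing reaches the client
// until every check below has passed. Constructed placeholder values.
$secret = <<<'HTML'
<p>Hi, here is the login you asked for.</p>
<p>User: <code>demo-user</code><br>Password: <code>CONSTRUCTED-EXAMPLE-ONLY</code></p>
HTML;

header('Content-Type: text/html; charset=utf-8');
// Tell browsers, proxies and crawlers not to keep or index a copy.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('X-Robots-Tag: noindex, nofollow');

// 1. Never deliver (or consume) the secret over plaintext HTTP.
$isHttps = (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? '') === '443');
if (!$isHttps) {
    http_response_code(403);
    exit('<p>This page is only available over https://. Nothing was shown and the page is still on the server.</p>');
}

// 2. Delete first, deliver second. __FILE__ is the resolved path of this
//    script, more reliable than DOCUMENT_ROOT . PHP_SELF (PHP_SELF can carry
//    extra path info, and server aliases can make the two differ).
//    PHP has already compiled this whole file into memory, so the code after
//    unlink() still runs once the file is gone.
if (!@unlink(__FILE__)) {
    http_response_code(500);
    exit('<p>Could not delete this page, so the information was NOT shown. '
       . 'The web server needs write permission on '
       . htmlspecialchars(__DIR__, ENT_QUOTES, 'UTF-8') . '.</p>');
}

// 3. Confirm the directory entry really is gone before revealing anything.
clearstatcache(true, __FILE__);
if (file_exists(__FILE__)) {
    http_response_code(500);
    exit('<p>Deletion did not take effect; the information was NOT shown.</p>');
}

// 4. Only now send the secret.
echo "<!doctype html>\n<html><head><title>One-time message</title></head><body>\n";
echo $secret;
echo "\n<p><em>This page has now been deleted from the server and cannot be loaded again.</em></p>\n";
echo "</body></html>\n";
```

Upload it under a long random file name (an unguessable URL is the only thing standing between the secret and anyone else on the internet while the file waits to be read). One limit to keep in mind: two requests arriving at almost the same moment can both be compiled before the first unlink() completes, so both would see the content; strict once-only delivery would need the requests serialized, for example with a lock file and flock(), which this example does not do.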
Testing
To test whether PHP pages containing the last line of code from the above examples really delete themselves when accessed, type the PHP page URL into your browser.
When you do that, the content above the PHP code on the last line of the PHP page is sent to your browser.
Try reloading the page. If you get a 404, the page was deleted. Otherwise, it was not.
If the PHP page didn't self-delete, the usual cause is that the account the web server runs as isn't allowed to remove files from that directory. unlink() removes a directory entry, so it's the directory's write permission that matters, not the file's own permissions; setting the file itself to 777 changes nothing here, and it makes the secret readable by every other account on a shared server. To test:
- Give the directory containing the PHP page write permission for the web server account (ask your host which account that is). If your host leaves you no choice but world-writable (777), understand that any other account on that machine can then plant or replace files in that directory.
- Upload a fresh copy of the PHP page and load it with your browser.
- Reload the page.
If you got a 404 at the last step, you now know that the directory holding your PHP pages needs to be writable by the web server so the pages can delete themselves when accessed. Otherwise, if the PHP page won't load even once, or if it reloaded successfully the second time, this system won't work on your server.
When the test is passed, you know you can use this system to transfer confidential data to others.
Important Caveats
If you provide the PHP page URL to someone via email or another interceptable medium, urge the person to use the URL as soon as possible. The longer the file sits on the server, the longer the information is exposed.
While the file sits on the server, the information in it is protected only by the secrecy of its URL and by whatever file permissions the server enforces; anyone who learns the URL, or who can read the web directory, can take it.
Use a different, unguessable PHP page file name for every use (a long random string, for example). Previously used URLs may have been intercepted or otherwise compromised, and a predictable name could be guessed and fetched by someone else first.
Don't view the PHP page yourself if it's intended for someone else; your viewing will delete it. If you must check whether the file still exists, do so with SFTP or other server file-listing software, never by requesting the URL.
Using It
The PHP page "view once and self-delete" method can be used to transfer information in a more secure manner than using email or other unsecure methods.
Create the PHP page, upload it to your server, and give the HTTPS URL of the page to the intended recipient. When they access the page, the PHP deletion code runs to delete the file.
(This article first appeared in Possibilities newsletter.)
Will Bontrager