Data security issues

The fluff service has been designed to ensure the security of the user's password, and to make it difficult for an attacker to guess the URLs of files available for download.

However, like email, FTP and network file access to NT and Unix file servers, this service is not suitable for the transfer of confidential information unless additional steps have been taken to encrypt it first. Please visit the University's Information Security site for more information.

While the generation of random URLs makes it very difficult to guess a valid URL, this does not prevent the email message containing the URL from being intercepted. Again, the use of encrypted email works around this problem.

Information about the specific security decisions involved in the current version of fluff appears below. Most of these decisions were taken on the basis that this service is intended as an alternative to sending files by email, and that it was sufficient to provide something no less secure. The contents of an unencrypted email should be considered no more confidential than correspondence written on the back of a postcard.

The "log in" button transfers you to a secure (https) server on another system which validates your username and password, and (behind the scenes) issues a "token" which proves that you have been authenticated and the time that the authentication took place. The token is then passed back to the original server, again using https. (The use of https guarantees that the information transmitted is encrypted; this protects your username and password, and also the authentication token).

The token expires after 10 minutes. This effectively logs you out of fluff. (But note that the username/password check is done via the central SSO (Single Sign-On) service, which remembers that you are logged on for several hours. You need to log out of the SSO system to prevent being logged back on to fluff by just clicking on the logon link.)

The file upload takes place over an https connection. Again, this encrypts the data in transit.

The uploaded file is stored unencrypted on the web server. However, only a small number of system administrators have access to read the files on that system. (If what you are uploading includes sensitive or personal data, you must encrypt it before uploading it to fluff.)

The URL that is generated is random. This protects users from a brute-force attempt to guess the URLs of the files. Directory indexing is switched off so that users cannot simply look at the list of directories available via the web.
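As an added illustration of the two mechanisms described above (a token that proves who authenticated and when, expiring after 10 minutes, and an unguessable random download URL), the following sketch is not fluff's own code: it assumes a hypothetical shared HMAC key between the SSO server and the fluff server, a constructed "username:timestamp:mac" token layout, and a "/d/" download path prefix.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_LIFETIME = 10 * 60  # the page states the token expires after 10 minutes
CLOCK_SKEW = 60           # assumed tolerance for clock drift between the two servers


def issue_token(username: str, key: bytes, now: Optional[float] = None) -> str:
    """SSO side (hypothetical): bind the username and the authentication time
    together with an HMAC so the fluff server can trust both values."""
    ts = int(now if now is not None else time.time())
    payload = f"{username}:{ts}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """fluff side (hypothetical): return the username if the MAC is valid and
    the authentication happened within the last 10 minutes, else None."""
    try:
        username, ts_str, mac = token.rsplit(":", 2)  # username may itself contain ':'
        ts = int(ts_str)
    except ValueError:
        return None
    expected = hmac.new(key, f"{username}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    current = now if now is not None else time.time()
    if current - ts > TOKEN_LIFETIME or ts > current + CLOCK_SKEW:
        return None  # expired, or timestamp implausibly in the future
    return username


def new_download_path() -> str:
    """Unguessable download path: 256 bits from the OS CSPRNG, URL-safe encoded.
    Brute-forcing such a path is infeasible, which is the point of the random URL."""
    return "/d/" + secrets.token_urlsafe(32)
```

The `now` parameters exist only so the expiry window can be exercised deterministically; in real use both sides read the clock.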

The URL returned to users is an https URL. This means that the download is performed over an encrypted channel.

The mail message that is sent with the download URL is sent in plain text. Fluff can send this message in encrypted format, using either PGP or S/MIME encryption. Setting this up currently requires intervention by the fluff administrator. If you wish to set this up, please mail the administrator.