Private pages needing login on own website

We’re leaving soon on a month-long trip. My business website is hosted with 1and1.com, and I have 100 GBs of space to use (i.e. more than enough). I want to scan important documents and credit card numbers and sundry, and have it all on the site, accessible by links from an HTML page on my site that requires a login and offers a logout.

How do I do this? I’m very slightly handy when it comes to this stuff, but still, can anyone explain it to me like I’m a five-year-old?

EDIT: Specifically, I want to have the logout function so that if I access this page on a computer in an internet cafe no one can come along behind me and see or access what I was looking at.

I’d like to know this too!

Don’t do that unless you really know how. At a bare minimum you would need to be using secure HTTP, which means paying 1and1 more money, paying Verisign for an SSL certificate, and huge amounts of messing around.

The simple approaches like basic auth folders are fine for data you can afford to lose, but not for credit card numbers and the like.

Look into paying for a professional data vault with a web interface - Google can suggest a bunch.

  • Brendon, who stores all his important data in gmail

PS. You should assume that any internet cafe you go into is A. logging and spying on all your network traffic, and B. logging your keyboard strokes (and possibly monitor!). Paranoia is sensible here if you have valuable data. Perhaps you should just take your own laptop with a big disk?

No idea, perhaps you could just email the information to yourself? Your email has login etc.~

.htaccess

.htaccess is not sufficient here. It doesn’t protect data on the wire, it provides no security against local intruders, and it is useless as soon as you type a password into a machine running a keylogger (e.g., at an internet cafe).

What kind of local intruder do you worry about
and the one million NT$ question
what kind of log in offers protection against a keylogger

Someone with shell access to the server.

[quote]and the one million NT$ question
what kind of log in offers protection against a keylogger[/quote]

When I log onto my internet banking site, it asks for three digits chosen from my security number, so that I never give away the whole number, and recording the three I give won’t work next time (unless it asks for the same ones, which is very unlikely).

There are other approaches where you use the mouse to identify yourself, or for real paranoids you can carry around a USB dongle with a private key on it. But the simplest and most effective solution is still to just take your own laptop and store data on there.
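The "three digits from my security number" login described above, sketched as an added example (not from any poster in this thread and not any bank's actual code). The six-digit length, the sample number and all function names are assumptions; the last function measures how much a machine that records your logins learns each time.

```python
import hmac
import secrets
from itertools import combinations

SECURITY_NUMBER = "493817"  # constructed sample secret; six digits is an assumption
_rng = secrets.SystemRandom()

def new_challenge(length=len(SECURITY_NUMBER), k=3):
    """Server side: choose k distinct positions (0-based) to ask for."""
    return tuple(sorted(_rng.sample(range(length), k)))

def verify(challenge, answer, secret=SECURITY_NUMBER):
    """Compare the supplied digits with the challenged positions.
    The server must keep the number in a recoverable form to do this."""
    expected = "".join(secret[i] for i in challenge)
    return hmac.compare_digest(expected.encode(), answer.encode())

def replay_success_rate(observed_logins, length=6, k=3):
    """Fraction of all possible challenges that can be answered in full
    from recorded (challenge, answer) pairs alone."""
    known = {}
    for challenge, answer in observed_logins:
        known.update(zip(challenge, answer))
    all_challenges = list(combinations(range(length), k))
    answerable = [c for c in all_challenges if all(i in known for i in c)]
    return len(answerable) / len(all_challenges)

if __name__ == "__main__":
    first = ((0, 2, 4), "431")    # constructed: one login on a logged machine
    second = ((1, 2, 5), "937")   # constructed: a second recorded login
    print(verify(*first))                        # True
    print(replay_success_rate([first]))          # 0.05
    print(replay_success_rate([first, second]))  # 0.5
```

With these assumptions a single recorded login answers 1 challenge in 20, but a second one can already answer half of them, so the protection wears off quickly if the same number is used repeatedly on logged machines.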

[quote=“Brendon”]Don’t do that unless you really know how. At a bare minimum you would need to be using secure HTTP, which means paying 1and1 more money, paying Verisign for an SSL certificate, and huge amounts of messing around.

The simple approaches like basic auth folders are fine for data you can afford to lose, but not for credit card numbers and the like.[/quote]

Solid advice.

I recommend using Gmail’s documents feature. Then, you can allow chosen others to view and/or edit them as you wish. It’s a good system, and probably totally secure.

I’d memorize the credit card numbers (or hide them among lots of other numbers) and upload the rest of the stuff (like passport copies, which are not that terribly secret) to a protected directory. With 1and1, you don’t have to write the htaccess file yourself, just set it up through the admin panel (click here for the FAQ). Many accounts also include a free SSL certificate (check your admin panel). This solution doesn’t give you an option to log out, though, and you’ll have to close the browser instead.

Thanks to everybody who responded for all of the great advice. Regarding this one:

I already know how to do this, and indeed have done it. But after you close the browser, couldn’t someone come along and get back in to the (ostensibly) private page you were on?

But the whole point of doing this is if our credit cards and everything get stolen. If that happened, the laptop with our private info would get stolen at the same time. I’m envisioning a worst case scenario where everything’s gone, after which we walk in to an internet cafe, access a private HTML page with vital info on it, print it out, and proceed to make a bunch of phone calls cancelling cards, etc.

I’m playing around with Google documents right now. So how secure is this feature in an internet cafe? Once you logout, can nobody else access it?

[quote=“porcelainprincess”]Thanks to everybody who responded for all of the great advice. Regarding this one:

I already know how to do this, and indeed have done it. But after you close the browser, couldn’t someone come along and get back in to the (ostensibly) private page you were on?[/quote]

No. Username and password are only stored temporarily (to allow access to further protected pages without having to ask you for the credentials again) and are deleted as soon as you close the browser (unless you specifically instruct it to remember them, which in any case should not be an option on a well-configured PC in an internet cafe). Just try it for yourself.

Quite frankly, since what you want is a backup you’ll only access once in case of an emergency, I think there’s no need to worry about keylogging and two-factor-authorization and stuff like that. A protected directory with a unique username and password sounds like a perfectly good idea to me (you don’t really have to link to it from your homepage). 1and1 is a reputable company, their data center is top notch, they performed very well on all security tests I read and anyhow, if their admins really wanted to steal sensitive customer data they could surely find more interesting stuff than your CC numbers. :wink:

Ah, so the key here is that you definitely need to close the browser. Right? Because if you don’t, then the pages are easily accessed once again.

Erm…right?

Cause the thing is, I did an experiment just now. I copied the URL of the “secret page” that I accessed behind my username and password, opened up a new instance of Firefox, pasted the URL in the address bar, and voila–the page with all my private info was there for all to see.

EDIT: Having said that, that particular page did NOT turn up in a web page history search on the browser. So that does indeed suggest security.

[quote]Ah, so the key here is that you definitely need to close the browser. Right? Because if you don’t, then the pages are easily accessed once again.

Erm…right?[/quote]

Yes. You have to terminate the entire application (browser), not just close a tab or a window. You can use the Windows task manager (Ctrl-Alt-Del) to check if there’s still a browser window open. If you restart the browser and go to your “secret page” again, it should definitely ask for authentication (if not, you didn’t close all browser windows).
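For contrast with the behaviour described above, where the browser keeps re-sending the Basic auth password until it is closed and the server has nothing to revoke, here is what a real logout needs on the server side. This is an added example, not from any poster in this thread; the class name, the 300-second idle timeout and the assumption that the password was already checked before `login()` is called are all illustrative.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value suited to a shared computer

class SessionStore:
    """Server-side sessions: the browser only ever holds a random token."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # sha256(token) -> (user, last_seen)
        self._clock = clock

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked session table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Call only after the password has been verified (assumed here)."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, self._clock())
        return token  # send as a cookie with Secure and HttpOnly, no Expires

    def user_for(self, token):
        """Return the user for a live session, or None if unknown or idle."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._sessions[key]   # walked away without logging out
            return None
        self._sessions[key] = (user, self._clock())
        return user

    def logout(self, token):
        """Forget the session; the token is dead even if the browser stays open."""
        self._sessions.pop(self._key(token), None)
```

After `logout()`, pasting the private URL into another window of the same browser gets the login form again, because the cookie it sends no longer matches anything on the server.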

[quote]But the whole point of doing this is if our credit cards and everything get stolen. If that happened, the laptop with our private info would get stolen at the same time. I’m envisioning a worst case scenario where everything’s gone, after which we walk in to an internet cafe, access a private HTML page with vital info on it, print it out, and proceed to make a bunch of phone calls cancelling cards, etc.[/quote]

Oh, these are your credit card numbers? I assumed they were customers’ or such. Okay. In that case you don’t have the same responsibility to be ludicrously paranoid. Just send them to yourself in an email :wink:

If you really think .htaccess is not secure enough, be my guest…

zu-faul.de

Warning, this is a poor man’s low-tech solution, but, hey, it’s easy:

Assuming you have a Web interface to upload files to your Web space, why not just put your documents into a password-protected ZIP file named something like scanned_student_grammar_quizs_2003.zip?

Or just email the ZIP file to yourself.

And if you’re worried about key loggers, could you not just use a virtual keyboard to enter the password?

Not very elegant or tech savvy, but it still would probably dissuade 99.9% of people from bothering.

Breaking into a password-protected zip file takes about ten minutes, with software easily available on the web. I know because I’ve had to do it a few times with zips I locked up myself and then forgot the password to :wink:

The virtual keyboard idea is a sound one, though.