HTTPS file sharing - Does anyone else not think it's secure enough?

Question

I've been working internally to move to HTTPS file sharing (vs AFP) for software deployment. We've had discussions with JAMF in the past around security for package deployment, and it looks like there's not been much change from the JAMF side (as confirmed by support). From a security perspective, our InfoSec aligns with the financial industries. Is there anyone out there in heavily regulated/secured industries that has enabled HTTPS file sharing? the only option according to JAMF is basic auth for security and that's a big no-no around here.

From our POV, the flags are:

Basic Auth versus more complex authentication (JAMF Support says that machine cert auth used to be an option but is now deprecated)
Exposure of packages to a "guessable" url (https://myjss.jssmy.com:8443/Pakage/FreeSoftware)

TIA

From our POV, the flags are:

Basic Auth versus more complex authentication (JAMF Support says that machine cert auth used to be an option but is now deprecated)
Exposure of packages to a "guessable" url (https://myjss.jssmy.com:8443/Pakage/FreeSoftware)

TIA

Asnyder · Answer

I have directory browsing turned off with password authentication turned on for my server. So if someone visits https://myjss.myjss.com they get a login prompt. Because it is https the credentials are encrypted vs plain text. For me, this is enough. At the end of the day your url isn't "guessable" at all. It's very public. Do a DNS lookup on yourself and you'll see all your domains/subdomains along with open ports.

https://dnsdumpster.com/

At the end of the day, you can never 100% stop a breach. You can only deter someone enough to stop them from trying.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded