Wednesday, May 23, 2007

Sharing files politely and securely

In my last post, I recommended Filezilla FTP server on top of Hamachi as a means of making your files accessible to your friends.

Filezilla is, indeed, great. But if your friends are mere mortals and not ubergeeks, they will resist installing Hamachi and Filezilla. They will frown at you when you call them computer lightweights.

There is a much better (and free) solution for working with them: HFS and Stunnel.

The great thing about this solution is that it doesn't require your friends to install any software. It makes your files accessible to them by means of their web browser. This means it's easy to share your files with your Mac friends too.

Before we go any further, you might ask: what's wrong with using email to share files?

  1. Email isn't normally encrypted.
  2. Email requires an e-mailbox -- a server which accepts incoming email. You might not want your files to sit on a third party's server, and you might not want to clog up your friend's mailbox with them.

With HFS and stunnel, you get a direct, secure connection between machines, and it's also trivial for your friends to use. They don't need to learn any new software (you do, though).

There are two disadvantages to this method:

  1. Your machine must be on for them to get your files.
  2. If your upstream bandwidth is limited, then it will take them longer than they'd normally expect to download the files from you.

A third-party server solves both of these problems, at the expense of security, as long as it has room to store your files. But every such server has space limits. Try to share a 100MB file through one and you'll see the problem. With HFS and Stunnel the server is your own machine, so the only limit is your disk.

You get HFS here:

http://www.rejetto.com/hfs/

You get stunnel here:

http://www.stunnel.org/

Stunnel is the harder of these programs to set up, so I'll describe it first.

Stunnel allows servers (HFS is a server) to speak SSL (Secure Sockets Layer) even if they weren't written to do so.

All web browsers (clients) can speak SSL. SSL encrypts the connection and lets the browser check who it is talking to. Whenever you buy anything over the internet using a credit card, you are almost certainly communicating over SSL. The little padlock icon in your browser means "this connection is encrypted, and the server's certificate checked out".

Stunnel is an intermediary between the internet and any server you might want to run. It accepts encrypted SSL connections from the internet, and for each one it opens a plain, unencrypted connection to a server on your machine. Your server has no idea that its traffic is travelling over SSL; it just talks to Stunnel, and Stunnel talks SSL to the client on the internet, encrypting and decrypting as it goes. The unencrypted hop between Stunnel and your server never leaves your own machine, which is why it is safe.

First, install Stunnel by running its installer application. Take note of where Stunnel gets installed to (probably c:\program files\stunnel).

To make stunnel work, you need to do two things. You need to edit stunnel.conf (which is in the stunnel install folder), and you need to create your own, personal, individual version of stunnel.pem (more on this later).

Here's what my stunnel.conf looks like:

    ; Certificate and private key for the server. "key" is commented out,
    ; so stunnel reads the private key from the same file as the certificate:
    ; stunnel.pem must contain both.
    cert = stunnel.pem
    ;key = stunnel.pem
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    ; Service-level configuration

    [https]
    ; Listen for SSL connections from the internet on port 443 ...
    accept = 443
    ; ... and hand each one to HFS on localhost port 49999, in the clear.
    connect = 49999
    TIMEOUTclose = 0

That's it! Lines beginning with a semicolon are comments (they don't matter to Stunnel). Most of these lines are straight from the default version of stunnel.conf that comes with stunnel. The most important three lines are:
    [https]
    accept = 443
    connect = 49999
The numbers are port numbers. A port number is like a door number on your computer: it says where a particular server can be found. The "accept" port is where clients on the internet find Stunnel. The "connect" port is where Stunnel, on your own machine, finds HFS (which serves your files); Stunnel connects to that port on localhost only, so the unencrypted half of the conversation never leaves your computer.

If you are behind a router (and you should be, or at least behind a software firewall), you need to configure it to forward port 443 to your machine; a software firewall on the machine itself must be told to let stunnel.exe accept incoming connections. Otherwise Stunnel will be invisible from the internet. I recommend port 443, since that is the standard port for HTTP over SSL, i.e. https. Port 443 is implied whenever a URL starts with "https://", so your friends will never need to type "443". To learn about port forwarding see here: http://en.wikipedia.org/wiki/Port_forwarding

Don't, however, forward port 49999 (this is just an example port number; use whatever unused port you want), and don't let your software firewall unblock HFS either: only stunnel.exe should accept connections. The idea is that internet clients can reach HFS only through Stunnel, on port 443, so nothing crosses the internet unencrypted.

Now you need a personalized stunnel.pem file: it holds your server's private key and its certificate. Do not use the stunnel.pem that comes with the Stunnel download. That file is shipped to everyone who downloads Stunnel, so its private key is effectively public, and anyone holding it can impersonate your server to your friends. Getting your own stunnel.pem is a bit of a pain. You can use OpenSSL to create one, but I don't know how.

But I do know how to use Filezilla Server to create a stunnel.pem for you. In the Filezilla Server UI menu, select Edit--Settings--SSL/TLS Settings--Generate New Certificate. Make sure the "common name" is the name your computer has on the internet, like www.foodbars.org or baloney.dyndns.org; that is the name your friends will type, and the name their browsers will check the certificate against. Filezilla Server writes a single .crt file containing both the private key and the certificate, which is exactly what Stunnel expects when "key" is left out of stunnel.conf. Just rename it to stunnel.pem and copy it into Stunnel's install directory. Because you signed this certificate yourself rather than getting it from a certificate authority, browsers will warn about it the first time they see it; more on that below.
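The OpenSSL route the post skips, as an added example that is not part of the original post: a POSIX shell script that generates a fresh private key and a self-signed certificate for the common name you pass in, concatenates them into one stunnel.pem (the layout stunnel expects when "key" is left unset), checks that both pieces are really in the file, and prints the SHA-1 thumbprint you will later read out to your friends. The host name jellybean.dyndns.org and the 365-day lifetime are assumptions. On the Windows box of the post the same two openssl commands run from a command prompt, with `copy key.pem+cert.pem stunnel.pem` in place of cat.

```shell
#!/bin/sh
# Added example (not from the original post): build a personal stunnel.pem
# with OpenSSL instead of borrowing one from FileZilla Server.

# make_stunnel_pem CN OUTFILE
# Generates a new 2048-bit RSA key and a self-signed certificate whose
# common name is CN (use the DNS name your friends will type), then writes
# key + certificate into OUTFILE. stunnel reads the private key from the
# "cert" file when "key" is not set, so both must live in the same file.
make_stunnel_pem() {
    cn=$1
    out=$2
    tmpkey=$(mktemp)
    tmpcrt=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" -keyout "$tmpkey" -out "$tmpcrt"
    cat "$tmpkey" "$tmpcrt" > "$out"
    rm -f "$tmpkey" "$tmpcrt"
    chmod 600 "$out"      # the private key is in here; keep it to yourself
}

# pem_is_complete FILE
# Succeeds only if FILE carries both a private key block and a certificate
# block. A bare certificate renamed to stunnel.pem fails this check, and
# stunnel would refuse to start with it.
pem_is_complete() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# show_fingerprint FILE
# Prints the SHA-1 fingerprint of the certificate in FILE. This is the
# "thumbprint" IE7 shows, so it is the value to pass on to your friends.
show_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1
}

# Usage: sh make_stunnel_pem.sh jellybean.dyndns.org stunnel.pem
# (host name assumed for the example)
if [ $# -eq 2 ]; then
    make_stunnel_pem "$1" "$2"
    pem_is_complete "$2" || { echo "$2 is missing the key or the cert" >&2; exit 1; }
    show_fingerprint "$2"
fi
```

Copy the resulting stunnel.pem into Stunnel's install directory exactly as the post describes for the FileZilla-generated file; the fingerprint printed at the end is the one to compare against what your friends' browsers show.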

Once you have done this, make sure that stunnel.exe runs when your machine boots up: a shortcut in your Startup folder will do. On startup, stunnel.exe reads stunnel.conf, which in turn points it at your stunnel.pem, and all will be well.

Now it's time to install HFS. Download HFS.exe from http://www.rejetto.com/hfs/. Guess what? You don't need to install HFS. You just run it. I recommend just creating a shortcut for it in your startup folder so it starts at boot time.

Once you run it, turn off its server by pressing the on/off button in the upper left corner, then edit the port number on the same line, to make it match the "connect" port in Stunnel (e.g. 49999). Then press the on/off button again to turn the server on.

If you want to share a file or folder with the world, just drag it into HFS's "Virtual File System" pane. It really is that easy. If you don't want to share it with the whole world, you can put a username and password on the file, or (in HFS's "advanced mode") you can create multiple accounts with passwords, each of which has access only to certain files. Just right-click on something in the Virtual File System pane.

HFS has good documentation, so I won't duplicate it here. But remember that HFS has no idea it is running behind Stunnel, so HFS's Self Test function won't work: it looks for itself from the internet on port 49999 rather than port 443. If you want the self test to pass, you can temporarily forward port 49999 through your firewall. Don't leave it that way, though: it allows unencrypted connections straight to HFS, and anyone on the network path can capture the passwords and files sent over them.

Now that you have HFS and Stunnel working, you can tell your friends to use your server. Give them a URL like https://jellybean.dyndns.org/ , where jellybean.dyndns.org is the common name you put in your certificate.

When they first go to that URL, their browser will probably stop them with a certificate warning instead of showing the page.

You must tell them to "continue to this website" even though it is "not recommended". The reason is that browsers will only speak SSL without complaint to servers whose certificates are vouched for by a certificate authority the browser already trusts. Your certificate is signed by you, so their browser has no way of knowing who you are. But your friends do know who you are, and they can tell their browser so, provided they first check that the certificate really is yours. Here's how:

Once they get to your site (served up by HFS), their browser will keep complaining. In Internet Explorer 7 it shows a "Certificate Error" button next to the address bar.

They can click that button, select "View Certificates", then "Details", then "Thumbprint". It should be exactly the same thumbprint you see when you look at your own server at https://localhost/ (your browser will grumble that the name doesn't match, since the certificate says jellybean.dyndns.org rather than localhost, but the thumbprint is the same). Give them the thumbprint over the phone or in person, not over the very connection they are trying to verify, and not in unencrypted email.

If the thumbprints match, they can click the button again, select "View Certificates", then "Install Certificate". After that, their browser will stop bothering them with certificate errors for your site. If the thumbprints don't match, they should not continue: someone other than you is presenting a certificate. And if you ever regenerate stunnel.pem, the thumbprint changes and your friends will need to repeat the check.
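A way for you or a friend to compare the thumbprint without relying on reading it off a browser dialog, as an added example that is not part of the original post: the script below fetches the certificate Stunnel actually presents on port 443 with openssl s_client, prints its SHA-1 fingerprint, and compares it with the value you handed out, after normalising the two spellings (IE7 shows lowercase hex separated by spaces; openssl shows uppercase hex separated by colons). The host name jellybean.dyndns.org and the expected fingerprint in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check the thumbprint of the
# certificate Stunnel serves against the one the server's owner gave you.

# normalize_fp STRING
# Reduce any common thumbprint spelling to bare uppercase hex:
#   "SHA1 Fingerprint=AB:CD:EF"   -> ABCDEF   (openssl output)
#   "ab cd ef"                    -> ABCDEF   (IE7 certificate dialog)
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'abcdef' 'ABCDEF'
}

# fingerprints_match A B
# Succeeds when A and B name the same certificate, whatever their formatting.
# An empty value (e.g. a failed connection) never matches anything.
fingerprints_match() {
    [ -n "$(normalize_fp "$1")" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# remote_fingerprint HOST [PORT]
# Open an SSL connection to HOST:PORT (443 by default), take the certificate
# the server sends, and print its SHA-1 fingerprint. The empty stdin makes
# s_client hang up as soon as the handshake is done.
remote_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1
}

# Usage: sh check_thumbprint.sh jellybean.dyndns.org "ab cd ef ..."
# Host name and expected value are placeholders for the example.
if [ $# -eq 2 ]; then
    got=$(remote_fingerprint "$1")
    if fingerprints_match "$got" "$2"; then
        echo "OK: $1 presents the expected certificate"
    else
        echo "MISMATCH: $1 presented '$got'" >&2
        echo "Do not continue and do not install the certificate." >&2
        exit 1
    fi
fi
```

Run it from a machine outside your own network so that it goes through the router and Stunnel the same way your friends do; a mismatch means either the forwarding is sending them to something other than your Stunnel, or someone is sitting between them and you.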

While HFS over Stunnel is a minor hassle, it's a great solution for sharing files privately with your non-geeky friends. HFS itself is extremely powerful and full featured. Check it out.
