Revisiting secure Dropbox sharing
A little over a year ago, I wrote a post with some ideas for sharing files more securely using Dropbox, and I’m glad I did because it lead to a much better and more useful post on the same topic by Merlin.
The approach in Merlin’s post has worked well for me, but recently I made some changes.
Less public
Even with the “handful of paranoid additions involving chaos and automation” in Merlin’s post, I was never completely comfortable using the Public folder.
Links to files in the Public folder look like this:
http://dl.dropbox.com/u/123456/file.txt
Each Dropbox user has their own unique numeric Public folder ID (like 123456). And so the path to my Public folder was necessarily advertised each and every time I shared it.
I have no idea if it would actually be possible to “crawl” a Dropbox Public folder, but it seems conceivable. At any rate, the image of an ill-intentioned teenager sitting in an Eastern European basement writing a shell script to ping known Public folders 24 hours a day never sat well with me.
Now that Dropbox lets me create a link to any file in any folder, I’ve abandoned the default Public folder entirely. I now use a custom public folder, which resides in a Dropbox folder containing all of my other shared folders.
Dropbox’s new link-to-any-file-anywhere option just feels more secure (to me). The new syntax looks like this:
https://www.dropbox.com/s/zahx2ghztxt5mtn/file.txt
That zahx2ghztxt5mtn bit is random and is different for each and every link you create. There is nothing specific to your account in the URL.
Better Hazel rules
I had been using Hazel to automatically delete files from my Public folder X days after I put them there, where X was constantly changing because I never could settle on the right amount of time.
It was always frustrating when Hazel would (based on my instructions) remove files before the intended recipient had a chance to download them—especially for non-sensitive files like photos or videos that I share with friends and family.
I'm totally fine with a video of my 13-month-old son slam-dunking a toy basketball goal staying in my public folder for months, but I might want a W-9 form to be publicly available for just a few days.
I finally got smart and thought to vary the lifespan of files by having multiple Hazel rules based on different durations. I now add a time indicator to the end of file names. Some examples:
- _1d for 1 day
- _3d for 3 days
- _1w for 1 week
- _6m for 6 months
If, for example, Hazel sees a file called file_3d.txt, and it’s more than 3 days old, Hazel deletes it.
This allows me to quickly and easily set the duration of a file’s availability after I’ve copied it to my custom public folder.
I still wouldn’t call this system perfect, but it’s better. Definitely better than email.