Aurigma File Downloader 7.0.9
Security Approach in File Downloader
This topic gives information about the security approach used during File Downloader development.
During the development of File Downloader Aurigma took care of avoiding any potential security problems. As File Downloader is a software which is installed from the Web, neglect of these problems might lead to security holes. For this reason any feature that could potentially cause a security risk was rejected.
If any security holes in the File Downloader are found, all customers are immediately informed about possible issues and the problem is fixed as soon as possible.
Those customers, who would like to make sure themselves that the code is safe, can purchase the File Downloader source code. In addition to security audit these customers can carry out customization. Please contact Aurigma sales department if you are interested.
As security is one of our main concerns, a couple of limitations take place.
The first limitation relates to the domain name of the website where File Downloader is used. It can be stated as follows:
- Domain name of the server from which the files are downloaded (item host name) must be registered with full license key.
- Domain name of the server which hosts the Web page with File Downloader must be equal to the item host name or reside within the same organization-level domain as it.
- Domain name of the server from which the file list is requested must be equal to the item host name.
See the detailed information on how to register domain name of the server where File Downloader is used in the Evaluating and Registering File Downloader topic.
This is done to prevent potential abusers from sending malicious files to the user. It implies that if you registered a server where files are situated, you are responsible for it and guarantee the safety of the content you provide your users with. If a malicious user tries to falsify a file list and force your users to download files from a false server, File Downloader prevents this attempt, because this server is not registered.
Another limitation is that the server name from which files are being downloaded is always visible in the download confirmation dialog. This is a kind of protection from scams (so-called phishing), as the owner of the Web site with File Downloader cannot confuse the users and hide the real server name.
Remember though that these measures do not guarantee cast-iron security, but make it much more difficult to carry out abuses in practice.
Some people are worried about low safety of the ActiveX technology against high safety of Java applets. Sometimes they ask whether the Java part of File Downloader is more secure than the ActiveX one.
The answer is NO. To be able to work with files on a local machine, the Java applet has to go out from Java sandbox (in other words, make the security level the same as in ActiveX). This way using Java applets for downloading would not bring any security benefits.