Question Sharing files with Drive and not getting in trouble

11
3
NAS
DS218+
Operating system
  1. macOS
  2. Windows
Mobile operating system
  1. iOS
Hi everybody! I've got a Synology Drive question. Synology Drive doesn't appear to completely obfuscate filenames ... so if you share an MP3 file or something like that, the filename might be visible in the link. So when you first make the share link directly to a file it looks like this:
https://foobar.synology.me:5556/d/f/539914714332659263

But when you go to open the file, you get this URL:
https://foobar.synology.me:5556/d/f...9262"]&force_download=false&_dc=1584822541078

So, I wonder - if I shared a file like this (using https), would I be at any risk of having that filename exposed to my ISP? I want to be able to share certain files with friends and even access my MP3s and movies while I'm away from home. If I was at a business or at a friend's house, I would hate for the business or my friend's ISP to get a copyright notice because I accessed copyrighted content from their network.
 
Well they wouldn't be able to access that file to verify if its even a copywrited file...

Yeah, I don't know what an ISP's methods would be for flagging a file - is it just a suspicious filename? Filename plus size of the file?

Are filenames even visible to the ISP over https? What's the sequence of events, anyway? The DNS server processes the domain name lookup unencrypted ... and then once an https connection is established, is the request for a specific file done in an encrypted way?
 
So if you wanna access your content from multiple locations why not go with a media server option and use an http client to connect to it and stream?

I currently use Plex just fine - with encryption enabled. I feel safe doing that from anywhere.

However, there are several problems with this: sometimes I would rather just download the file rather than stream it from my DS218+ that doesn't do a very good job transcoding everything.

Also, I work on a variety of editing projects with other collaborators - sometimes I need to just send them different files - like MP3 files or other files. I want to make sure that when I'm doing this that I'm not getting anyone into any trouble.
 
If the URL's GET request portion (the end bit of the URL that's the instruction to retrieve content) doesn't expose the filename then the HTTPS payload will encrypt the data. To be certain that you're not having your HTTPS inspected in transit then you should not use a self-certified certificate as the endpoints cannot be 100% certain that there is not a proxy (man-in-the-middle) that is: handling the request; getting the end server's reply; decrypting it for inspection; and then re-encrypting and sending on.

If the MP3 is not copyright protected, or your copyright material, then it doesn't matter if the shared media is can be identified (from a litigation point of view). If you're sharing copyright material then you are probably breaking the terms that allowed you to get the media ... it's more a moral question until the person you share it with ...........

However, it's an interesting question of what is exposed when sharing. "Is the filename exposed?" is similar to those cleartext metadata vulnerabilities and here's the answer, even with HTTPS:

File Station uses gofile to generate the short link but eventually when downloading the file this gets converted to direct to my NAS and then the filename gets appended to the end of the URL: after downloading the file I view Safari's download list and ctrl-click the file to Copy Address ... this does show the final actual full URL with filename included.​
Likewise, I tested this with Drive with both the File Link and Advanced Protection Link ... after doing Copy Address on the downloaded file from Safari's list I see that both these methods embed the filename part way through the URL.​

It's clear that shared files should have names that you are happy to be visible to any and all on the Internet. Otherwise, change to benign names before sharing or zip a folder that has a benign name. Alternatively use a shared folder in public cloud that hosts an encrypted vault, such as using Cryptomator.

Or, within Audio Station you can permit, by user, the ability to publicly share tracks for streaming in a browser. You can also files from within Audio Station. Both these available from the Action button.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

At first it might, but those are too separate platforms, Drive being completely optional. Also, you might...
Replies
1
Views
462
  • Question
Cloud Station was replaced by Synology Drive. CloudSync is still very much a supported package in DSM 7...
Replies
3
Views
522
Using Drive Client 3.4.0 on Win 10. By default, it seems like the client is copying my entire home profile...
Replies
0
Views
1,038
  • Question
That still appears like it didn’t work. The log says all versions were deleted and the console shows only...
Replies
8
Views
849
Oh! Well, that's that, then. Thanks for your help. I've cribbed together a solution for now. Will check...
Replies
7
Views
234
  • Question
Did you read further down in that documentation this section, and does it fit with what your seeing & your...
Replies
1
Views
493
You can allow your users to use the forgot password option. They can do this from the dsm login screen. If...
Replies
8
Views
670

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top