Tips and Tricks HQ Support

Support site for Tips and Tricks HQ premium products

  • Home
  • Contact Us
  • Documentation
  • Forum Home
    • Forum
    • Forum Search
    • Forum Login
    • Forum Registration

SECURITY with S3 on Digital Downloads

by

Tips and Tricks HQ Support Portal › Forums › WP eStore Forum › WP eStore Troubleshooting › SECURITY with S3 on Digital Downloads

Tagged: amazon s3, S3, S3 Security

  • This topic has 4 replies, 2 voices, and was last updated 12 years, 11 months ago by thehigheredcio.
Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • June 3, 2012 at 5:08 pm #6501
    thehigheredcio
    Member

    I have one SECURITY concern with the S3 integration. Maybe I missed a config in the instructions or videos?

    In migrating to AWS S3 for my digital downloads storage I noticed when the digital download filetype is any one of the ones a browser can open directly rather than having to download it like a pdf, it exposes the AWS Security Credentials (AccessKeyID and Signature) in the URL of the opened file instead of masking them with the encrypted URL link or some other AWS URL.

    Is this an S3 config item, eStore config, or just the way it is? Is there a fix or workaround?

    I am going to have to revert back until this issue is resolved.

    June 3, 2012 at 5:48 pm #45830
    wzp
    Moderator

    Please see this thread, for an explanation, starting at the second post…

    https://support.tipsandtricks-hq.com/forums/topic/force-a-file-to-download-instead-of-showing-up-in-the-browser

    June 3, 2012 at 6:49 pm #45831
    thehigheredcio
    Member

    Thanks for that T&T Link (BTW maybe it could have an S3 Tag added for searchability).

    I don’t know what is happening behind the scenes on the Get Request and I know very little about S3 but it appears eStore is using a Signed URL method because it allows for it to be Time Limited. The trade off though it sacrifices securityeven if the credentials are ‘public’ which is contrary to S3 security best practices. It likely also means they are passing in clear text from eStore to AWS as part of the URI Get Request.

    If you do go back in to tweak the S3 Integration to strip out the credentials in the URL it would be nice if you could add support for using a Virtual Host name from a field in the S3 Config of eStore (like My Domain) or the Bucket Name.

    Thanks again for the help – on Sunday no less!

    June 3, 2012 at 7:32 pm #45832
    wzp
    Moderator

    As a 30 year information security professional, I assure you that use of AWS signed/expiring URL is secure. The signature is a one way hash, that requires knowledge of your AWS Secret Key to recreate. The only practical way for the signature to be forged is to hack your server and get **both** the public **AND** secret AWS key values from your WordPress database.

    Per the documentation, the S3 integration already does support CNAME DNS aliases.

    June 4, 2012 at 2:57 pm #45833
    thehigheredcio
    Member

    WZP – Everything is working great since the changes. Fast downloads, no empty files or errors and I am very comfortable with the security workaround.

  • Author
    Posts
Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.
Log In

Forum Related

  • Forum Home
  • Forum Search
  • Forum Registration
  • Forum Login

Support Related Forms

  • Contact Us
  • Customer Support
  • Request a Plugin Update
  • Request Fresh Download Links

Useful Links

  • Plugin Upgrade Instructions
  • WP eStore Documentation
  • WP eMember Documentation
  • WP Affiliate Platform Documentation
  • Tips and Tricks HQ Home Page
  • Our Projects

Quick Setup Video Tutorials

  • WP eStore Video Tutorial
  • WP eMember Video Tutorial
  • WP Affiliate Platform Video Tutorial
  • Lightbox Ultimate Video Tutorial

Our Other Plugins

  • WP Express Checkout
  • Stripe Payments Plugin
  • Simple Shopping Cart Plugin
  • Simple Download Monitor

Copyright © 2025 | Tips and Tricks HQ