I see that Dropshare supports a proxy-based access control mechanism; I would ideally like to see this capability built into the UI (enable access control globally).
If for some reason the above is not feasible, I would like to propose an alternate basic password protection scheme for files uploaded to services that support landing pages (e.g. S3).
I developed a basic proof-of-concept at https://jsfiddle.net/LuisSala/oenbxgxk/
I think this approach is essentially equivalent in terms of security to the proxy-based mechanism (minus download tracking).
There are some nuances, such as:
- In the case of S3, the name of the S3 folder containing the direct download must not be predictable if someone examines the landing page URL. I would suggest appending an additional random GUID. Assuming I'm using completely randomized filenames, this means that for a landing page of the form https://mys3bucket.s3.amazonaws.com/MyrAnDoMFIleNAme, the direct download "URL" could be of the form
- Image previews/thumbnails must be disabled. Easy to do by ensuring the __PREVIEW__ variable is left blank when passwords are enabled.
- The user should be prompted for a password when the file is dragged onto the menu-bar, not have to visit a separate website. If the password is blank, then URL encryption may be bypassed. This changes the flow by adding an intermediate step, but I think it worthwhile.
- Ideally, the user should be able to retrieve the password for each item through the drop-down menu (and through synced Macs).
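
Added example, not part of the original post, the linked proof-of-concept, or Dropshare: a sketch of the password-based URL encryption the post describes, with Node's `crypto` module standing in for both the uploader (encrypt) and the landing page (decrypt). The function names, the PBKDF2/AES-GCM choice, the blob layout and the `<base>/<GUID>/<file>` path layout are all assumptions; the post does not specify them.

```javascript
// Added example (assumed design): hide the direct-download URL behind a password.
const nodeCrypto = require('crypto');

const PBKDF2_ITERATIONS = 600000; // assumption: slow enough to blunt offline guessing

// Stretch the password into a 256-bit AES key with a per-file salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Put the file under a random GUID so the direct location cannot be
// inferred from the landing page URL (hypothetical path layout).
function makeDirectUrl(bucketBase, fileName) {
  return `${bucketBase}/${nodeCrypto.randomUUID()}/${encodeURIComponent(fileName)}`;
}

// Uploader side: returns what the landing page would embed.
function encryptUrl(directUrl, password) {
  // Blank password: encryption is bypassed, as the post proposes.
  if (!password) return { protected: false, url: directUrl };
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(directUrl, 'utf8'), cipher.final()]);
  // Blob layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext
  const blob = Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
  return { protected: true, blob };
}

// Landing page side: returns the direct URL, or null on a wrong password
// or a modified blob (the GCM tag check fails in both cases).
function decryptUrl(blob, password) {
  const raw = Buffer.from(blob, 'base64');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}
```

In this sketch the password guards only the URL: the object itself stays readable to anyone who learns the direct location, so the random GUID carries the actual secrecy once a link has been decrypted.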