back to article This is the Send, encrypted end-to-end, this is the Send, my Mozillan friend

Mozilla's Firefox Send, a free encrypted file sharing service, graduated from test to official release on Tuesday after a year and half of refinement. Available on the web at send.firefox.com and soon through an Android app, Send first appeared in August 2017 as a way to encrypt local files and store them on Mozilla's servers …

  1. John Smith 19 Gold badge
    Unhappy

    The devil with all this stuff is in the details

    So you're file is encrypted and (it looks like) the metadata is as well.

    Whose got the keys?

    Whose got copies of the meta data?

    Personally I'm suspicious as f**k of any "service" that requires my registration anywhere when what the bulk of the task is running on my hardware (the clue is in the name "end-to-end").

    1. overunder

      Re: The devil with all this stuff is in the details

      Im not sure of your suspicion on who could be eavesdropping, but if you can host part of or all of the software on a local machine (which is where this stands out to me), then I appreciate this as it appears to be the first popular push of using "cloud" like features at home, which is long overdue for at least 1 aspect of privacy. But, *if* the full application and not just part of it be hosted at home, then doesn't this turn Mozzila into something like a middleman similar to torrent sites? Either way though, I see it as a step in the right direction

    2. Khaptain Silver badge

      Re: The devil with all this stuff is in the details

      @John

      Registration is not required for files less than 1Gb. I tried the service as a test this morning and it seems to work well. I did not provide any personal details, or any others details at all. Completely anon outside of the usual Source IP etc.

      1. Anonymous Coward
        Anonymous Coward

        Re: The devil with all this stuff is in the details

        IF it's "outside of the usual Source IP etc." (particularly with the "etc" bit) it's neither "completely anon", nor any other variant of "anon".

        btw, is this type of not-quite-anon anon of ANY practical use? (notwithstanding the actual service and encryption).

        1. d-m

          Re: The devil with all this stuff is in the details

          Good luck using the internet without an IP...

        2. noboard

          Re: The devil with all this stuff is in the details

          "btw, is this type of not-quite-anon anon of ANY practical use? (notwithstanding the actual service and encryption)."

          If you don't think it's of any use, why are you posting anonymously?

        3. Jack of Shadows Silver badge

          Re: The devil with all this stuff is in the details

          Good luck getting anything representing my "real" IP address here, that's covered by the VPN, sometimes more than one layer deep. MAC is changed. Other protections in place, too. Not needed, just playing games with meta-data. It almost certainly becomes a distinctive signature in its own right but, given that I was doing all this even while I was wearing the uniform, I'd lay money they "know" who I am. I used to fix their crypto equipment, along with a "higher security clearance," when they couldn't. Just a game. Fun though!

          For normal use with a VPN. that should be enough to be ignored by the government. Pedo-terrorists have other worries requiring a higher level of caution. Send.Firefox isn't going to help them at all.

        4. Eddy Ito Silver badge
          Paris Hilton

          Re: The devil with all this stuff is in the details

          Sorry, I'm as confused as Paris. I didn't see anywhere where this claimed anonymity in any way. I see where it says private and encrypted but nothing about it being anonymous. Besides, anyone who would knowingly download some secret payload from an anonymous source is some special sort of idiot that will likely just post it on facebook after downloading it.

    3. A Non e-mouse Silver badge

      Re: The devil with all this stuff is in the details

      Whose got the keys?

      RTFA: Just the people with the download URL. As the client software runs locally in your browser, Mozilla can't see it by default.

    4. el kabong

      The article says the key is in the hash part of the URL

      The server cannot read the hash part of the URL as that part is local, only javascript code running in the browser can read it, the key never leaves the browser, it stays local.

      The only way mozilla can get the key is having the browser send it to their servers but that will not happen because the javascript code does not do that and it is open to inspection meaning you can inspect it and check that it is behaving properly, you can check that it is not doing anything nasty. Besides, you can host it yourself if you want.

      Finally, the encryption algo uses a symmetrical key so there is only one.

      1. Anonymous Coward
        Anonymous Coward

        Re: The article says the key is in the hash part of the URL

        Not suspicious of Mozilla but you'd have to be super careful about extensions which can often read and manipulate the content on a page (therefore see the URL) and browsers and extensions can often read the address bar so multi-use of the link would be risky.

        Personally I think it seems like a good service, but I would only use it for very short term, one use links with a browser that has extensions all disabled.

      2. DropBear Silver badge

        Re: The article says the key is in the hash part of the URL

        Right up until a confused party pastes the received "URL" as-is straight into a browser instead of using the appropriate microsite / app / text box / whatever it is you are supposed to actually do with the link (bonus points if they paste it straight into the Google search box instead of the address bar)...?

        1. whitepines Silver badge
          Facepalm

          Re: The article says the key is in the hash part of the URL

          bonus points if they paste it straight into the Google search box instead of the address bar

          On some systems (including Linux-y ones) those are one and the same. Makes me cringe every single time I watch someone typo part of the URL and it goes straight to the Google slurp machine for permanent, completely legal recording and tracking.

          Chrome for one, though that's snooping through your entire hard disk in the name of "safety" and "security" lately. I wonder what happens when it starts deleting people's "illegal pirated files" (that happen to be neither illegal nor pirated, e.g. original content or open media) and what the legal ramifications would be (probably none, see EULA?)

        2. zuckzuckgo

          Re: The article says the key is in the hash part of the URL

          You can limit the service to only one download for the specific transfer. That won't stop your browser from snooping the link but it becomes useless after one use. If someone manages to use the download link before the intended recipient at least you will know you have been compromised in some way. Just don't include all your secrets in one transfer.

        3. Jamie Jones Silver badge

          Re: The article says the key is in the hash part of the URL

          "Right up until a confused party pastes the received "URL" as-is straight into a browser instead of using the appropriate microsite "

          You're right about it going into a search box, but as a url..it *is* a url. It's designed to loaded as such.

          The key is contained after the "#" in the URL - that part of the URL (anchor) isn't sent in the server request, but the javascript that is downloaded can read it locally. (Though I can't see what would stop a rogue site modifying the js to upload back to the server the anchor content)

    5. tfb Silver badge

      Re: The devil with all this stuff is in the details

      It does not require you to sign in. You get additional storage if you do, but that's it.

  2. Terje

    So what is the actual upside of this to any other message, apart from setting maximum download and expiration time? You still have to get the download URL to the recipient (significantly more annoying to do over for example the phone then just a krypto key alone (ok phones are not secure either I know) and if you have a decent way to send a secure message with the URL then you should be able to do this anyway) be it sending the entire file or just the crypto key.

    1. Richard 12 Silver badge

      Large files

      This way you only need to securely send the recipient the few hundred bytes making up a URL.

      That's far easier to do than to try to securely send the recipient a 1GB file.

      Whether Mozilla can legally afford to keep running the service is another question, given the collective insanity of various governments.

    2. Khaptain Silver badge

      @Terje

      As I see it , it's free, simple to use and does not require third party installation on the local machine.

      And as Richard12 said, the problems of large attachments are resolved.

      It is however a DLP nightmare....

      1. Mr Humbug

        I am confused

        > It is however a DLP nightmare....

        I suppose it depends a bit on how your users need to use information to do their jobs, but I don't see how this is any worse (for DLP) than the other file sharing services already available. You still have to control where people can upload stuff to and it doesn't really matter (when you look at the insider threat risk) whether the file is locally encrypted before it's uploaded if users have mobile devices that can connect from outside your perimeter. And if you can monitor and block access to sites such as files.fm then you can do the same with this.

        1. Jack of Shadows Silver badge

          Re: I am confused

          Not entirely, you can't. Setting this up on some VPS elsewhere otherwise unknown except by IP address can't be blocked unless you use a whitelist on your corporate firewall. The easy hosting wherever is where it gets tricky from a security aspect. Also, you'd have to block Mozilla's host as well to cover that hole.

          I still like it.

          1. Mr Humbug

            I see what you mean, but if you've got maliciaous insiders who can set this up on their own VPS then you've already got malicious insiders who can set up a VPS that accepts file uploads over https. ANd if that's a significant threat for you then you should already be locking down the end points and whitelisting permitted upload sites

            1. Jack of Shadows Silver badge

              ANd if that's a significant threat for you then you should already be locking down the end points and whitelisting permitted upload sites

              That's the way I run things. Then again, I run a reasonable set of systems. Need an exception? Ask. Your quite likely to get it with a quick phone call or IM. And everyone knows not only that but I'm ready to down tools and say "goodbye!" The permanent kind. You have to have some flexibility in your approach to systems (note, plural!) security to make the systems run effectively, just not to the point of having a boiled noodle for a spine.

    3. tfb Silver badge
      Big Brother

      It makes it significantly harder to track what's happening. For instance if I'm snooping metadata on two people communicating using some end-to-end encrypted system (say mail with pgp), then if I see fucking enormous messages I know something interesting is going on. If I see only small messages I may not: I also have to notice the corresponding uploads & downloads. It doesn't make it impossble for snoopers, but it makes it harder.

    4. revenant Bronze badge

      re: "get the download URL to the recipient"

      Sharing the URL via Signal is simple and works quite well. Quite useful for sending files larger than Signal's size limit.

  3. Anonymous Coward
    Anonymous Coward

    free Firefox Account

    it's GREAT to see such generosity from a Corporation, great. O Come, All Ye Faithful, it's free, free, FREEEEEEEE!!!!*

    * if you're looking for relevant information on the FREE bit, see here**

    ** Still here?! OK, look HERE***

    ***Why, we said FREE, innit! As in "FREE means FREE!!!" ****

    1. Jamie Jones Silver badge
      Happy

      Re: free Firefox Account

      Bob, the cloak of anonymity you choose to wear isn't as effective as you think!

  4. joeW

    "gravity of Google Chrome pulls people away from Firefox"

    There's a certain amount of Pushing force in that equation too unfortunately.

    1. Andy Non

      Re: "gravity of Google Chrome pulls people away from Firefox"

      There is definitely some pushing. I've used Firefox for many years now for better or worse, but lately my patience has been pushed sorely to the limit trying to stop media autoplaying. The settings to disable it used to be in the About:Config area, then that stopped working, requiring third party add-ons that were hit and miss to say the least. Then Mozilla eventually put a feature in the options GUI to stop autoplay but it kept un-checking itself. Then the setting disappeared altogether. Then another iteration of Firefox they had introduced settings for it in the options GUI that actually worked, but now in the latest version it appears to have disappeared completely from the GUI again. Mozilla's help/support information lags so far behind as to be useless. Mozilla are going out of their way to push people away from using Firefox.

  5. Anonymous Coward
    Anonymous Coward

    I've had this for a while..

    The guys of Softronics in Switzerland added a while back a "public link" facility to their Mydrive service. It has a max access quota of 50 times after which you have to reset the URL but it works well.

    Basically you get a mile long URL as the access key. I mapped, for instance, my unclassified CV to a ~/cv URL on one of my websites which then pulls it straight from secure storage via that URL and that works well - I'll just reset it once it runs out.

    It filled the hole in my secure storage needs: I can set someone up as a user for a subdirectory, but that's always a bit of a pain. A limited access URL means I can set up a one-off (set share count to "1"), and I can check which IP address grabbed it from the document history. In that context one warning: beware of services doing a URL preview (Microsoft's Skype started this first as camouflage that it was accessing the URLs you were sending in your messages) as it tends to count as one access..

  6. Aladdin Sane Silver badge
    Pint

    That headline

    Bravo

    1. chivo243 Silver badge
      Thumb Up

      Re: That headline

      Nothing like a Doors reference to make me smile... Especially this one

      1. Aladdin Sane Silver badge

        Re: That headline

        I'll admit, I was tempted to drop an Apocalypse Now reference into the comments.

  7. Adam Inistrator

    Nextcloud

    You missed out Nextcloud which offers end to end encryption and 100% open source for server, 3 desktop and 2 mobile clients. An ideal solution. It is also a broad platform offering much more than simple file storage.

    1. Charles 9 Silver badge

      Re: Nextcloud

      But is it turnkey easy? Otherwise, Joe Stupid won't get it. That's been putting me off Owncloud/Nextcloud for a while now.

  8. Anonymous Coward
    Anonymous Coward

    Q: Why is my browser not supported? / Why does Firefox Send require JavaScript?

    Firefox Send uses JavaScript to:

    •...•Encrypt and decrypt files locally on the client instead of the server.

    •...

    •...

    •Collect data to help us improve Send in accordance with our Terms & Privacy.

    1. Mark 85 Silver badge

      Re: Q: Why is my browser not supported? / Why does Firefox Send require JavaScript?

      Add a bit here since I saw no reference.... "Delete the data after it's been accessed X number of times?". If not, then why would they keep it? This applies to both the unencrypted file upload as well as the encrypted file. Given the paranoia about NSA, et al, I think this should be a valid concern.

      1. Anonymous Coward
        Anonymous Coward

        Re: Q: Why is my browser not supported? / Why does Firefox Send require JavaScript?

        Didn't you get the part where the encryption takes place on-client, meaning by the time it's being uploaded it's already encrypted?

  9. mark l 2 Silver badge

    Maybe it is only myself that thinks this, but I would rather the Mozilla developers spend their time fixing bugs and developing new features for Firefox, Thunderbird etc than trying to compete in the already crowded file sharing space. This new service sound to be just like Mega.nz which has been knocking around for a while now and there are other similar file sharing website which offer you the ability to automatically delete files after a number of downloads.

    If you are worried about the file host being able to view the file you upload then encrypt them yourself before uploading.

    1. JohnFen Silver badge

      "I would rather the Mozilla developers spend their time fixing bugs and developing new features for Firefox, Thunderbird etc"

      Thunderbird stopped being developed or maintained by Mozilla quite a while ago. It has its own independent team now.

  10. Pen-y-gors Silver badge

    Nice and simple

    And it seems to work on other browsers too. Just downloaded a test via Chrome.

    Only one bug - the 'number of times' pull down on Welsh Firefox is a bit scrambled!

    1. Fred Flintstone Gold badge
      Trollface

      Re: Nice and simple

      Only one bug - the 'number of times' pull down on Welsh Firefox is a bit scrambled!

      Maybe it's in Welsh ?

      :)

  11. Anonymous Coward
    Anonymous Coward

    Maybe i'm missing something

    This is running atop Google cloud?

    So how is it funded? Given i suspect Google are not being benevolent for a competing browser and the loss of data generation (money) it would entail, not to mention the volume of anticipated data traffic, processing etc on their platform.

    maybe thinking too deep?

  12. E 2

    Send is very secure?

    When I went to send.firefox.com I got an essentially blank page: FF logo, Moz logo, footer links, main body of the page blank.

    If I can't Send a file then nobody can pilfer it!

    1. Jack of Shadows Silver badge

      Re: Send is very secure?

      Worked in current Opera (x64), with multiple layers of blocking, here. Which browser were you using?

  13. Cincinnataroo

    Thought Experiment.

    You provide the keys to all these programs.

    How does that compare with them providing keys?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019