Firefox Send Is an Easy Way to Share Large Files Securely
Credit to Author: Brian Barrett| Date: Tue, 12 Mar 2019 22:33:05 +0000
You’ve got no shortage of ways to send encrypted messages, and at least as many cloud services for sending large files. But the Venn diagram for the two remains surprisingly, inconveniently small. That’s the beauty of Mozilla’s Firefox Send, a free, intuitive, web-based service that lets you share large encrypted files, no strings attached.
Send began in 2017 as an experiment, part of Firefox’s since-discontinued Test Pilot program. Since then, it has languished in beta, gaining a few features along the way, but mostly in the shadows. Tuesday marks its public launch.
What sets Send apart is its ease of use. It works in any browser; just go to send.firefox.com. Upload or drag and drop files, and Send will generate a link that you can set to expire after a certain number of downloads—up to 100—or a certain amount of time, ranging from five minutes to seven days. You can send up to 1 gigabyte, or up to 2.5GB if you sign in with a Firefox account. For comparison sake, SMS generally maxes out at 600 kilobytes. The biggest Gmail attachment you can send is 25 megabytes. Firefox Send offers orders of magnitude more room, enough to send a high-definition episode of Game of Thrones.
There are already ways to share large files, of course, whether it’s with a Google Drive link or through a service like Hightail. But doing so securely—with end-to-end encryption, without stashing files in the cloud—is another story.
"It looks elegant and a nice way to do things."
Matthew Green, Johns Hopkins University
“I recently moved to a place that involves me acquiring a bunch of visas; with my wife I’ve had to fill out a ton of paperwork and provide things like passports to various agencies,” says Mozilla product manager John Gruen. “There’s something weird about the idea of keeping all this stuff in a persistent cloud storage solution to me. I just don’t really want to have to remember to clean up my tracks. Even if I delete a file from some cloud storage somewhere, I don’t even know if it’s actually gone for good, or just gone from the user interface.”
Because Firefox Send is end-to-end encrypted, not even Mozilla can see the contents of what you’re sharing. You can also add a password to a given file, so that even if someone intercepts that URL—by compromising the recipient’s email, say—you can keep it secure.
As for the encryption itself, Firefox Send uses the Web Crypto API. "They generate a key and then encrypt the file, putting the key into the URL that you share with your friend,” says Matthew Green, a cryptographer at Johns Hopkins University. “It looks elegant and a nice way to do things.”
Green notes that Send can still leak metadata like your IP address, what time you sent the file, and the file size, making it a potentially poor choice for whistle-blowers or other at-risk people. Similarly, while encrypting files in the browser makes Firefox Send singularly convenient, it also introduces potential risks.
“It’s not an extension or a web app or a plugin. You go to that website and it loads JavaScript inside the browser, and all the encryption is done in your browser,” says Kenn White, co-director of the Open Crypto Audit Project. “What that means is every time you hit their server, they could push new code. The problem is, the user doesn’t have any guarantees of what version of software that is.”
Compare that experience to an encrypted messaging app like Signal; you know what version you have on your phone, and how it behaves. A browser-based solution offers no such guarantees, and potentially exposes users to either server-side or man-in-the-middle attacks. White acknowledges that those scenarios aren’t likely, especially for the average user. But human-rights activists, journalists, and other potential targets should take it into consideration. “I don’t want a pinkie promise that you won’t do something,” says White. “I want to know that you can’t do something.”
Don’t let those caveats warn you off Firefox Send, though, if like most people all you need is a way to send financial or legal documents without worrying about what cloud you might have left them in.
“We’re sort of in between a cloud storage solution and something like [Apple’s] AirDrop, and that’s kind of the point,” Gruen says. “We’re trying to ride that line a little bit, and give people leeway in their use cases.”
Mozilla’s also trying to expand its reach—and its privacy-focused ideals—beyond Firefox, an aspiration that Send fits in with neatly. It provides comparable protection and functionality whether you’re on Chrome, Safari, or whatever else. “I personally don’t believe that our manifesto is exhaustively covered by a browser,” says Gruen.
Send still tries to draw people in, both by solidifying the Firefox brand’s privacy bona fides and encouraging people to create accounts. But fundamentally, it offers an apparently sound, secure service.