Yesterday, Mozilla promoted one of its experimental projects, Firefox Send, to a final release that is available to the general public.
Firefox Send is a simple and secure service for sharing encrypted files. The service looks simple, but the engine running under it provides true end-to-end encryption, meaning files are never transferred in the clear.
Files shared through Firefox Send are encrypted on the client side (sender) and decrypted on the recipient's computer (JS in the browser).
Its operation is therefore somewhat similar to Firefox Sync, which implements a similar architecture.
The server code is hosted on GitHub under the MPL 2.0 license (Mozilla Public License), which allows anyone who wants to run a similar service to do so on a computer under their own control.
For encryption, the Web Crypto API and the AES-GCM block encryption algorithm (128 bits) are used.
For each download, a secret key is first created using the crypto.getRandomValues function, which is then used to generate three keys: a key to encrypt the file using AES-GCM, a key to encrypt the metadata using AES-GCM, and a digital signature key to authenticate the request (HMAC SHA-256).
The encrypted data and the digital signature key are uploaded to the server, and the secret decryption key is displayed as part of the URL.
When a password is specified, the digital signature key is generated as a PBKDF2 hash of the entered password and the URL with the secret key fragment. (The password specified by the user is used to authenticate the request, that is, the server will only provide the file if the password is correct, but the password is not used for encryption.)
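The key schedule described above can be sketched with the Web Crypto API as follows; this is an added example, not Firefox Send's own code. The page does not name the derivation step, so HKDF-SHA-256, the info labels, the 16-byte secret, the server nonce challenge, the use of the URL as PBKDF2 salt and the iteration count are all assumptions.

```javascript
// Added example, not Firefox Send's source. Assumed (not stated on the page):
// HKDF-SHA-256 as the derivation step, the info labels, the 16-byte secret,
// the server nonce challenge, the URL as PBKDF2 salt and the iteration count.
const wc = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const enc = new TextEncoder();
const AES = { name: 'AES-GCM', length: 128 };
const HMAC = { name: 'HMAC', hash: 'SHA-256', length: 256 };

// One random secret (carried in the URL fragment) yields three separate keys.
async function deriveKeys(secret) {
  const base = await wc.subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  const hkdf = (label) =>
    ({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: enc.encode(label) });
  return {
    fileKey: await wc.subtle.deriveKey(hkdf('encryption'), base, AES, false, ['encrypt', 'decrypt']),
    metaKey: await wc.subtle.deriveKey(hkdf('metadata'), base, AES, false, ['encrypt', 'decrypt']),
    authKey: await wc.subtle.deriveKey(hkdf('authentication'), base, HMAC, true, ['sign', 'verify']),
  };
}

// Password mode: the request-signing key comes from PBKDF2(password, URL).
async function passwordAuthKey(password, url) {
  const pw = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  const params = { name: 'PBKDF2', hash: 'SHA-256', salt: enc.encode(url), iterations: 100000 };
  return wc.subtle.deriveKey(params, pw, HMAC, true, ['sign', 'verify']);
}

// The server stores only ciphertext and the raw auth key; it checks a signed nonce.
async function serverAccepts(storedAuthKeyRaw, nonce, signature) {
  const key = await wc.subtle.importKey('raw', storedAuthKeyRaw, HMAC, false, ['verify']);
  return wc.subtle.verify('HMAC', key, signature, nonce);
}

async function roundTrip(text) {
  const secret = wc.getRandomValues(new Uint8Array(16));           // sender side
  const sender = await deriveKeys(secret);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ciphertext = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, sender.fileKey, enc.encode(text));
  const stored = await wc.subtle.exportKey('raw', sender.authKey); // uploaded with the ciphertext

  const recipient = await deriveKeys(secret);                      // secret read from the URL fragment
  const nonce = wc.getRandomValues(new Uint8Array(16));            // server challenge
  const sig = await wc.subtle.sign('HMAC', recipient.authKey, nonce);
  const authorised = await serverAccepts(stored, nonce, sig);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, recipient.fileKey, ciphertext);
  return { authorised, plain: new TextDecoder().decode(plain) };
}
```

The server-side function only ever sees the raw signing key and the ciphertext, which is why a correct password or signature unlocks the download without giving the server anything it could decrypt with.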
About Firefox Send
This service was originally released in 2017 as part of the Firefox Test Pilot program, but Firefox Send is now becoming a product within Mozilla's broader offering. At the same time, the service has been improved.
Firefox Send supports files up to 1 GB for users who do not want to register, and up to 2.5 GB after logging in to a Firefox account.
In addition to end-to-end encryption, files shared through this service can also be protected with a password, and two other restrictions can be applied.
The first is the total number of times a file shared through Firefox Send can be downloaded before it is automatically removed.
The other restriction is the lifetime of the link, which can be set to:
- 5 minutes
- 1 hour
- 1 day
- 7 days
By default, there is a limit of 1 download and 1 day. That is, if the recipient does not follow the link within a day, it is deactivated. And if they do, it is disabled as well.
The developers write that the service is ideal for sharing presentations or other work files with colleagues.
They just get the link, click on it and download the file; they don't need access to a Firefox account or special crypto knowledge (as they would if you were encrypting the file with PGP and sending it by mail).
Where can I use the Firefox Send service?
The service can be used directly from your web browser at the following link
By the way, while the service was in beta, an open source CLI was written to easily encrypt files from the command line.
It allows you to automate this procedure and integrate it seamlessly into your work tools.
The program also supports a number of useful functions such as archiving directories, file history, and different hosts for sending (that is, you can use your own server or hosting instead of the Mozilla server).
It is worth noting that at the moment there are already several cloud solutions for sharing encrypted files, including from Microsoft.