I've been building a fully featured CLI tool for Firefox Send, supporting this new release.<p>For anyone that is interested: <a href="https://github.com/timvisee/ffsend" rel="nofollow">https://github.com/timvisee/ffsend</a>
In the not so recent past, HN'ers loved to quote tptacek's legendary rant about how in-browser JavaScript crypto is fundamentally broken[0].<p>What changed? Is that rant finally outdated? Couldn't Mozilla at any time serve a corrupted JS bundle (with or without their knowledge) which would leak the key somewhere, silently replace the encryption by a noop, etc?<p>I ask out of interest, not skepticism. I much prefer an internet where we can trust web apps to do proper crypto than one where we have to depend on some app store to somewhat adequately protect us.<p>[0] <a href="https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/" rel="nofollow">https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...</a>
Is the source available for this? A self-hosted version of this would be nice...<p>(Update: Yep, just found it: <a href="https://github.com/mozilla/send" rel="nofollow">https://github.com/mozilla/send</a>, just before the comment below was posted :))
I've used Firefox Send for several months while it was still a test pilot program. It's been very useful for quickly sending files to family. The fact that the link expires as soon as the other party downloads it means I don't have to worry about clean up.
If relevant Mozilla people are here: Send does not work if "Delete cookies and site data when Firefox closes" checkbox in FF preferences is checked. Even the page doesn't load [1]. It surely is a bug, because I am not closing Firefox.<p>That checkbox is #1 reason I only use Firefox.<p>[1] Developer console log output: <i>"Failed to register/update a ServiceWorker for scope ‘<a href="https://send.firefox.com/’" rel="nofollow">https://send.firefox.com/’</a>: Storage access is restricted in this context due to user settings or private browsing mode. main.js:38:10
SecurityError: The operation is insecure."</i>
a bit off topic but here it goes...<p>This is how i think Mozilla can capture more users back to Firefox. By providing "extra" services attached to the Mozilla and Firefox brand will make them a superior product to the end user.
Sure it's hard to compete with Chrome but if you offer useful features and services integrated in your Browser i see that Mozilla actually has a chance to compete with Google for the browser space.<p>This is one of the "advantages", if you are a heavy Google user, of Chrome over the competition is that everything is attached to your Google account. Passwords, history, spellers, dictionaries, shortcuts, etc...<p>If Mozilla comes with Send, Notes, Password Manager all integrated in Firefox i see a good way to bring back some of the previous users that switched to Chrome.
I don't understand the end-to-end encryption claim.<p>1. Bob uploads a file, but specifies no password.<p>2. ???<p>3. Sue downloads the file.<p>Best case, Bob's browser encrypts it (with javascript?) before uploading. Either Mozilla provides a key, or Bob sends the key he used. When Sue's browser downloads it, Mozilla sends the key and her browser decrypts it client side.<p>In either case, Mozilla has the password for decryption. This makes a mild barrier to mass scanning content that's uploaded, so at least that's something... but that's little more than a promise I have to trust.<p>Am I missing something? Where is the "end-to-end" encryption? End-to-end means I don't have to trust you (as much). Please don't turn this into a meaningless buzzword...<p>EDIT: I did misunderstand something. Please see timvisee's comment below.
It doesn't exactly meet the needs of "sending files to a non-technical person", but Magic Wormhole [0] has been truly great for flipping files around between me and anyone who is capable of being trusted to run `pip install --user pipe && pipe install magic-wormhole`. This is by no means everyone, but it's been very useful quite often.<p>[0] <a href="https://magic-wormhole.readthedocs.io/en/latest/" rel="nofollow">https://magic-wormhole.readthedocs.io/en/latest/</a> has
> Key Business Question to Answer: Is the value proposition of a large encrypted file transfer service enough to drive Firefox Account relationships for non-Firefox users.<p>The metrics section is interesting <a href="https://github.com/mozilla/send/blob/master/docs/metrics.md" rel="nofollow">https://github.com/mozilla/send/blob/master/docs/metrics.md</a>
This is perfect! I'm currently taking a networking class where we generate trace reports, and I've just realised how tricky it is to send files without logging in (I'm just averse into doing that in a machine that's not mine). I can email my trace files, but I need to login, I can store in dropbox/drive, but again I'll have to login.<p>I wish they added a QR code option as well. It would be perfect for quickly copying the link by snapping it with my phone so I can download later.
I really don't understand why they didn't share a link to the repository in the article. For anyone who's interested - here it is: <a href="https://github.com/mozilla/send" rel="nofollow">https://github.com/mozilla/send</a>
The same idea (e2e decryption key in fragment/hash) is used by the self-hosted Lufi. Public instances are running at <a href="https://upload.disroot.org/" rel="nofollow">https://upload.disroot.org/</a> and <a href="https://framadrop.org/" rel="nofollow">https://framadrop.org/</a> and the code is here: <a href="https://framagit.org/fiat-tux/hat-softwares/lufi" rel="nofollow">https://framagit.org/fiat-tux/hat-softwares/lufi</a>
Maybe someone can comment on how Lufi compares to Firefox Send (performance, usability?)<p>I also think the blog post could explain more why and how the e2e encryption works. Maybe just by showing an example link and then highlight with colors "this part is private"?
This is awesome for sending private documents to family (tax season, anyone?), especially when your family isn't inclined to learn cryptography to set up their own solution. Will be trying this ASAP.
Open source peer-to-peer solution in the browser using WebRTC: <a href="https://file.pizza/" rel="nofollow">https://file.pizza/</a>
If I've got this right, the file is encrypted using a secret key which is generated on the client and appended to the anchor in the link, like:<p><a href="http://send.firefox.com/download/<fileid>/#<secret>" rel="nofollow">http://send.firefox.com/download/<fileid>/#<secret></a><p>Anyone who obtains the link (e.g. via email interception) gains access to the file.<p>Since browsers don't transmit the anchor when requesting a resource [1], Firefox servers never see a copy of the key. Provided you trust their JavaScript.<p>[1] <a href="https://stackoverflow.com/questions/3067491/is-the-anchor-part-of-a-url-being-sent-to-a-web-server" rel="nofollow">https://stackoverflow.com/questions/3067491/is-the-anchor-pa...</a>
Neat!<p>How do they handle abuse though? Like, people using it to host, say, pirated TV shows? Maybe a max download limit that makes it impractical for that use case?
Another neat feature actually built into Firefox is Take a Screenshot. To the right of the URL field, in the three dots menu. Option to save it locally, or save in the cloud with a URL with some expiration options. Sorta like a pastebin for screenshots.<p>It only takes screenshots within the confines of a Firefox window.
It would be really amazing to build some sort of integration in commonly available WiFi connected scanners and printers.<p>Currently, my scanner conveniently sends me emails with scanned documents. But I have not insight into how they actually store and delete the document on the backend.<p>Would be great if the scanner had the option to upload to Firefox Send and show me a QR code to download it on other devices.
How is this using end-to-end encryption? It seems like the recipient just clicks a link to download. How can it have been encrypted for that person? end-to-end encryption normally means that there's no way for the intermediary to unencrypt the data but I can't see how that's possible in this case.
Much of the data I share with friends using dropbox is on time-limited data in the 1-2 GB space.<p>For certain reasons I get a ton of dropbox space, but for my friends, data quotas kick in on even simple files shared like this.<p>I believe this is a primary upgrade mechanism for DB--I'd say this new firefox offer is in competish.
I had the expectation that it would use WebRTC before opening the link, disappointed on that side. But really glad of the privacy minded offer. I appreciate Mozilla's work and effort towards a more private and encrypted internet!
Sharesecret (my company) provides a similar service, along with a slack extension for anyone who needs a commercial product. <a href="https://sharesecret.co" rel="nofollow">https://sharesecret.co</a>
I wonder if they've fixed the issue where one can force reuse of a link by slowing down a download, and sharing the URL ? Hence turning it into a cheap file hosting service:<p><a href="https://news.ycombinator.com/item?id=15450524" rel="nofollow">https://news.ycombinator.com/item?id=15450524</a><p>I haven't been able to upload a file to try.
For senders and recipients who have execution privileges, OnionShare has:<p>Much lower trust assumptions<p>Functionality for dropboxes<p><a href="https://onionshare.org/" rel="nofollow">https://onionshare.org/</a><p><a href="https://github.com/micahflee/onionshare" rel="nofollow">https://github.com/micahflee/onionshare</a>
This is cool, but I’m wondering if there is some sort of “secure drop box” equivalent. Basically I generate a set of GPG keys, anyone can post to a web form which encrypts the uploaded data, in browser, using my public key, and uploads it somewhere (my server, s3, Dropbox, doesn’t matter as the private is local on my computer). I could then download the files, decrypt them locally and use them.<p>We get a lot of customers who want to send us secure data (customer info, etc...) and I’d love a way to make it easy for the customer but still secure.<p>Does something like this exist, or is this still a pipe dream? Basically FF send, except I provide a known public key to use, rather than it being generated on the fly, requiring the user to find a way to send it to me out-of-band.
I'm working on a file sharing product, for the niche use case of sharing documents between family and professional providers (lawyers, accountants, etc).<p>Documents are mostly emailed to recipients at the moment (unless they're too large, in which case... um....). The main problem we see is that you end up storing documents in email attachments on your email provider, and using email search tools to try and find documents.<p>Would this end up the same, only with all documents ending up in the Downloads folder?<p>Am I wasting my time working on creating a cloud storage sharing solution, and be better working on a method of organising files on the drive, that can also send them to other people?
As I understand it, this "guarantees" privacy by embedding the key in the link-- if that's generated client-side, it never gets sent to Mozilla's servers (assuming they don't go out of their way to grab it via JavaScript) and you can have end-to-end encryption.<p>But, if I'm logged in, it looks like Mozilla's storing that fragment on their servers: if I upload a file from one browser, then sign in on a different browser, I can see the link I generated (including the fragment) from the first browser in my list of uploads, and I can download the file.<p>Doesn't that negate their end-to-end encryption if Mozilla servers have access to the keys?
I'm surprised that no one raised their concern about javascript encryption. Usually, some will point out that the user will have to trust the delivered client side code first. Has javascript encryption finally got mainstream now?
In the past, I used <a href="https://volafile.org/" rel="nofollow">https://volafile.org/</a> for sharing files that will be deleted within a week. Volafile doesn’t do end-to-end encryption like Firefox Send, but it allows you to upload files over 2.5 GB.<p>Volafile’s multi-file “room” functionality, with chat, makes it more suited for sharing files among multiple people, while Firefox Send is optimized for sending a single file to a single person or a targeted group.
Bur Firefox is a browser. Why would you associate this with Firefox instead of making it a Mozilla service? It only leads to the Firefox brand deteriorating even more quickly.
Wow, this is really awesome and really cool! First I've heard of it. Just tested it and it worked great.<p>Is it possible to audit the tech? Is Firefox send open source?
Non-descriptive headline. Borrowing some copy from the announcement makes it better:<p>"Firefox Send: a free encrypted file transfer service"
Relatively new, are additional expiration options:<p>1 to 100 downloads, 1 is the default; or 5 minutes to 7 days, 1 day is the default. And an option to protect with a password.<p>Upon expiration, entering the URL behaves the same as if you enter a bogus URL, it's basically denied to have ever existed, i.e. it doesn't say this URL has expired.
I keep seeing comments about Search Revenue and keeping this free. It would be useful if Mozilla is getting more Firefox users out of it, but it likely won't be in any significant number.<p>So what happen once this get popular and waiting to be abused? Just like Mega. Who is going to continue and foot the bill?
That sounds great!<p>Tutanota also provides free encrypted file transfer service.-- Tresorit Send:<a href="https://send.tresorit.com/" rel="nofollow">https://send.tresorit.com/</a> ,which allows you to upload and share up to 5GB files using the same end-to-end encrypted technology.
There's croc with relatively small binary for all non-mobile platforms:
<a href="https://schollz.com/software/sending-a-file/" rel="nofollow">https://schollz.com/software/sending-a-file/</a>
Why does it have upload limits at all? Your client encrypts it, the data is sent over your internet connection to someone else's, their client decrypts it. Why would the data pass through Mozilla's servers?
I've used firefox send many times since its introduction as a pilot. I applaud its simplicity. The workflow is basically upload, send message/email containing the link, download.
In one of their videos, the URL is www.send.firefox.com - the others drop the www - is this intentional, a mistake? Why would someone use www before a sub domain like that?
They could also offer a realtime webrtc solution like snapdrop.net . Although i m not sure that works, it didn't work between my phone and desktop.
Ah man, I literally came up with (and prototyped) this exact thing in 2013. Minus the end to end encryption. I dropped it mostly because I wasn't sure how to prevent illegal use and didn't want to be liable.<p>Edit: mine was actually (partially) better because it assigned a short PIN instead of a full link, which meant you could just look at it and remember it for typing-in, instead of requiring a separate channel to "send" the link.
been using this for several months. have used it to send all kinds of files be it malware to large files. it used to accept everything. but now it asks for sign in.. why would they do they though
I wonder if they're running some malware scanners plus do they have to comply with DMCA takedowns? Based on what I see, the files are hosted on their servers, so they kind of have to, no?
File Transfer <a href="https://xkcd.com/949/" rel="nofollow">https://xkcd.com/949/</a><p>Hope Firefox Send solves this ever present problem ;)
I can't believe that there isn't a simple service to transfer data between my cellphone and my computer without going through the internet. iTunes is terribly bloated, MTP is a mess, and Bluetooth is slow and frustrating.<p>Back in my hacker day I used to have an SSH server open on my cellphone and use it to transfer files back and forth with my computer. Why isn't there a mainstream service like that?
How "private" is it? Do you store metadata? i.e. if I upload a file and it expires, do you also delete any trace of me, including my IP address?
I wish Mozilla focused on core Firefox functionalities instead of coming up with so many small side projects that don't target their typical audience. Since Chromium-based browsers are not an option, many of us are stuck with Firefox as the only remaining choice. But even Firefox has to be heavily customized before it's completely deGoogled and stops contacting various motherships.<p>As a side note Nightly build for Ubuntu has been broken since version 61 and there's no sign of any effort to fix it.
I must say I am disapointed.<p>I thought this would be some cool realtime system to send from browser to browser, using WebRTC or something. Something that doesn't involve them paying for file servers, by the way.<p>I believed in Mozilla ! But no, here we are and I just don't see the difference between this and Mega.<p>EDIT: except for the auto-deletion trick that addresses the piracy problem. But still...
This project sucks. Another bullshit firefox.com product that reinvent something existing and well established (eg. Jirafeau or Lufi). I hate so much what Mozilla become.