The file will be deleted after someone downloads it or within 24 hours
Send based Web Cryptography JavaScript API with AES-GCM algorithm to encrypt and decrypt the client side. When asked if Mozilla could unlock the archived files, the company representative replied no.
'With Send, Mozilla will not be able to access the file users upload,' the company representative explained. 'A' fragment 'in the URL (the part after the # sign) contains an encryption key so the user can share it with others, but these fragments are not sent to the server when the user submits the request, so Mozilla will not get the key '.
Although this method can be secure, it is not perfect. AWS can recover deleted files or save them, the key can be returned from the log or messaging service that the user has sent it to the recipient.
Besides, it is still possible to improve security. Mozilla knows that the file name is sent as text, along with other information such as file size, that the company can use to evaluate the service. But the problem with the source code has been indicated on GitHub Issues, the current version of Send also sends the SHA256 hash code of the shared file as text, and it can be used to identify the file.
Responding to this, Mozilla engineer Danny Coates said that Send's security has been revised to reflect the hash function used and the code will be updated next week to remove the hash of the hash function.
'With the current functionality of the page, it is not necessary to send a hash function file as text, but we can test the feature that requires hashing of the file,' Coates said, 'it is used to test Check uploads from malicious databases'. It also needs to check the hash function related to the image or video that violates the law.