One arrow hit two targets: Mozilla wants to share and want to encrypt the file

Send solves the problem that is quite common, it is sending heavy files via email. Email services limit attachment sizes, and while many services continue to do so - such as Gmail with a maximum limit of 25MB - many names like Apple or Google have begun. Use the same service as iCloud or Drive to support the download of content.

However, Send offers an alternative solution for sharing files up to 1GB, content is encrypted and the interface is very simple.

Send is part of Mozilla's Test Pilot program to evaluate experimental features on the company's Firefox browser. However, it can also work on other modern browsers.

Send is based on Node.js code, followed by Redis database running on Amazon Web Services. After selecting the file, the software will encrypt the file on the client side, upload it to AWS and create the URL containing the decryption key that the user can share with the recipient.

'Every link sent will expire after one person has downloaded it or within 24 hours, all files sent will be automatically deleted from Send's server,' Mozilla explained.

One arrow hit two targets: Mozilla wants to share and want to encrypt the file Picture 1
The file will be deleted after someone downloads it or within 24 hours

Send based Web Cryptography JavaScript API with AES-GCM algorithm to encrypt and decrypt the client side. When asked if Mozilla could unlock the archived files, the company representative replied no.

Mozilla does not have the decryption key

'With Send, Mozilla will not be able to access the file users upload,' the company representative explained. 'A' fragment 'in the URL (the part after the # sign) contains an encryption key so the user can share it with others, but these fragments are not sent to the server when the user submits the request, so Mozilla will not get the key '.

Although this method can be secure, it is not perfect. AWS can recover deleted files or save them, the key can be returned from the log or messaging service that the user has sent it to the recipient.

Besides, it is still possible to improve security. Mozilla knows that the file name is sent as text, along with other information such as file size, that the company can use to evaluate the service. But the problem with the source code has been indicated on GitHub Issues, the current version of Send also sends the SHA256 hash code of the shared file as text, and it can be used to identify the file.

Responding to this, Mozilla engineer Danny Coates said that Send's security has been revised to reflect the hash function used and the code will be updated next week to remove the hash of the hash function.

'With the current functionality of the page, it is not necessary to send a hash function file as text, but we can test the feature that requires hashing of the file,' Coates said, 'it is used to test Check uploads from malicious databases'. It also needs to check the hash function related to the image or video that violates the law.