This is the Send, encrypted end-to-end, this is the Send, my Mozillan friend

Ride the fox, ride the fox

Mozilla's Firefox Send, a free encrypted file sharing service, graduated from test to official release on Tuesday after a year and a half of refinement.

Available on the web at send.firefox.com and soon through an Android app, Send first appeared in August 2017 as a way to encrypt local files and store them on Mozilla's servers, provided by AWS, for retrieval with a one-time use URL.

The generated URL, displayed in the browser or app after the file has been locally encrypted and uploaded, is meant to be shared with the intended recipient of the file via email, instant messaging or other means.

Initially, Send supported files of up to 1GB, which it made available as downloads through the generated URL. And after one use, the link no longer functioned.

The official release maintains the 1GB size limit but supports up to 2.5GB for users signed in to a free Firefox Account. It also expands the number of times the shared file can be downloaded.

Users can now select from a handful of possible times a link can be used – 1, 2, 3, 4, 5, 20, 50, 100. File availability is also limited by time, depending upon which preset menu value is selected – 5 minutes, 1 hour, 1 day, and 7 days. These settings, however, can be changed to arbitrary values in the loaded HTML for the page prior to submission using Chrome's Inspect option or Firefox's Inspect Element.

"Send uses end-to-end encryption to keep your data secure from the moment you share to the moment your file is opened," said Nick Nguyen, Mozilla's VP of Firefox Product, in a blog post.

"It also offers security controls that you can set. You can choose when your file link expires, the number of downloads, and whether to add an optional password for an extra layer of security."

On the inside

The service relies on the Web Crypto JavaScript API with the 128-bit AES-GCM algorithm to encrypt files locally before they're sent to the cloud.

"Send uses the Encrypted Content Encoding defined in RFC8188 to encrypt files," a Mozilla spokesperson explained in an email to The Register. "We generate a random 256-bit key that gets included in the hash portion of the share URL so that it can be shared without us (Mozilla) knowing what it is."

The 128-bit AES-GCM key is used for the file and file metadata; the HMAC SHA-256 signing key is used for request authentication, as can be seen in the source code.

Mozilla also collects a limited amount of client and server information during Send interactions, detailed on its metrics page and in its privacy notice.

The fragment identifier of the URL – the part after the # – contains the decryption key, which isn't typically sent to the server but can be extracted via JavaScript. If the Send page is compromised, or if Mozilla decides to capture user keys, anyone in control of the Send application code could potentially modify it to read a submitted key via the browser's window.location.hash property.
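The scheme described in this section, as an added example for Node.js that is not Mozilla's code: a random secret travels only in the URL fragment, and a 128-bit AES-GCM file key plus an HMAC SHA-256 request-signing key are derived from it. The HKDF derivation and its labels, the `send.example` host, the nonce flow and the single-shot AES-GCM call (in place of RFC 8188 record framing) are assumptions made for illustration.

```javascript
// Added example (Node.js), not Mozilla's code: secret-in-fragment sharing via Web Crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const b64url = (bytes) => Buffer.from(bytes).toString('base64url');
const secretOf = (shareUrl) => Buffer.from(new URL(shareUrl).hash.slice(1), 'base64url');

// Assumption: both keys come from one URL secret via HKDF with distinct info labels.
async function deriveKeys(secret) {
  const base = await wc.subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  const hkdf = (info) => ({ name: 'HKDF', hash: 'SHA-256',
    salt: new Uint8Array(0), info: new TextEncoder().encode(info) });
  const fileKey = await wc.subtle.deriveKey(hkdf('encryption'), base,
    { name: 'AES-GCM', length: 128 }, false, ['encrypt', 'decrypt']);
  const authKey = await wc.subtle.deriveKey(hkdf('authentication'), base,
    { name: 'HMAC', hash: 'SHA-256', length: 256 }, false, ['sign']);
  return { fileKey, authKey };
}

// Sender: encrypt locally. Only `upload` reaches the server; `shareUrl` goes to the recipient.
async function seal(plaintext, origin = 'https://send.example') {
  const secret = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const { fileKey } = await deriveKeys(secret);
  const ciphertext = new Uint8Array(
    await wc.subtle.encrypt({ name: 'AES-GCM', iv }, fileKey, plaintext));
  const id = b64url(wc.getRandomValues(new Uint8Array(8)));
  return { upload: { id, iv, ciphertext },
           shareUrl: `${origin}/download/${id}#${b64url(secret)}` };
}

// What an HTTP client puts on the wire for a URL: path and query, never the fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

// Recipient: page script reads the fragment (window.location.hash in a browser) and decrypts.
async function unseal(shareUrl, upload) {
  const { fileKey } = await deriveKeys(secretOf(shareUrl));
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: upload.iv }, fileKey, upload.ciphertext);
  return new Uint8Array(pt);
}

// Request authentication: HMAC SHA-256 over a server-issued nonce (constructed flow).
async function signNonce(shareUrl, nonce) {
  const { authKey } = await deriveKeys(secretOf(shareUrl));
  return new Uint8Array(await wc.subtle.sign('HMAC', authKey, nonce));
}
```

The server in this sketch stores only `upload` and never sees the fragment, but any script served with the page can call the equivalent of `secretOf`, which is why the integrity of the delivered application code is the trust boundary.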

However, Mozilla has made the source code available. So if using Mozilla's version of Send, which runs atop Google Cloud Platform, seems too risky, users have the option to run their own instance on other cloud services like AWS (which hosted Send initially) or on a local machine sporting Node.js 10+.

The Register asked whether Mozilla does any sort of file hashing to check uploaded images against known unlawful content. Mozilla's spokesperson didn't have an immediate answer about that but said using Send for illegal purposes is against the company's terms of service.

The browser maker does occasionally receive subpoenas in conjunction with the use of its services and publishes a limited amount of information about this in its periodic transparency reports.

In countries where technology providers can be forced to provide technical assistance to authorities, there may be additional threat scenarios.

For Mozilla, Send represents a way to encourage people to create Firefox Accounts and to build a relationship with people who make informed technology choices (as opposed to those who use whatever is installed by default and don't care about their tools). Services like Send may end up becoming more important to Mozilla as the seemingly irresistible gravity of Google Chrome pulls people away from Firefox.

There are already many ways to send files with varying degrees of security, some more verifiable than others. These include Ceph, Signal, WhatsApp, DropSecure, OnionShare, Cryptomator and wormhole, to say nothing of the big cloud companies' file storage services or protocols like SFTP. What Send offers is simplicity from a fairly trusted brand and the power to run the code yourself if you're so inclined. ®
