Wormhole encrypted file transfer app reboots Firefox Send after Mozilla fled
App's developers believe they can manage potential abuse
Earlier this month, a startup called Socket, Inc., launched Wormhole, a web app for encrypting files and making them available to those who receive the URL-embedded encryption key, without exposing the files to the cloud-based intermediary handling the transfer.
That may sound a bit like what Mozilla tried to do with Firefox Send, launched in 2017 and shut down a year and a half later. And that's intentional.
"Wormhole is a reboot of Firefox Send, but with many improvements," explained Feross Aboukhadijeh, a widely known open source developer and co-founder of Socket, in an email to The Register. "We loved Firefox Send and were so disappointed when it was shut down that we decided to rebuild it, but with additional enhancements."
Wormhole offers the same sort of free service: You load the app in your browser and select up to 10GB of local files. The files get encrypted locally and uploaded to Socket's servers. You're then presented with a URL that looks something like this:
The link can then be texted, emailed, or otherwise sent, allowing recipients to download the protected files for 24 hours in unencrypted form before the link expires.
Dropbox absorbs DocSend to add analytics, secure links to document sharingREAD MORE
But Wormhole has some improvements over Firefox Send, notably its support for instant streaming, which allows file links to be shared even before the file is fully uploaded.
"Wormhole uses super fast P2P transfer when possible, which comes in extra handy when both devices are on the same network (since data transferred over the local network is much faster than going out and back to the internet)," explained Aboukhadijeh.
Wormhole is intended to provide a more secure alternative to cloud service providers where uploaded files are not encrypted end-to-end. But Aboukhadijeh said he and his co-founder, developer John Hiesey, believe speed needs to accompany security.
"The sad truth is that for most people, an app with better security or privacy alone isn't enough to get them to switch from an insecure alternative," he said. "So we wanted to make Wormhole fundamentally better in other ways too. That's why we focused so much on making Wormhole faster than mainstream alternatives like Dropbox, Google Drive, and WeTransfer – all of which do not support end-to-end encryption and are slower than Wormhole."
In that, Wormhole succeeds admirably: It loads quickly and scores well in Google's Page Speed Insights test, which can be partially explained by the absence of ads and "creepy tracking" scripts, as the app documentation put it.
The app uses the same encryption scheme as Firefox Send – 128-bit AES-GCM encryption – to encrypt files before they leave the browser.
Managing the Layer Eight problem
The reason Mozilla cited for shutting down Firefox Send was abuse – Mozilla at the time said Send was used to distribute malware and conduct spear phishing attacks. Aboukhadijeh said he believes that will be manageable.
"We think it's encouraging that other products that offer end-to-end encryption like Signal and WhatsApp have managed to handle abuse, malware, and other threats," he said. "We plan to follow the same approach with Wormhole."
"If it comes to it, we may need to introduce client-side virus scanning to protect downloaders from malware, without sending files to our servers. There are many promising approaches we can explore if this becomes an issue."
As for demonstrating to potential users that Wormhole's security claims can be trusted, Aboukhadijeh said Socket plans in the coming days to open source the app's cryptography code for analysis by the security community and to launch a bug bounty program with rewards of up to $1,000. Longer term, he said, the plan is to hire security auditors to produce a formal report.
All that takes resources and perhaps unsurprisingly, there's hope for revenue from what's currently a free service.
"We're planning to introduce a Pro plan which offers larger file limits, customizable link expiration times, and additional features," he said. "Eventually, we may introduce other privacy-focused products which we may charge for as well."
An enterprise version of Wormhole, catering to industry-specific security requirements is also under consideration. Law firms, accountants, and medical professionals, Aboukhadijeh suggested, are ill-served by mainstream cloud storage services and current secure file transfer apps fall short of what they could be.
Asked why Wormhole was built as a web app, Aboukhadijeh expressed enthusiasm for the web.
In the past, he said, he's worked on innovative projects like WebTorrent that push browsers to their limits and he sees Wormhole in the same way. "We want to be an example of what a modern fast web app can do," he said. ®