For anyone that is interested: https://github.com/timvisee/ffsend
At any rate, the tool works! Thanks so much.
I wasn't fully ready with this tool for the Firefox Send release to be honest, would have loved to be able to provide better binaries and packages for more platforms, which are a work in progress.
If you believe you can improve the README with your solution, be sure to submit a [PR](https://gitlab.com/timvisee/ffsend/).
Happy to see it's working! :)
linker = "/home/drewg123/bin/cargo-ld"
exec /usr/bin/ld -L/usr/local/lib $*
So I can have /usr/local/local/local/local...? :)
disclaimer: I haven't used either cli version.
Mind if I port this to JS?
You are free to port the project to JS as long as you follow the applicable licenses: https://github.com/timvisee/ffsend/blob/master/LICENSE
Along with ffsend, you can use any browser to upload/download files through https://send.firefox.com/ as well.
What changed? Is that rant finally outdated? Couldn't Mozilla at any time serve a corrupted JS bundle (with or without their knowledge) which would leak the key somewhere, silently replace the encryption by a noop, etc?
I ask out of interest, not skepticism. I much prefer an internet where we can trust web apps to do proper crypto than one where we have to depend on some app store to somewhat adequately protect us.
The main thing is that unless you're paying really really close attention to the JS that you're executing, you can't trust this any more than you can trust Mozilla and the security of whatever computer is serving their pages. I wouldn't use this for sending data that you're trying to hide from a nation-state, but it looks like a great option if you want to send a video to your grandma without posting it publicly on the internet or teaching her how to use GPG.
I have Signal running on my Linux computer and on my Android phone. On the Linux computer it doesn't have root access, but it does have access to its own files, so in theory there's nothing to prevent it from making a network request and updating itself. Additionally, I don't ever check Signal before installing a new update, I just blindly do it.
On my Android device, I also have auto-update turned on, because my only option is to turn it on for every app or none of them. So there's nothing to prevent Signal from updating itself and changing the crypto. If I were on an iOS device, I wouldn't even have that option -- to the best of my knowledge you can not turn off app auto-updates on an iPhone, but maybe someone can correct me if I'm wrong. In any case, it doesn't matter that Signal is updated "rarely". An attacker only needs to install one back door, they don't need to update it a hundred times.
So for an extremely typical user like me, who has been taught for as long as I can remember that the most secure thing you can do on an OS is install updates as they come in when they come in, doesn't Signal have the exact same problems as Mozilla? If someone compromises Signal's servers, can't they add a side-channel just as easily?
In theory, I could disable auto-updates and only update Signal when I looked at the source code, just like in theory I could examine the JS that I'm executing every time I connect to a site. But in practice, I don't.
When I read tptacek's rant nowadays, the immediate thing I can think is, "The web is malleable? Literally every single computing environment and device I own is malleable." It feels like if I were to take tptacek's advice to its logical conclusion, I would just conclude that ETE encryption in general is dead.
I would assume Signal to have a proper signing infrastructure in place, so that the keys used to sign new releases are not available to the server hosting/deploying the actual update files (or providing them to Google/Apple for that matter). So simply taking over that server would not be enough, as malicious updates could not be installed.
Assuming Moxie goes over to the dark side, however, you are screwed. There's nothing stopping your Signal app from bundling all your plaintext messages once you've entered your password and sending them off to China, save maybe a firewall you have in place. Google or Apple might stop such an update during their reviews, but I wouldn't bet on it.
Again, please correct me if I'm wrong, but Windows doesn't do anything with signing app updates, does it? Come to think of it, I'm not 100% sure my Linux version has this either, since Signal isn't being distributed as part of the official repos.
If Signal is being updated on Windows without validating any kind of signature, could a compromised server even pull off the "send a malicious payload to only one IP address" attack that people talk about with the web?
You can always implement signing yourself, though, without relying on somebody else's infrastructure. Just include the public key in the app itself and use it to verify your updates are properly signed by your private key before accepting them. I haven't checked but assume/hope Signal is doing this with their updated JS packages.
If none of this were to happen, however, then the answer to your last question is "yes", though with a caveat: If Signal's servers are compromised and push out a malicious update, then all bets are off, as the app running on your system has access to all your unencrypted messages. If the compromised server is only one of the messaging/relay servers, however, things are not as bad, as they don't have access to your keys and thus can't decrypt your messages. They can still forward them somewhere else for later decryption, but thanks to perfect forward secrecy this is currently rather unrewarding.
E2E encryption is still valuable, because assuming that the codebase is delivered/signed separately from its app servers, it decreases the number of available attack points. It's usually easier to secure code delivery than it is to secure your entire backend/database. It's even easier than that to secure a private key that you never put on your delivery servers in the first place.
JS has some additional concerns regarding stuff like Spectre and random number generation, but ignoring those for a sec, E2E encryption is in theory viable and valuable on the web, assuming you've split your backend from your code delivery endpoint and are taking extra steps to secure those specific code delivery servers.
Is that a reasonable interpretation?
Open the Signal store page and click the dots in the top right of the screen and untick Automatic Updates.
I didn't know that, and there are a few apps that I definitely want to use this with. Why on earth isn't this part of the general settings?
In particular: you'd hope that WebCrypto would have changed things a bit, but, of course, it doesn't: it leaves all the cryptographic joinery up to content-controlled code. You're probably somewhat less likely to have side-channel flaws if you use it, but in reality timing side-channels are more talked about than seen. Who would bother, when they can just deliver a script that exfiltrates secrets directly?
I think you should consider hoisting more of this stuff out into standalone blog posts that you can flesh out and also update as circumstances warrant. I don't think I'm the only one who has learned a lot from reading you, but often felt myself wishing it had been dumbed down a shade for beginners.
Maybe the best argument for it is that blog posts remain mutable and you can add and expand as necessary, unlike these HN posts that are frozen in amber.
I'll work on it.
And, well, you may disagree but to me it definitely reads like a proper rant :-)
Please note that I chose the words "legendary rant" with all the love imaginable and I had hoped you'd interpret it as nothing other than a compliment. I much appreciate your contributions to HN and the internet as a whole.
mind pointing to or sharing them?
Your points around a compromised JS bundle are still possible but that has more to do with a company’s deployment/change management setup than JS itself imo
But that's the only point I intend to address here. If Pascal had been the language of the web then my question would have been about Pascal.
Therefore I don't see how SubtleCrypto changes matters much.
In short, if I get it right, the argument would be that in eg a mobile app, all the e2e logic (the core crypto plus the code around it) go through peer-review, then some release management process, then some review by Apple or Google, before it lands in my hands via their app stores' well secured delivery mechanism. In a web app, a single compromised server will compromise all security instantly. Generally I'm fine with trusting Mozilla's servers, but if I have to trust their servers then what's the point of end to end encryption?
This is only true if the server has access to the keys of your data. E2EE typically means that it doesn't, only you do.
Here's a site where you can test your browser's compatibility with many combinations: https://diafygi.github.io/webcrypto-examples/
In our case we aren't doing crypto inception where the cryptography is meant to secure itself. The crypto is being served securely (by ssl) and then used to solve the separate unrelated crypto problem of encrypting random files.
I haven't looked at the details of how Firefox Send works, but if you can download and decrypt the file with nothing more than an https:// URL, it seems like you'd have to trust the server, either to handle the cleartext or to provide trustworthy code to handle the cleartext.
I suppose an alternative would be to generate a data: URL, but if it has to include all the crypto code, I wouldn't expect it to be nice and compact.
Sounds like a challenge for the code golfers.
Compare with native tools which you only download once, can check its signatures and which strive for reproducible builds so that multiple parties can verify them independently.
Now I see a similar issue with security experts preaching that merely possessing a single piece of software with a single thing they classify as a 'vulnerability' implies you will be murdered within the next 24 hours, and it seems they'll happily DoS your computer, get you fired from your job, take your second newborn, and blow up your computer in your face if that's what it will take to make you finally feel real danger. Not sure why it takes people so long to see that reality isn't black-and-white, but better late (hopefully) than never.
Humans are always the weakest link with the internet and someday, sometime, bad code (unknowingly) will be pushed and something will happen to someone.
(Update: Yep, just found it: https://github.com/mozilla/send, just before the comment below was posted :))
Data is encrypted at client and a url with a key is generated.
Can be used 'burn after reading or with some specific lifetime.
EDIT: Apparently there's a way to use filesystem instead of S3, it's just not well documented.
I recently implemented a text/snippet sharing tool that uses Minio instead of S3, because I like to self-host everything.
In my case I have Minio in front of Azure blob storage, so Seafile is storing data in that.
I host Seafile and Minio using Docker Compose, which was super-simple to get started with.
I've used one-time-link services sometimes, and posting the link to Slack causes Slack to make an HTTP fetch looking for metadata, which then invalidates the link.
Then, any automated system which sees the link cannot accidentally cause the file to be "downloaded" which would cause the link to be invalidated. They can see the link itself, but they don't have the password, therefore they can't download the content to scan it.
I have used onetimesecret.com a number of times in this way.
It's a very common and easy to anticipate issue, I'm surprised that there are any one-time-link services left that suffer from it.
But to answer your question, I uploaded a 100mb+ file to FireFox Send, copied the link, RDPd into another computer, kicked off the download, and then cancelled it midway through download. The link did expire after that.
So I guess they don't have an easy way of telling whether the download is successful or not. Maybe Mozilla's engineers can figure something out if the issue is raised.
Firefox might consider keying off the initial IP seen upon retrieval and extending the TTL of the object until the final byte has been retrieved.
There's probably enough complexity and possibility for abuse in allowing automated requests for files again (i.e. a button on the view page) or special logic for second attempts that the safest option is just to have the receiving party ask for the file again through whatever medium originally kicked off the request (an email, an IM, etc).
Firefox could do any number of things to make it easier on the user, but I expect them to take my security and privacy very seriously and to error on the side of those ideas rather than usability, so hopefully if they come out with something it's not at odds with those goals.
In an ideal world, partially-downloading the file would expire the link, but the server would still allow the file download to be resumed (but not restarted).
That checkbox is #1 reason I only use Firefox.
 Developer console log output: "Failed to register/update a ServiceWorker for scope ‘https://send.firefox.com/’: Storage access is restricted in this context due to user settings or private browsing mode. main.js:38:10
SecurityError: The operation is insecure."
I block _all_ cookies except for a small list of sites (like HN...).
This is how i think Mozilla can capture more users back to Firefox. By providing "extra" services attached to the Mozilla and Firefox brand will make them a superior product to the end user.
Sure it's hard to compete with Chrome but if you offer useful features and services integrated in your Browser i see that Mozilla actually has a chance to compete with Google for the browser space.
This is one of the "advantages", if you are a heavy Google user, of Chrome over the competition is that everything is attached to your Google account. Passwords, history, spellers, dictionaries, shortcuts, etc...
If Mozilla comes with Send, Notes, Password Manager all integrated in Firefox i see a good way to bring back some of the previous users that switched to Chrome.
Currently, I need to set up my own email hosting through a service like fastmail and then configure a desktop client(like Thuderbird) to use it.
A Mozilla Gmail-esque service would remove a lot of the friction there and probably bring in a bunch of users who are tired of google running everything.
We don't need another AOL Chrome.
How is that different from the complaints people make about Chrome tightly integrating with Google?
As a Chrome user I can confirm. But for me the main raison I use Chrome is for the dev tools a found them better than FF
1. Bob uploads a file, but specifies no password.
3. Sue downloads the file.
In either case, Mozilla has the password for decryption. This makes a mild barrier to mass scanning content that's uploaded, so at least that's something... but that's little more than a promise I have to trust.
Am I missing something? Where is the "end-to-end" encryption? End-to-end means I don't have to trust you (as much). Please don't turn this into a meaningless buzzword...
EDIT: I did misunderstand something. Please see timvisee's comment below.
Browsers don't send the anchor tag (ie: with GET requests). FF Send takes advantage of this by using the anchor tag to store the key for decryption.
That is kinda novel. You still need to trust the upload client to not leak the key, but I see that you've written a CLI version. Interesting! Thanks for the response.
More seriously, did they do anything to fix this obvious design flaw? If they want to fish a key they can just serve you a modified JS file and retrieve the key. Unless of course you chose to audit the JS served every time you browse the website.
So you have to send the link through some previously-negotiated secure channel. At that point, why not just send the file through that channel? Is it because signal/whatsapp/etc don't allow large files or because the interface is cumbersome?
I think this fills the gap for when you want to share not-critically-secret stuff with non-technical people and would today likely send it over something like e-mail, Drive or Dropbox.
If anything it's probably harder to understand for a somewhat semi-technical person who probably has started to think about encryption and so on but hasn't got far enough to spot that oh - the secret key is in the URL itself as an anchor and so the URL is the secret.
Computer Security is often nicer here than real world physical security, because we are often able to make the extreme cases so implausible as to be irrelevant, enabling intuitive statements to be true in practice rather than subject to endless caveats.
For example a lay person sees a padlock and they imagine that it cannot be opened except with the padlock key. And this is untrue in lots of ways - so a more technical person may think of some of them, and identify that this particular brand of padlock defends against those well, but not realise that other problems are undefended.
So this means the truth about the padlock has to be more nuanced and relative. Breaking the lock open with tools is "difficult". Picking the lock "cannot easily be done in under a minute". But lay people don't like nuanced, relative statements. It sounds a lot like this padlock won't really stop someone stealing my bike! That's because it won't.
But in computer security we often can make these cases irrelevant in practice. What if someone just tries all the key values for this AES encryption? That's fine, there are so many that even if they could try as many as there are grains of sand in the world, every second, the sun would burn out long before they had a meaningful chance of guessing the right one.
This fills a handy gap for a lot of people with smaller needs.
> This fills a handy gap for a lot of people with smaller needs.
You point out exactly the problem: the people who are technical enough to deal with GPG's UX competently are also technical enough to evaluate whether they should put a particular document through this Send service.
I don't think nontechnical people have "smaller needs".
I'm working on documenting the code now before I release on GitHub, but it works on the same premise :)
WebCrypto is mana from the gods...
I think the scheme is fairly robust against passive interception though.
 https://magic-wormhole.readthedocs.io/en/latest/ has
What am I looking at here? On PyPI 'pipe' is listed as a "Module enablig a sh like infix syntax (using pipes)", and magic-wormhole's own docs just say to install with pip like anything else.
`pipx` is a convenience utility for installing cli python tools in separate virtual environments and then being able to update them nicely: https://github.com/pipxproject/pipx
So i meant
`pip install --user pipx && pipx install magic-wormhole`
That is, who's paying for the server storage and the bandwidth?
I remember sending a signed PDF via Firefox Send and was at first horrified when I realized I couldn't get the file back after 24 hours but then relieved knowing that the recipient got it and then it disappeared from the internet. Very cool!
If this were on AWS it would be around $0.09 per GB for downloads.
From this it seems that their moneymaker is the new Firefox account creations that will be driven by this service, to whom they can then upsell. But it doesn't state what they are trying to upsell. Anyone got any idea what that might be?
If you already have a Firefox account, the barrier to using Firefox Sync is lower, and with that, the barrier to using Firefox for Android/iOS is lower.
Secondary - In support of Revenue KPI
We believe that a privacy respecting service accessible beyond the reach of Firefox will provide a valuable platform to research, communicate with, and market to conscious choosers we have traditionally found hard to reach.
We will know this to be true when we can conduct six research tasks (surveys, A/B tests, fake doors, etc) in support of premium services KPIs in the first six months after launch.
Of course Mozilla's not in it for the money, so there's not a direct line from Send to more revenue. Firefox is their main tool to protect the open web, and Send is a way to get more people to use that. And of course, being able to send files encrypted is good for the web as well.
Indirectly, it is primarily financed by the search engine deal in Firefox.
The metrics section is interesting https://github.com/mozilla/send/blob/master/docs/metrics.md
It sounds like they're investigating a premium service offering targeted at privacy conscious users. (The secondary hypothesis covers "revenue" and will be tested by conducting "research tasks ... in support of premium services KPIs.")
I wish they added a QR code option as well. It would be perfect for quickly copying the link by snapping it with my phone so I can download later.
I also think the blog post could explain more why and how the e2e encryption works. Maybe just by showing an example link and then highlight with colors "this part is private"?
Anyone who obtains the link (e.g. via email interception) gains access to the file.
True, but, if a third party decides to use the intercepted link to download the file, and you have it set to a limit of 1 download, the file will self-destruct (if you trust Mozilla). This way, the recipient can know that someone has tampered with the communication, which is certainly an improvement over the status quo (email attachments).
It only takes screenshots within the confines of a Firefox window.
How do they handle abuse though? Like, people using it to host, say, pirated TV shows? Maybe a max download limit that makes it impractical for that use case?
The torrent protocol is already there. Don't put that cost on the Mozilla Org.
One can always split files.
 The protocol is named Google Cast, but all the consumer branding is Chromecast.
Currently, my scanner conveniently sends me emails with scanned documents. But I have not insight into how they actually store and delete the document on the backend.
Would be great if the scanner had the option to upload to Firefox Send and show me a QR code to download it on other devices.
Hinges on the browsers never sending that key, though.
If you want, you can also set a passphrase on the file to share via another channel
"(...) the fragment identifier is not used in the scheme-specific processing of a URI; instead, the fragment identifier is separated from the rest of the URI prior to a dereference, and thus the identifying information within the fragment itself is dereferenced solely by the user agent, regardless of the URI scheme."
Ed: as for an untrusted network, tls should be able to secure that. Except if the network owner can insist on/enforce a tls stripping mitm/proxy.
If that's the case, I think setting a passphrase should be mandatory. Proxy servers are extremely common at every workplace. Since they probably log all requests, they will capture all keys in the URL.
For certain reasons I get a ton of dropbox space, but for my friends, data quotas kick in on even simple files shared like this.
I believe this is a primary upgrade mechanism for DB--I'd say this new firefox offer is in competish.
Using their revenue from search, like everything else they pay for.
> What's the upside for Mozilla?
"Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."
It works on chrome, and does not work on IE 11 (win 7 doesn't support edge)