Firefox Send gets password protection upgrade - gHacks Tech News

Firefox Send gets password protection upgrade

Users of Mozilla Firefox's Send file sharing service and Firefox experiment may protect files with passwords in the latest iteration of the service.

The organization launched Firefox Send back in July of 2011 as one of three new Test Pilot experiments (the other two were Voice and Fill Notes).

What made Send special was the fact that it could be used without participation in the Test Pilot program. Anyone, Firefox users and users who use other web browsers, could open the Firefox Send website to send files to others.

Send works like any other file sharing service on the Internet. Drop files on the service's website to upload them to the service. It has a an upper limit of 1 Gigabyte per file, but no other restriction that I'm aware of (file types for instance).

Send creates a unique URL that you can copy to the Clipboard after the upload finishes. While the URL is unique, it is publicly accessible which means in theory that it is possible to brute force the service to download files that other users of the service have uploaded.

The new version of Send puts an end to this, at least for users who enable the optional password protection option.

firefox send password protect

The option is displayed after the file is uploaded to Send. You need to check the "Require a password to download this file" box on that page to enable it. Send displays a password field when you do. Type the desired password and select the "add password" button afterwards to apply it.

This password protects the file. Users who open the share link in a browser are prompted for the password when they do. There is no option to download the file anywhere unless the password is entered correctly.

firefox send encrypted password

The download link is displayed once you enter the password and hit the unlock button, provided that it is the correct one to decrypt the file.

All other parameters of Firefox Send remain the same: file download links expire after 24 hours, and uploaders may delete the file at any time.

Closing Words

Password protection improves the security of files uploaded to Firefox Send. While adding passwords adds another bit of information to the sharing process, as you need to share the download link and the password, it protects files from being stumbled upon by accident (as unlikely as this is).

Summary
Firefox Send gets password protection upgrade
Article Name
Firefox Send gets password protection upgrade
Description
Users of Mozilla Firefox's Send file sharing service and Firefox experiment may protect files with passwords in the latest iteration of the service.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. test said on November 15, 2017 at 2:41 pm
      Reply

      test

    2. M3 said on November 15, 2017 at 5:15 pm
      Reply

      Sounds pathetic as every Mozilla idea so far.
      – upload to the cloud, (Where to? Is google involved? Sure.)
      – they can brute force it like your firefox password database (Well encrypted (!) … again)

      I would recommend FilePizza to do such things with AEScrypt or GPG encryption.
      https://file.pizza/

      1. TelV said on November 16, 2017 at 12:53 pm
        Reply

        I hadn’t heard of file.pizza until you posted the link to it, but it appears that WebRTC is necessary in order to use it unfortunately. Here’s the error I got on the landing page: “400: No WebRTC Support. Please use Chrome or Firefox.”

        WebRTC is disabled on my system (using Firefox ESR) since it causes IP leaks.

      2. George said on November 17, 2017 at 4:15 pm
        Reply

        Can you please clarify a bit further the “firefox password brute force” part? Thanks.

    3. slumbergod said on November 15, 2017 at 7:05 pm
      Reply

      The link also expires even if the recipient fails to download the file correctly. It *should* expire after a successful download but, no, the stupid Mozilla engineers screwed up yet again.

      1. Ryan said on November 20, 2017 at 8:14 pm
        Reply

        I think 24hr expiration regardless of download is the result of a thoughtful decision. Basically Mozilla can’t offer endless storage, which would be required if files had to be guaranteed to remain up indefinitely. Without this limit, there would be: 1) an ever growing amount of abandoned data that Mozilla is on the hook for storing just in case it gets downloaded some day, 2) No way for Mozilla to make quick changes if needed or even stop offering the service without breaking promises.

        Just consider this password addition. Because of the limit, we can be certain that within 24hrs of change, 100% of files in storage will have had the option to be password-protected.

        It’s too easy to call people stupid if you don’t understand them or if they don’t do things as you would.

    4. nik said on November 16, 2017 at 3:26 am
      Reply

      Off topic – CCleaner has started adding Avast setup in installation wizard.

      https://imgur.com/a/47RG2

    5. Ryan said on November 20, 2017 at 8:20 pm
      Reply

      Martin,

      I think you may have missed the biggest impetus for the addition of a password. You write about how unlikely it is that an unprotected url would be stumbled upon, and how the url could be bruteforced. That’s true, but neither is the real danger.

      Automated web crawling is the real threat in my opinion. Because most people likely share these urls (including the hash that stores the private key) in insecure channels (email, chat, sms), the urls will be visited by crawlers looking to index new pages, or assess links for malware. It defeats the purpose of having a private means of exchanging files.

      With the change, a focused attacker will still get the file if the link and password are shared together insecurely, but automated indexing bots are much less likely to get the original file. An additional benefit is that people intuitively understand that a password should be kept secret; it’s a lot more difficult to explain that the hash part of a url should be kept secret when all our web experience has ingrained in us that a url is public

    6. Mr jacob said on December 1, 2017 at 10:21 am
      Reply

      Usually I need to send way more. That is why I prefer MyAirBridge.com. This online service offers me up to 20 GB for free and without any registration. It also has the highest possible encryption during the transfer and the shared files could be also protected by the password.

    Leave a Reply