First Look at Tresorit Send file sharing solution
Tresorit Send is a new file sharing solution by Tresorit that was launched as a beta version recently.
Tresorit is best known for its end-to-end encrypted file synchronization and sharing solution for businesses and individuals.
Tresorit Send is a free file sharing solution that uses end-to-end encryption to prevent unauthorized access to the shared data even from Tresorit itself.
The service supports files with a size of up to 5 Gigabytes. All you have to do is visit the Send page on the Tresorit website and click on the "add your files" link to get started.
The selected files get uploaded to the service eventually but you are asked to enter an email address and can make some (optional) changes on the page before that. The email address gives you control over the uploaded files; it is in theory possible to use an invalid email address to share files but you won't get options to revoke the files early on then.
Tresorit Send limits files to 100 and the maximum size of all files to 5 Gigabytes per share. Shared files can be downloaded up to ten times before links expire automatically. There is no option to reset the download count or extend the share period.
You may check the "protect link with password" option to add password protection to the link, and "send me an email at link openings" to receive information when a recipient opened the link.
A click on "create secure link" encrypts the selected files on the local system and uploads the encrypted files to the cloud.
We apply symmetric keys and the AES-256 encryption algorithm to encrypt data uploaded to the cloud. The secure link includes the key for decryption on the recipient's side. This key is never revealed on our side, meaning only you and the link recipients can decrypt the files.
The process may take a while depending on the size of the files, the performance of the device you are using, and the computer's upload speed.
A link is generated in the end that includes the key to decrypt the files. You can copy it to the clipboard to share it manually with recipients, or use integrated share via email options instead.
Files can be accessed for up to 7 days or 10 times, whichever happens first; they will be deleted from the server when a limitation is met. Options to modify these values are not provided to free users as it is reserved to commercial customers.
The sent email includes a verification link. A click on it verifies the email and opens the management interface. The interface is basic; it lists just two options:
- Turn email notifications for link activity on or off.
- Revoke the link.
Tresorit Send promises that only the file uploader and users who receive the email link have access to the shared files. The company revealed that third-party audit of the service or making it open source is on the roadmap to increase trust in it.
The data is stored on Microsoft Azure servers in Ireland and the Netherlands according to Tresorit; all data associated with a shared file set, including stored content and metadata such as the email address, is deleted 14 days after links expire.
Now You: How do you share large files?
Volafile does most of this already. So how is this different from vola?
Volafile, the service with no data security information anywhere. No information about anything. Yeah, would trust them :)
Why do they wait 14 days after links expire to delete everything?
Maybe it has something to do with data storage on MS Azure service?
MS Azure!? Ok this is trustworthy. (sarcasm)
This is why people still use FTP. Any middleman is a potential risk, including Microsoft and Amazon, who host most of these services in the US.
According to Tresorit, content is hosted in the EU.
However, according to US government they have right to all content stored in any location by a US company.
I doubt that MS is going to say no to secret FISA orders.
The protection and trust comes from encryption. Normal tresorit encrypts on your machine but that does not seem to be the case here which makes the whole encryption thing pointless. Anyone competent will exchange encrypted files (veracrypt containers being best option most likely).
I think Tresorit Send also encrypts your files on your machine, in the browser, that’s why the service is considered to be end-to-end encrypted.
My bad. I missed the part where the file is encrypted on the local system. In that case it shouldn’t matter where it ends up. Still, probably safest to exchange already encrypted files as a lot of security depends on e-mail.
PS: Wish we could register accounts so I can edit my previous bad comment
I share large files via mon-partage.fr but files are limited to 200MB, far from Tresorit’s 5GB; similar options with/without an account (I have an account). Nowadays I admit 200MB is lite but in my case far enough. All depends of one’s needs, as always. I’ll have a look at ‘Tresorit Send’ file sharing solution.
I just discovered when visiting send.tresorit.com, that,
1- Cookie is required (site won’t open without cookie permission),
2- Their cookie installs a tresorit dedicated sub-folder in user’s FF [PROFILE]\storage\default\ folder,
3- Tresorit requires connection to azureedge.net, a Microsoft domain.
Points (2) and (3) make this site uninteresting for me.
2. How would you implement end-to-end encryption without storing anything?
3. they use Azure service for their platform, files are encrypted on your PC and then sent to Azure for storage
And they have a cookie on your pc too, one wonders what it contains.
10. …cookies record certain information that is stored in the memory of their hard drive.
@NoobFromhell, when I mention cookies i’m referring to,
1- A site’s own cookie : mon-partage.fr runs with no cookie permission. But that’s not at all a problem, cookies basically are worthy;
2- Concerning 3rd-party cookies most sites nowadays use them; it’s up to the user to block those 3rd-party cookies;
3- My policy is to block 3rd-party cookies with no exception and to block all cookies with exceptions, an exception will be for session only or ‘Allowed’ (kept from one session to another).
4- My rule is to never authorize a site to lay down data in my FF [PROFILE]\storage\default\ folder. There’s no need for that. If the protocol requires it then I’ll use a dedicated non-browser application (files encrypted locally before being sent) : IMO a browser is not to be given rights which are pertinent to an application built over the browser.
5- The trend has been for several years now a constant research of how to allow sites to keep users’ data on the user’s browser, it is the natural development of the cookie syndrome applied to data which very often not at all required. If I wish to not have to retype my site preferences, log then that’s what a cookie is for. No need for more.
As many I’m concerned with privacy and unfortunately the way the Web is deploying shows an increasing challenge for sites to track and/or participate to users’ tracking. I just say no. If a site won’t run with my requirements then I avoid that site. It’s as simple as that.
@NoobFromhell, I forgot to mention this, regarding file encryption : if I do consider that http encryption is pertinent, valuable whatever the site, even if it doesn’t handle confidential information, I don’t subscribe to the encryption hysteria concerning in this case file sharing. Unless a file contains confidential information and/or is transmitted within a professional environment (govt, agencies, journalism etc.) there is no need to encrypt what most of us share, common files, pics, code, music etc.
Now, should i need to share a file requiring encryption via a simple file sharing service then there is nothing easier then to encrypt the given file by ourselves before sending it : many applications of which top-notch ones do just that, and moreover you know exactly what encryption method is used. End-to-end encryption is fine as long as you know what encryption method is applied : if you want to be secure till the end rather than because it’s a fashion then dig into automated encryption before being confident or, better, do the job yourself before sending the file (over https of course!).
Doing your own crypto is far from safe as it’s very hard to implement correctly. On top of that HTTPS is as safe as an open door as it depends on the infinite amount of CAs in your OS/browser. None of them are safe and all of them are easily compromised by a state actor. Security you get from https is at the most against some script kiddie or passive listening.
There is a reason why chrome actually pins google certs for gmail and co as that is the only way to make https secure in any way or form.
I guess they don’t warrant exactly 2 weeks, they just get some slack for themselves to avoid any lawsuits from users who found out files are not deleted instantly after limits expired (or the link revoked) due to any technicalities.
Just use BitTorrent (encrypt to passworded 7z before sharing) or Resilio Sync (free ed) when files are frequently changing.
There is also FOSS Syncthing, but it’s very cumbersome to set up. And if you have more nodes, it’s more troubles (there’s no peer discovery â€“ you’ll need to manually add on each peer on each node, and if you have many files, restarting is wasteful â€“ each node uploads large blob of metadata to each peer on restart).
Firefox has its own secure file sharing service: https://send.firefox.com/
People just looking for encrypted, secure storage online may be interested to know that Tresorit has a well-hidden free option, limited to 3 GB :
As far as I know, this link is nowhere to be found on the home page. The only free service you’re offered, starting from there, is indeed Tresorit Send, which is not for storing but for sharing.
Clairvaux, ( Or anybody else who knows this) It seems that I have to install a software program before I am able to use this 3GB (https://tresorit.com/pricing/basic) service?
I also can find on the Tresorit website or its possible to upload a 2.99 GB file?
Do you know or do you have an independent report how save this installer really is when this Tresorit domain really is ( and I am mean not only that it seems to have to connect to Microsoft)?
Next, to that do I getting any popup commercials from that its bright to go over on a paid service?
Also, do Tresorit also install with this installer a cookie in the Tresorit dedicated sub-folder in userâ€™s FF [PROFILE]\storage\default\ folder?
Yes, you have to download Tresorit’s client to use it on your PC. All cloud services work this way, as far as I know.
I haven’t used Tresorit myself, but in order to benefit from privacy-oriented services, you need to tune down the paranoia a little bit. You’ll always need to trust a provider — many of them, actually.
Tresorit is recommended by Proton Mail and Tutanota, two other well-known and trustworthy privacy-oriented services. It’s not open source, if that matters to you. It’s Swiss, if it matters to you. They organised a $ 50,000 hacking challenge, and nobody has won it.
Thanks @ Clairvaux,
For thanking the time to answer me.
I thought because I could not find much information about the Tresorit company (And this was the first time I heard about them) I thought that It could be a wise thing to do, to just ask about the company and because of your early comments here on Ghacks.net, I was convinced that you could give a clear worthwhile (clair vaux) :-) ) answer.
Myself up to I am up to now I am using to send large files (who not encrypted), to people who are not tech savvy at all, services like there are:
More a bit outdated info on that sort not encrypted sharing services on https://schollz.github.io/sending-a-file/
But with friends, I use the old but still goody Filezilla mostly for not security related transfers.
But there are many possibilities like for instance O&O filedirect or (even) TeamViewer! :-)
But I am very grateful to Martin ( Van ghacks.net) for his new suggestion because besides encryption this service also offers an even bigger file transfer (from 2.5 GB that I am used to) possibilities, who is also encrypted. So in my book, it is a double profit (A win-win situation).
Tresorit is basically a more expensive Swiss copy of spideroak. At least as long as you stick to PCs. On mobile the difference is gigantic as trosorit still does local encryption/decryption instead of in the cloud (which completely defeats the purpose so not sure why spideroak does it that way).
What I do is have paid tresorit for my PCs and then use the free tier on the phone. You can share folders securely between the two and this way I don’t have to put my proper PSWD on the phone (arguably the least secure platform in the history of mankind).
What is “FF [PROFILE]\storage\default\ folder” ?
DDG search only returns this blog
Is FF Firefox ?
Does that mean cookies can be “stored” elsewhere other than in browser -> Options -> cookies ?
Dumb question from a 73 yr old dinosaur. :|
I use sometimes https://file.pizza
– P2P based on WebRTC (at least TLS is used)
– Open Source
– No file size limit
– Window must stay opened until transfer is finished
– The upload speed may vary (your ISPs upload speed)
If i need to share something more private: Onion Share https://onionshare.org/
I would not trust their encryption. Do it yourself on your side first then share it where you can.
Resilio Sync without using tracker server. No need to put anything on someone else server.
another option is filemail.com (though iâ€™m not sure, and personally donâ€™t care that much about) encryption etc here.