If anyone is interested, after Firefox Send shut down, I wrote https://www.relaysecret.com. Its footprint is extremely small (1 Lambda function that does all signing for S3 upload/download, simple frontend code that does encryption in the browser using the Web Crypto API with no 3rd-party JS, no 3rd-party CSS, no tracking). The anchor tag is used for additional random key material (so it won't leave ya browser and files will always be encrypted regardless).
You can roll your own too with the Terraform code in it. It costs me barely anything (never go over the free tier limit) to run it because files never live more than 10 days (there is a catch-all lifecycle rule on the bucket) and when users select durations, I also put them in a bucket prefix that has a lifecycle rule placed on objects under it for that duration. Note that we can't rely on the lifecycle rule all the time, so I also make sure that when the Lambda is called to access the object, it checks the timestamp and the duration, and if it is meant to expire and not yet cleaned up by S3, the Lambda function deletes it.
I learnt a ton of cool things about S3 after this neat little project and really dig the API, the lifecycle rules, signing URLs etc...
PS: for these types of tools, you should definitely MITM it to see if the plaintext file or password ever leaves the browser... Relaysecret does leave one item unencrypted and that is the file name. You can change it upon upload but I like to leave it there so people know what they are downloading. I have a simple idea of encrypting that with just the anchor key but haven't gotten around to putting that in yet.
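The access-time expiry check described in the comment above, as an added Python example; it is not Relaysecret's own code. The prefix names, the `fetch_if_live` helper and the `FakeS3` stand-in are hypothetical; `head_object` and `delete_object` follow the boto3 S3 client call shapes.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical prefix naming; the post only says each duration has its own prefix.
PREFIX_TTL = {
    "1hour/": timedelta(hours=1),
    "1day/": timedelta(days=1),
    "10day/": timedelta(days=10),
}
CATCH_ALL_TTL = timedelta(days=10)  # the bucket-wide 10-day rule from the post


def ttl_for(key):
    """Lifetime implied by the object's prefix, falling back to the catch-all."""
    for prefix, ttl in PREFIX_TTL.items():
        if key.startswith(prefix):
            return ttl
    return CATCH_ALL_TTL


def fetch_if_live(s3, bucket, key, now=None):
    """Return True if the object may be served; delete it and return False if expired."""
    now = now or datetime.now(timezone.utc)
    head = s3.head_object(Bucket=bucket, Key=key)  # boto3-style call
    if now - head["LastModified"] >= ttl_for(key):
        # Lifecycle rules run asynchronously, so an object can outlive its TTL.
        s3.delete_object(Bucket=bucket, Key=key)
        return False
    return True


class FakeS3:
    """In-memory stand-in for a boto3 S3 client (constructed for this example)."""

    def __init__(self, objects):
        self.objects = dict(objects)

    def head_object(self, Bucket, Key):
        return {"LastModified": self.objects[Key]}

    def delete_object(self, Bucket, Key):
        self.objects.pop(Key, None)


if __name__ == "__main__":
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed sample data
    s3 = FakeS3({
        "1hour/abc": now - timedelta(hours=3),  # expired, not yet swept
        "1day/def": now - timedelta(hours=3),   # still live
    })
    print(fetch_if_live(s3, "bucket", "1hour/abc", now), sorted(s3.objects))
    print(fetch_if_live(s3, "bucket", "1day/def", now), sorted(s3.objects))
```

Only once this check passes would the function go on to sign a download URL; a real client raises an error on a missing key, which the handler would map to "not found".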
Thank you for this. I just bookmarked it. When Send shut down I've constantly been searching for a better transfer program that doesn't require any client-side setup besides a link.
I've been using https://sendight.ml/ recently, but occasionally get corrupted files for reasons unbeknownst to me, but beyond that it's the best one I've found so far, no connection to them, just found it on a reddit thread.
Oh wow! I didn't know this reply got so many likes, thank you! Sendlight.ml looks awesome and on that note, to make things easy to share between devices, I made a simple "tunnel" mode as well, you can try it here: https://www.relaysecret.com/tunnel
The way it works is super simple: the anchor tag is based on the tunnel name (first round of SHA-256 if my memory serves me well) and the actual "tunnel id" is the first few characters of the second round of SHA-256. This way, by entering the same "tunnel", both devices can share files without the need to share long complicated URLs. The files in a tunnel only live up to a day.
Unlike Sendlight though, it is not peer-to-peer WebRTC and it is using the same Lambda backend to create signed URLs for S3, with encryption done in the browser like before, just a neat little trick to have a simple way to set up a "room" between devices ;)
Aha that is a great question! There are 2 parts of the key, one is the anchor tag key (the part behind # that you see in download url) and your password. The anchor tag key part is ALWAYS generated randomly in the browser so that your file will be encrypted no matter what even if you forget to enter password and hit upload.
Note that the anchor tag part does not leave the browser, so it is one of the clever things Firefox Send used to share some id/key. You can double check it in the network tab ;) If you are worried about that key being leaked somehow, adding a password on top is a good measure.
100% this, but note that the user-entered password is not included in the anchor tag, so if you add a password, the recipient still needs to enter the password to be able to decrypt and download ;)
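The tunnel derivation and the "fragment never leaves the browser" point from the comments above, as an added Python example; it is not Relaysecret's code, which runs in the browser. The 8-character id length, hex encoding, hashing of the raw first-round digest and the URL layout on `files.example.invalid` are all assumptions.

```python
import hashlib
from urllib.parse import urlsplit

ID_CHARS = 8  # assumption: the post only says "a few first characters"


def derive_tunnel(name):
    """Return (anchor_key, tunnel_id) for a tunnel name.

    anchor_key: first SHA-256 round, kept in the browser (URL fragment).
    tunnel_id:  prefix of the second round, the value the backend sees.
    Hex encoding and hashing the raw digest are assumptions of this sketch.
    """
    round1 = hashlib.sha256(name.encode("utf-8")).digest()
    round2 = hashlib.sha256(round1).hexdigest()
    return round1.hex(), round2[:ID_CHARS]


def request_target(url):
    """What a browser puts on the HTTP request line: path and query, no fragment."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def share_url(name, base="https://files.example.invalid/tunnel"):
    """Constructed URL layout (hypothetical): id in the query, key after '#'."""
    anchor_key, tunnel_id = derive_tunnel(name)
    return f"{base}?id={tunnel_id}#{anchor_key}"


if __name__ == "__main__":
    a = derive_tunnel("kitchen-laptop")  # device A (constructed tunnel name)
    b = derive_tunnel("kitchen-laptop")  # device B types the same name
    print("same room and key:", a == b)
    url = share_url("kitchen-laptop")
    print("server sees:", request_target(url))
    print("key present in request:", a[0] in request_target(url))
```

Under this derivation the anchor key is only as unpredictable as the tunnel name itself, which is where the password on top, mentioned in the comments above, adds a second secret.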
If you click on the timestamp of a comment there is an additional option to favourite a comment. These are then visible from your profile until you remove this toggle
it only relies on a third party for a handshake rather than storing files online, so there's no limit to what you can send and it's probably less likely to go away.
Do you know how secure it is compared to Magic Wormhole?
I remember a few years ago reading a comparison between two file sharing apps, and if my memory serves me they were croc and Magic Wormhole. One of them had a litany of security holes but I don't remember which of them. I googled but couldn't find info on this.
I've been trying out Nix lately and did something similar to get a croc binary. My system package manager didn't have croc and also didn't have the Go version required to compile croc, but Nix did have the latest Go.
Ran this:
nix-shell -p go --run "go install github.com/schollz/croc/v9@latest"
and got it compiled. In retrospect, I should have just used the croc package in Nix, but the simplicity of this approach is a vast improvement over the alternative of getting Go myself and cluttering up my system with random build tools for one-off compilations.
The similar (but different) tool I use is Web Wormhole (https://webwormhole.io/#). It does the same thing but through a Web UI and uses WebRTC under the hood. Its great benefit over magic Wormhole is that the target doesn't need to install anything at all. If I'm having a Teams/Zoom/Jitsi call and I want to send a large file I can just send them a link and then drag and drop.
Portal does much of the same but is usually quicker in sending files than both croc and magic wormhole, since files are effectively compressed before sending among other things [note: I'm one of the creators of Portal].
This is a client for connecting to alternate implementations of the original 'Firefox Send' filesharing service; not the current Firefox 'Send' service which just sends tabs between synced Firefox clients (unfortunate as I would find that useful).
> Firefox Send has been discontinued as of September 17th, 2020. You will no longer be able to upload or receive files. We’d like to thank all of you who tried Firefox Send.
> We started Firefox Send as a way for you to share files safely and easily from any browser. Unfortunately, some abusive users were beginning to use Firefox Send to ship malware and conduct phishing attacks. When this problem was reported, we stopped the service. Please see the Mozilla Blog for more details on why this service was discontinued.
That's my understanding as well. ffsend was created as a client to the Mozilla-hosted filesharing service at send.firefox.com (now defunct). The server component was then forked and made self-hostable.
I actually donate a nominal amount via github sponsors just to help support hosting costs since I find the utility useful -- specifically in my case for allowing people using my Binder notebooks to get their data out of the container without having to have a server of their own.