Best of luck to the author! My understanding is that anything that makes large file sharing easy and anonymous rapidly gets flooded with CSAM and ends up shuttering themselves for the good of all. Would love to see a non-invasive yet effective way to prevent such an incursion.
For Firefox Send, it was actually malware and spearfishing attacks that were spread.
The combination of limited file availability (reducing the ability to report bad actors), as well as Firefox urls being inherently trusted within orgs (bypassing a lot of basic email/file filtering/scanning), was the reason it became so popular for criminals to use. Like we've seen in the spearfishing attacks in India[1].
For a case when file sharing is intended between individuals or small groups there's an easy solution:
Anyone who got the link should be able to delete the file.
This should deter one from using the file sharing tool as free hosting for possibly bad content. One can also build a bot that deletes every file found on public internet.
Because some people would tell them. For example, the FBI would look at a child porn sharing forum and observe a lot of people sharing Send links. Then they would go to the operators of Send servers, and "strongly suggest" that it should shut down.
I wonder how that'll play out in this case, since everything uploaded here expires at maximum 3 days. Maybe they can "handle" abuse reports by simply auto-responding in 3 days that it is now removed.
Do we know whether this uploading is motivated by actual pedo reasons, by anti-pedo honeypot reasons, by sociopathic trolling reasons, by sabotage reasons (state, or commercial), or something else?
It's discouraging to think that privacy&security solutions for good people might end up being used primarily by bad people, but I don't know whether that's the situation, nor what the actual numbers are.
"The Thunderbird team was very sad when Firefox Send was shut down. Firefox Send made it possible to send large files easily, maybe easier than any other tool on the Internet. So we’re reviving it, but not without some nice improvements. Thunderbird Send will not only allow you to send large files easily, but our version also encrypts them" - https://blog.thunderbird.net/2024/10/thunderbird-annual-repo...
It could incidentally be closed source, then. I stand corrected.
Sometimes devs & teams of devs wait until their code is finished to put it online. I tend not to – most of my unfinished code open source code is online. I understand the pros/cons of each way though.
Is there a version of this, where i can allow emailadresses to upload things/download things/share things with other emailaddresses?
Like firefox send but some version of authentication via email? I am aware that i would need a way to send emails so the emailaddresses get authentication
For local network sharing between my devices I tend to use LocalSend [0] which is absolutely brilliant, pretty much replaced my USB stick for transferring files/folders between devices on the same network.
Slightly off topic: I'm a fan of solutions like https://webwormhole.io/ - which lets you send the file directly from one computer to the other via webrtc instead of uploading to a middleman server... at the expense of not being able to generate a link that you can send to someone else and forget about.
If you don't want to self-host and you don't want to trust someone else's service (I don't know anything about this server) you get Bitwarden Send with the $10/year premium plan.
This is also end-to-end encrypted, and the client and server code is open source/source available.
The reason to use Bitwarden could be that you already trust it with something else, and could have taken time and audit that it is indeed legit, or trust others to complain loudly if they find something wrong with the code. Personally, I’d self-host it (or the open source, lighter on resources Vaultwarden), just as an additional safeguard.
There are other variants with different file size limits
https://github.com/timvisee/send-instances
Maybe performance based or something depending on those hosting these instances?
There doesn't appear to be a technical reason, it appears to just be a default configuration setting that was a holdover from Mozilla's imposed limits when Firefox Send was still around.
Best of luck to the author! My understanding is that anything that makes large file sharing easy and anonymous rapidly gets flooded with CSAM and ends up shuttering themselves for the good of all. Would love to see a non-invasive yet effective way to prevent such an incursion.
For Firefox Send, it was actually malware and spearfishing attacks that were spread.
The combination of limited file availability (reducing the ability to report bad actors), as well as Firefox urls being inherently trusted within orgs (bypassing a lot of basic email/file filtering/scanning), was the reason it became so popular for criminals to use. Like we've seen in the spearfishing attacks in India[1].
[1]: https://www.amnesty.org/en/latest/research/2020/06/india-hum...
For a case when file sharing is intended between individuals or small groups there's an easy solution:
Anyone who got the link should be able to delete the file.
This should deter one from using the file sharing tool as free hosting for possibly bad content. One can also build a bot that deletes every file found on public internet.
That then ruins perfectly valid use cases that someone could maliciously delete the file for.
But it allows sending. That might be an okay tradeoff, depending on what you're aiming for.
Anonymous file hosting isn't something I'd be keen to offer, given the nhmber of people who would happily just abuse it.
I've been using this version for a while, presumably it's just gone under the radar enough. So please don't upvote this too much, haha.
I have been using both Swisstransfer.com and filetransfer.io since Firefox Send shut down.
How have they dealt with this?
If it's truly e2e how would they even know what's being shared on it?
Because some people would tell them. For example, the FBI would look at a child porn sharing forum and observe a lot of people sharing Send links. Then they would go to the operators of Send servers, and "strongly suggest" that it should shut down.
> and "strongly suggest" that it should shut down.
I don't know about that, is there any documented case of that?
I feel like they'd probably just contact them and ask for removal of the file(s) and to forward any logs?
> ends up shuttering themselves for the good of all
mostly because it's difficult to handle all the abuse reports
I wonder how that'll play out in this case, since everything uploaded here expires at maximum 3 days. Maybe they can "handle" abuse reports by simply auto-responding in 3 days that it is now removed.
Do we know whether this uploading is motivated by actual pedo reasons, by anti-pedo honeypot reasons, by sociopathic trolling reasons, by sabotage reasons (state, or commercial), or something else?
It's discouraging to think that privacy&security solutions for good people might end up being used primarily by bad people, but I don't know whether that's the situation, nor what the actual numbers are.
The title heavily implies that Mozilla's is closed-source. It isn't: https://github.com/mozilla/send
Actually since it says forked it implies that Mozilla maintains a closed-source version. No, it was cancelled.
The Thunderbird team is working on a fork!
"The Thunderbird team was very sad when Firefox Send was shut down. Firefox Send made it possible to send large files easily, maybe easier than any other tool on the Internet. So we’re reviving it, but not without some nice improvements. Thunderbird Send will not only allow you to send large files easily, but our version also encrypts them" - https://blog.thunderbird.net/2024/10/thunderbird-annual-repo...
It could incidentally be closed source, then. I stand corrected.
Sometimes devs & teams of devs wait until their code is finished to put it online. I tend not to – most of my unfinished code open source code is online. I understand the pros/cons of each way though.
Firefox Send used E2E encryption. The key was generated on the web client and not shared with the Send server.
https://web.archive.org/web/20200226024845/https://www.wired...
That's weird, I thought the original also decrypted them. (You pass the key in the hash fragment, which your browser doesn't send to the server.)
I recently launched www.64.surf that uses the URL to send files, obviously a much smaller file size, but was fun to build regardless.
Basically, base64 encode the file, inject it in the URL and then allows you to share it with other people.
If the URL contains the file, what is the difference between sending the URL and the actual file contents in practice?
Then you send the file as base64 prefixed with your URL?
Where is the use, except that's cool to build?
Cloudflare issue when loading the URL
Is there a version of this, where i can allow emailadresses to upload things/download things/share things with other emailaddresses?
Like firefox send but some version of authentication via email? I am aware that i would need a way to send emails so the emailaddresses get authentication
For local network sharing between my devices I tend to use LocalSend [0] which is absolutely brilliant, pretty much replaced my USB stick for transferring files/folders between devices on the same network.
[0] https://localsend.org/
A command line version by the same author: https://github.com/timvisee/ffsend
This is cool, sharing files larger than 1GB still remains challenging these days.
How easy is it to self-host? I don't see any Docker instructions.
https://gitlab.com/timvisee/send
P.s. Kind of odd that the site links to Github, but the GH repo is only a mirror of the official Gitlab.
swisstransfer.com, up to 50GB
https://github.com/timvisee/send-docker-compose
As a side note, you can also simulate various network problems in the linux kernel via tc: https://www.baeldung.com/linux/network-failures-simulation
Slightly off topic: I'm a fan of solutions like https://webwormhole.io/ - which lets you send the file directly from one computer to the other via webrtc instead of uploading to a middleman server... at the expense of not being able to generate a link that you can send to someone else and forget about.
I am partial to croc[1] which will send directly on your local network, or encrypted through a relay across the 'net.
1: https://github.com/schollz/croc
For local transfers (mainly between my phone, pc and laptop) I've been using LocalSend, works great.
There is also filebin.net: https://github.com/espebra/filebin2/
And pwndrop: https://github.com/kgretzky/pwndrop
And lots of others.
If you don't want to self-host and you don't want to trust someone else's service (I don't know anything about this server) you get Bitwarden Send with the $10/year premium plan.
I didn't know about Bitwarden Send, thanks! Although I did just check it out and it says the limit is 100 MB, which is typically too little.
EDIT: I'm on mobile, apparently it's 500 MB on desktop.
> and you don't want to trust someone else's service
You still have to trust Bitwarden aka someone else's service?
Its e2e encrypted, and the client and server code is open source/source available.
This is also end-to-end encrypted, and the client and server code is open source/source available.
The reason to use Bitwarden could be that you already trust it with something else, and could have taken time and audit that it is indeed legit, or trust others to complain loudly if they find something wrong with the code. Personally, I’d self-host it (or the open source, lighter on resources Vaultwarden), just as an additional safeguard.
How can you guarantee the build is from the open source code? (i.e. doesn't contain a small patch with hostile behavior)
A minor bug. It’s not possible to copy and paste the link from the UI. Using Firefox on iPhone
I wonder what limits sends to 2.5GB ?
There are other variants with different file size limits https://github.com/timvisee/send-instances Maybe performance based or something depending on those hosting these instances?
There doesn't appear to be a technical reason, it appears to just be a default configuration setting that was a holdover from Mozilla's imposed limits when Firefox Send was still around.
https://old.reddit.com/r/selfhosted/comments/1bwqxit/is_ther...
Exactly what i need to be able to not depend on m0zilla