Firefox Send: Free encrypted file transfer service

Datenstrom7y ago

I just had the same issue with rust linking to a 1553 bus library in /usr/local/lib yesterday. Seems like this should be on the search path.

[0] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

ycnews7y ago

Python cli version at https://github.com/ehuggett/send-cli

disclaimer: I haven't used either cli version.

timvisee7y ago

Cool. Sadly, I don't think the client supports the current Firefox Send version though. Method of encryption has been changed during the last few months.

nickpsecurity7y ago

Love the demonstration on the Github page!

tintintin7y ago

This is great, thanks :)

Mind if I port this to JS?

Sephr7y ago

You don't have to ask for permission to fork open source projects.

You are free to port the project to JS as long as you follow the applicable licenses: https://github.com/timvisee/ffsend/blob/master/LICENSE

harshitaneja7y ago

Thanks a lot. The first thought after seeing this was that I wish it had a CLI and I know I am lazy enough to never write one.

ausjke7y ago

do I need install firefox to use this tool? looks neat!

timvisee7y ago

No, see the requirements here: https://github.com/timvisee/ffsend#requirements

Along with ffsend, you can use any browser to upload/download files through https://send.firefox.com/ as well.

nicebill87y ago

Nope, you don't need Firefox to use the site anyway.

tomupom7y ago

This is such a fantastic tool to have, thank you so much!

kevinherron7y ago

This is neat, thanks.

skrebbel7y ago

In the not so recent past, HN'ers loved to quote tptacek's legendary rant about how in-browser JavaScript crypto is fundamentally broken[0].

What changed? Is that rant finally outdated? Couldn't Mozilla at any time serve a corrupted JS bundle (with or without their knowledge) which would leak the key somewhere, silently replace the encryption by a noop, etc?

I ask out of interest, not skepticism. I much prefer an internet where we can trust web apps to do proper crypto than one where we have to depend on some app store to somewhat adequately protect us.

Rebelgecko7y ago

Some of those points are relevant and some aren't. For logging in to a website, "just use SSL/TLS instead" makes sense, but not for this use case. There's better options nowadays for doing crypto in the browser, but I wouldn't be surprised if they were at least theoretically vulnerable to side channel attacks from JS running in another tab.

The main thing is that unless you're paying really really close attention to the JS that you're executing, you can't trust this any more than you can trust Mozilla and the security of whatever computer is serving their pages. I wouldn't use this for sending data that you're trying to hide from a nation-state, but it looks like a great option if you want to send a video to your grandma without posting it publicly on the internet or teaching her how to use GPG.

danShumway7y ago

Followup question:

I have Signal running on my Linux computer and on my Android phone. On the Linux computer it doesn't have root access, but it does have access to its own files, so in theory there's nothing to prevent it from making a network request and updating itself. Additionally, I don't ever check Signal before installing a new update, I just blindly do it.

On my Android device, I also have auto-update turned on, because my only option is to turn it on for every app or none of them. So there's nothing to prevent Signal from updating itself and changing the crypto. If I were on an iOS device, I wouldn't even have that option -- to the best of my knowledge you can not turn off app auto-updates on an iPhone, but maybe someone can correct me if I'm wrong. In any case, it doesn't matter that Signal is updated "rarely". An attacker only needs to install one back door, they don't need to update it a hundred times.

So for an extremely typical user like me, who has been taught for as long as I can remember that the most secure thing you can do on an OS is install updates as they come in when they come in, doesn't Signal have the exact same problems as Mozilla? If someone compromises Signal's servers, can't they add a side-channel just as easily?

In theory, I could disable auto-updates and only update Signal when I looked at the source code, just like in theory I could examine the JS that I'm executing every time I connect to a site. But in practice, I don't.

When I read tptacek's rant nowadays, the immediate thing I can think is, "The web is malleable? Literally every single computing environment and device I own is malleable." It feels like if I were to take tptacek's advice to its logical conclusion, I would just conclude that ETE encryption in general is dead.

ghthor7y ago

This is really the point here. But the danger is always that someone who needs strong nation state secure crypto is used to this and doesnt realize the implications of using this when trying to keep state level secrets.

tptacek7y ago

It's not outdated; it remains fundamentally true. But I'm uncomfortable with people calling it a "legendary rant" because it was dashed off and I never promoted it as any kind of last word on the subject. There are better arguments against browser cryptography than mine.

In particular: you'd hope that WebCrypto would have changed things a bit, but, of course, it doesn't: it leaves all the cryptographic joinery up to content-controlled code. You're probably somewhat less likely to have side-channel flaws if you use it, but in reality timing side-channels are more talked about than seen. Who would bother, when they can just deliver a script that exfiltrates secrets directly?

fouadmatin7y ago

SubtleCrypto is a new browser-adopted spec for performing crypto operations natively. For example, instead of using Math.random() for random number generation, you can use https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getR... in combination with the SubtleCrypto functions to work with keys securely

Your points around a compromised JS bundle are still possible but that has more to do with a company’s deployment/change management setup than JS itself imo

skrebbel7y ago

> Your points around a compromised JS bundle are still possible but that has more to do with a company’s deployment/change management setup than JS itself imo

But that's the only point I intend to address here. If Pascal had been the language of the web then my question would have been about Pascal.

Therefore I don't see how SubtleCrypto changes matters much.

In short, if I get it right, the argument would be that in eg a mobile app, all the e2e logic (the core crypto plus the code around it) go through peer-review, then some release management process, then some review by Apple or Google, before it lands in my hands via their app stores' well secured delivery mechanism. In a web app, a single compromised server will compromise all security instantly. Generally I'm fine with trusting Mozilla's servers, but if I have to trust their servers then what's the point of end to end encryption?

thinkloop7y ago

Didn't realize it had full support by every browser, even ie: https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getR...

thinkloop7y ago

That article primarily comes down to this:

> WHY CAN'T I USE TLS/SSL TO DELIVER THE JAVASCRIPT CRYPTO CODE? You can. It's harder than it sounds, but you can safely transmit Javascript crypto to a browser using SSL. The problem is, having established a secure channel with SSL, you no longer need Javascript cryptography; you have "real" cryptography.

In our case we aren't doing crypto inception where the cryptography is meant to secure itself. The crypto is being served securely (by ssl) and then used to solve the separate unrelated crypto problem of encrypting random files.

aij7y ago

That question seems closely tied to

> WHAT'S THE "CHICKEN-EGG PROBLEM" WITH DELIVERING JAVASCRIPT CRYPTOGRAPHY? If you don't trust the network to deliver a password, or, worse, don't trust the server not to keep user secrets, you can't trust them to deliver security code.

I haven't looked at the details of how Firefox Send works, but if you can download and decrypt the file with nothing more than an https:// URL, it seems like you'd have to trust the server, either to handle the cleartext or to provide trustworthy code to handle the cleartext.

I suppose an alternative would be to generate a data: URL, but if it has to include all the crypto code, I wouldn't expect it to be nice and compact.

the84727y ago

Fundamentally the situation has not changed much. You redownload the code every time and servers could deliver tailored compromised versions if ordered so by some TLA. Which means audits have limited values since they can't attest that what they have seen is actually what anyone gets.

Compare with native tools which you only download once, can check its signatures and which strive for reproducible builds so that multiple parties can verify them independently.

mehrdadn7y ago

There was also a time just a few years ago when evangelists claimed JS/CS/etc. were just as fast as native (some said faster) and blasted you for suggesting otherwise, even when it was clear as daylight this was blatantly false. This mantra also suddenly just faded away once native compilers for these gained popularity. I guess reality hits you after some time.

Now I see a similar issue with security experts preaching that merely possessing a single piece of software with a single thing they classify as a 'vulnerability' implies you will be murdered within the next 24 hours, and it seems they'll happily DoS your computer, get you fired from your job, take your second newborn, and blow up your computer in your face if that's what it will take to make you finally feel real danger. Not sure why it takes people so long to see that reality isn't black-and-white, but better late (hopefully) than never.

cyphunk7y ago

There are many use cases where compromise through code-interdiction after warrant is a perfectly acceptable risk. Also considering what it replaces may further increase the weight of privacy gain. Absolutism is definitely not the way to go, and looking at the state of the tech community (eg. npm, apt, pip, pacman, check that sha256 sum) we left the design-it-right-first a long time ago. A valid argument, though I wouldn't defend it to the death, is that we need to work slowly back toward more secure behaviors rather than chasing absolutely secure technologies. I think send.firefox is a step back from dropbox for some.

quickthrower27y ago

SSL isn't the only crypto you'd ever want to do though. What if you want encrypt data so that it is encrypted all the way through the layers of the application to the database? That's a valid use case to use in tandem with SSL. Also I have to mention cryptocurrencies.

qrbLPHiKpiux7y ago

As long as there is a possibility, I say yes - not "if" but "when."

Humans are always the weakest link with the internet and someday, sometime, bad code (unknowingly) will be pushed and something will happen to someone.

serkanyersen7y ago

Couldn't they do the same If crypto code was on server?

lubesGordi7y ago

Seems like Send would have to be a built in browser functionality or maybe a plugin.

fastball7y ago

Not relevant to me as all of my sites are entirely secured with SSL.

jasonjayr7y ago

Is the source available for this? A self-hosted version of this would be nice...

(Update: Yep, just found it: https://github.com/mozilla/send, just before the comment below was posted :))

jgruen7y ago

boop: https://github.com/mozilla/send

xtracto7y ago

Reminded me of zerobin / privatebin. We used this internally at a previous company to share passwords and sensitive files.

Data is encrypted at client and a url with a key is generated.

Can be used 'burn after reading or with some specific lifetime.

lbeltrame7y ago

As far as I can see, this requires S3 or a S3 compatible service. Kind of defeats the purpose of self hosting unless you can set one yourself (it may be, I didn't look).

EDIT: Apparently there's a way to use filesystem instead of S3, it's just not well documented.

https://github.com/mozilla/send/blob/master/docs/docker.md

nickik7y ago

Anybody have a nice docker version to run this at home?

djsumdog7y ago

It looks like Mozilla publishes a container and has instructions:

AdmiralAsshat7y ago

I've used Firefox Send for several months while it was still a test pilot program. It's been very useful for quickly sending files to family. The fact that the link expires as soon as the other party downloads it means I don't have to worry about clean up.

kijin7y ago

Do you ever run into a problem when an overzealous email service or virus scanner pre-fetches the link and invalidates it before an actual person clicks on it? This used to happen with all sorts of links in emails, though I haven't heard about it in a while.

AdmiralAsshat7y ago

To my knowledge, the link is only invalidated if the person actually downloads the file. Simply viewing the link does not invalidate it. I can recall a couple of times emailing a Send link to my brother, then checking it in the morning to see if he had grabbed him or not. It was still viewable, so I deduced that he hadn't grabbed it yet, sent him a follow-up e-mail ("Hey you lazy bastard, grab the damn file before it automatically expires!"), and checked again a few hours later to find it gone.

toomuchtodo7y ago

Does the link expire after a successful transfer? Curious what happens if the transfer fails mid transfer and needs a retry.

AdmiralAsshat7y ago

No one I've tried it with has ever had it fail on them.

But to answer your question, I uploaded a 100mb+ file to FireFox Send, copied the link, RDPd into another computer, kicked off the download, and then cancelled it midway through download. The link did expire after that.

So I guess they don't have an easy way of telling whether the download is successful or not. Maybe Mozilla's engineers can figure something out if the issue is raised.

SubiculumCode7y ago

If you are worried about it you can specify the number of downloads before expiration

old-gregg7y ago

If relevant Mozilla people are here: Send does not work if "Delete cookies and site data when Firefox closes" checkbox in FF preferences is checked. Even the page doesn't load [1]. It surely is a bug, because I am not closing Firefox.

That checkbox is #1 reason I only use Firefox.

[1] Developer console log output: "Failed to register/update a ServiceWorker for scope ‘https://send.firefox.com/’: Storage access is restricted in this context due to user settings or private browsing mode. main.js:38:10 SecurityError: The operation is insecure."

RJIb8RBYxzAMX9u7y ago

You should be able to whitelist https://send.firefox.com/ with the "Manage Permissions..." button right next to that option.

I block _all_ cookies except for a small list of sites (like HN...).

_rlx_7y ago

This is a current Firefox restriction: https://bugzilla.mozilla.org/show_bug.cgi?id=1413615

lmedinas7y ago

a bit off topic but here it goes...

This is how i think Mozilla can capture more users back to Firefox. By providing "extra" services attached to the Mozilla and Firefox brand will make them a superior product to the end user. Sure it's hard to compete with Chrome but if you offer useful features and services integrated in your Browser i see that Mozilla actually has a chance to compete with Google for the browser space.

This is one of the "advantages", if you are a heavy Google user, of Chrome over the competition is that everything is attached to your Google account. Passwords, history, spellers, dictionaries, shortcuts, etc...

If Mozilla comes with Send, Notes, Password Manager all integrated in Firefox i see a good way to bring back some of the previous users that switched to Chrome.

scriptkiddy7y ago

Along the same lines, a Gmail-esque Thunderbird web service would be amazing. I could finally de-google myself completely if that were the case.

Currently, I need to set up my own email hosting through a service like fastmail and then configure a desktop client(like Thuderbird) to use it.

A Mozilla Gmail-esque service would remove a lot of the friction there and probably bring in a bunch of users who are tired of google running everything.

gnud7y ago

Fastmail has a nice (and snappy) web interface. So you don't _need_ to set up a desktop client, unless you want to.

asdgiobiobiuo7y ago

You may be right, but I hate it. There is no reason I can think of to have all these tools integrated into a web browser, and the idea of having the Internet broken into silos based on your choice of browsers scares me.

We don't need another AOL Chrome.

swebs7y ago

Literally all they need to do is advertise tree style tabs. It's the reason half my office stopped using Chrome.

tantalor7y ago

> By providing "extra" services attached to the Mozilla and Firefox brand

How is that different from the complaints people make about Chrome tightly integrating with Google?

hotgeart7y ago

> If Mozilla comes with Send, Notes, Password Manager all integrated in Firefox i see a good way to bring back some of the previous users that switched to Chrome

As a Chrome user I can confirm. But for me the main raison I use Chrome is for the dev tools a found them better than FF

TheArcane7y ago

For me, it's the seamless translation suite

bjt2n39047y ago

I don't understand the end-to-end encryption claim.

1. Bob uploads a file, but specifies no password.

2. ???

3. Sue downloads the file.

Best case, Bob's browser encrypts it (with javascript?) before uploading. Either Mozilla provides a key, or Bob sends the key he used. When Sue's browser downloads it, Mozilla sends the key and her browser decrypts it client side.

In either case, Mozilla has the password for decryption. This makes a mild barrier to mass scanning content that's uploaded, so at least that's something... but that's little more than a promise I have to trust.

Am I missing something? Where is the "end-to-end" encryption? End-to-end means I don't have to trust you (as much). Please don't turn this into a meaningless buzzword...

EDIT: I did misunderstand something. Please see timvisee's comment below.

timvisee7y ago

The client encrypts the file that is uploaded, along with some metadata. The key is appended to the share URL provided by the URL, in the fragment/hash, and is never sent to the remote server. Only people having the URL including the secret will be able to download and decrypt your shared file. See https://github.com/mozilla/send/blob/master/docs/encryption....

bjt2n39047y ago

Thanks for the info. Let me see if I understand this correctly.

Browsers don't send the anchor tag (ie: with GET requests). FF Send takes advantage of this by using the anchor tag to store the key for decryption.

That is kinda novel. You still need to trust the upload client to not leak the key, but I see that you've written a CLI version. Interesting! Thanks for the response.

4 more replies

philsnow7y ago

Anybody who can catch the link in transit can get the file. Emailing these links with the decryption key right in the fragment is going to allow any party in between the sender and the receiver to fetch the file. (If the file is set to only allow downloading once, the receiver can at least let the sender know that it got intercepted.)

So you have to send the link through some previously-negotiated secure channel. At that point, why not just send the file through that channel? Is it because signal/whatsapp/etc don't allow large files or because the interface is cumbersome?

air77y ago

That's cool, but it's still the same party providing both the storage mechanism, and the JS that encrypts the content on the client-side. You have to trust them that they are not "peeking" at the keys you are generating using their code in your browser.

jszymborski7y ago

I use a similar mechanism on my website https://expiring.link

I'm working on documenting the code now before I release on GitHub, but it works on the same premise :)

WebCrypto is mana from the gods...

srecio7y ago

Won't most people just share the links over email? With the decryption key in the url I don't see very good security guarantees here

mimsee7y ago

Generated by random and applied to the URL hash data that is not sent to the server. Hash data is data in an URL after the hashtag

lol7687y ago

It seems vulnerable to an active MitM - if the attacker is in a position to serve malicious JS that exfiltrates the data from window.location.hash.

I think the scheme is fairly robust against passive interception though.

woah7y ago

Client side encryption keeps honest companies honest but no more than that

hprotagonist7y ago

It doesn't exactly meet the needs of "sending files to a non-technical person", but Magic Wormhole [0] has been truly great for flipping files around between me and anyone who is capable of being trusted to run `pip install --user pipe && pipe install magic-wormhole`. This is by no means everyone, but it's been very useful quite often.

[0] https://magic-wormhole.readthedocs.io/en/latest/ has

asutekku7y ago

I have no clue why you would suggest a tool that requires using a linux command line after telling firefox send doesn’t meet the needs of non-techical person.

detaro7y ago

"It" in the first sentence does refer to the solution they mention, not Firefox Send.

jacobush7y ago

No, he's saying Magic Wormhole doesn't exactly need the needs of a non-technical person.

hprotagonist7y ago

magic-wormhole works fine on windows and mac; nothing about sh-like shells is linux-specific.

dTal7y ago

>pip install --user pipe && pipe install magic-wormhole

What am I looking at here? On PyPI 'pipe' is listed as a "Module enablig a sh like infix syntax (using pipes)", and magic-wormhole's own docs just say to install with pip like anything else.

hprotagonist7y ago

I typoed. I meant `pipx`, not `pipe`. My phone tried to help.

`pipx` is a convenience utility for installing cli python tools in separate virtual environments and then being able to update them nicely: https://github.com/pipxproject/pipx

So i meant

`pip install --user pipx && pipx install magic-wormhole`

cherrypepsi7y ago

I remember elementaryOS had a GUI for this in its app store. Never got around to try it, Linux is not well known in the consumer world, let alone Elementary

huhtenberg7y ago

Very clean and nice, but how is this financed?

That is, who's paying for the server storage and the bandwidth?

sirsuki7y ago

First off, Mozilla believes in the service. Mozilla itself gets funding from donations and corporate backing (I think). The cost of bandwidth is small compared to other file share sites in that the files stored are temporary. The transient nature of the files means that the max storage space needed is relative to the concurrent number of users. Bandwidth also. That means sans a very clever DDoS their expenses should be manageable compared to say Google Drive, Dropbox, or MS One Drive.

I remember sending a signed PDF via Firefox Send and was at first horrified when I realized I couldn't get the file back after 24 hours but then relieved knowing that the recipient got it and then it disappeared from the internet. Very cool!

akelly7y ago

I believe that most of Mozilla's revenue comes from Google profit-sharing, because they make it the default search engine.

kgwxd7y ago

If they can't keep up, at least we'll always have the code: https://github.com/mozilla/send

patrickxb7y ago

I don't understand how they can afford the bandwidth...

If this were on AWS it would be around $0.09 per GB for downloads.

toomuchtodo7y ago

Which is why you don’t host it on AWS. Wrong tool for the job.

casefields7y ago

Read here for the why: https://github.com/mozilla/send/blob/master/docs/metrics.md

https://github.com/mozilla/send/blob/master/docs/metrics.md

mzs7y ago

We'll find out by the end of the year »

Secondary - In support of Revenue KPI

We believe that a privacy respecting service accessible beyond the reach of Firefox will provide a valuable platform to research, communicate with, and market to conscious choosers we have traditionally found hard to reach.

We will know this to be true when we can conduct six research tasks (surveys, A/B tests, fake doors, etc) in support of premium services KPIs in the first six months after launch.

Vinnl7y ago

Presumably Mozilla, just like they do for the sync and Web Push servers.

olig157y ago

I think what the previous poster meant was 'why' are Mozilla paying for it?

kpcyrd7y ago

mozilla

benawad7y ago

> Key Business Question to Answer: Is the value proposition of a large encrypted file transfer service enough to drive Firefox Account relationships for non-Firefox users.

The metrics section is interesting https://github.com/mozilla/send/blob/master/docs/metrics.md

medmunds7y ago

Oh interesting. Their two hypotheses (which they will test) are that Send "can drive Firefox Accounts beyond the Firefox Browser" and that it will "will provide a valuable platform to research, communicate with, and market to conscious choosers..."

It sounds like they're investigating a premium service offering targeted at privacy conscious users. (The secondary hypothesis covers "revenue" and will be tested by conducting "research tasks ... in support of premium services KPIs.")

Secretmapper7y ago

This is perfect! I'm currently taking a networking class where we generate trace reports, and I've just realised how tricky it is to send files without logging in (I'm just averse into doing that in a machine that's not mine). I can email my trace files, but I need to login, I can store in dropbox/drive, but again I'll have to login.

I wish they added a QR code option as well. It would be perfect for quickly copying the link by snapping it with my phone so I can download later.

Ultramanoid7y ago

It's a fantastic service and I'm glad to see it leave the experiment stage and become official. Highly recommended.

romantomjak7y ago

I really don't understand why they didn't share a link to the repository in the article. For anyone who's interested - here it is: https://github.com/mozilla/send

Cyphase7y ago

It's because this blog is for mainstream audiences who don't know what GitHub is and might be scared of all that code-y stuff if they accidentally clicked on it.

thekyle7y ago

I'm not so sure about that. I have a difficult time believing that anyone in the "mainstream audience" would take the time to read Mozilla's blog posts, or more generally the blog posts of any tech company.

m4lvin7y ago

The same idea (e2e decryption key in fragment/hash) is used by the self-hosted Lufi. Public instances are running at https://upload.disroot.org/ and https://framadrop.org/ and the code is here: https://framagit.org/fiat-tux/hat-softwares/lufi Maybe someone can comment on how Lufi compares to Firefox Send (performance, usability?)

I also think the blog post could explain more why and how the e2e encryption works. Maybe just by showing an example link and then highlight with colors "this part is private"?

nvdk7y ago

I've been using send.firefox.com for months and so far the only downside was the 1 day expiration. Very glad you can now opt for 7 days.

Rafuino7y ago

This is awesome for sending private documents to family (tax season, anyone?), especially when your family isn't inclined to learn cryptography to set up their own solution. Will be trying this ASAP.

http://send.firefox.com/download/<fileid>/#<secret>

Sammi7y ago

Open source peer-to-peer solution in the browser using WebRTC: https://file.pizza/

krferriter7y ago

Wow that's really neat. Downside is it only works while the page stays open on the uploader's machine, while send.firefox.org uploads the file for a limited time to a central server so you can close the tab before the recipient downloads it.

rkagerer7y ago

If I've got this right, the file is encrypted using a secret key which is generated on the client and appended to the anchor in the link, like:

Anyone who obtains the link (e.g. via email interception) gains access to the file.

Since browsers don't transmit the anchor when requesting a resource [1], Firefox servers never see a copy of the key. Provided you trust their JavaScript.

[1] https://stackoverflow.com/questions/3067491/is-the-anchor-pa...

somebodythere7y ago

> Anyone who obtains the link (e.g. via email interception) gains access to the file.

True, but, if a third party decides to use the intercepted link to download the file, and you have it set to a limit of 1 download, the file will self-destruct (if you trust Mozilla). This way, the recipient can know that someone has tampered with the communication, which is certainly an improvement over the status quo (email attachments).

TulliusCicero7y ago

Neat!

How do they handle abuse though? Like, people using it to host, say, pirated TV shows? Maybe a max download limit that makes it impractical for that use case?

Moter87y ago

The files are available up until they have been downloaded (from 1 to 100 times) or until a certain timeframe has elapsed (from 5 minutes to 7 days). See the screenshot at the article.

warkdarrior7y ago

We are working on a plugin for BitTorrent that will automatically re-upload a file to Firefox Send when the old link expires and then make the new link available in the torrent.

mont7y ago

2.5GB file limit is a bit small for good quality TV shows (and especially movies).

jhasse7y ago

With HEVC 2.5GB is perfectly fine for a 2 hour movie.

gsich7y ago

Depends on the runtime. For low quality Netflix dumps (from Netflix, not because it got reencoded) it's usually enough, even for 1080p.

One can always split files.

LinuxBender7y ago

winrar and 7-zip can break up files into chunks of any size you specify.

giarc7y ago

Even single episodes?

cmurf7y ago

Another neat feature actually built into Firefox is Take a Screenshot. To the right of the URL field, in the three dots menu. Option to save it locally, or save in the cloud with a URL with some expiration options. Sorta like a pastebin for screenshots.

It only takes screenshots within the confines of a Firefox window.

fzzzy7y ago

Glad you like it (I worked on it). Just a side note, the cloud service will be going away in the future, but the ability to save it locally will remain.

robinhood7y ago

This service is really great and I'm sad to read it will go away - but of course, it makes no sense from a money perspective to keep it free forever. But the initial idea - saving screenshots made by the browser to the cloud is fantastic, and much more convenient than the myriads of SAAS that provide this kind of service.

detaro7y ago

Replacing the cloud bits with Firefox Send integration seems a fairly obvious idea then?

emddudley7y ago

I've used this before to send sensitive documents to my attorney, who would have otherwise just wanted email attachments. It worked great.

BrandonM7y ago

Based on what I've read, the security model seems to be almost the same as email attachments?

tvmalsv7y ago

One really big advantage of Send over attachments is that you don't have seemingly immortal copies of the files hanging around in people's mail clients and/or IMAP servers.

kgwxd7y ago

Why not "Mozilla Send"? If Firefox the browser isn't a requirement, the name is confusing.

Cyphase7y ago

The same reason it's Chromecast, not Googlecast.[1] Branding.

[1] The protocol is named Google Cast, but all the consumer branding is Chromecast.

kgwxd7y ago

I was thinking the same thing but in Google's case, Chrome is the dominate browser and most people recognize it as something they already have. In the case of Firefox, it's more likely they'll recognize the name specifically as the browser they don't have and will think they can't use it.

mrhappyunhappy7y ago

I was confused too. When it worked on non Firefox browser it was a pleasant surprise. I'm guessing this is just to promote Firefox browser. Wouldn't surprise me if they added higher file limit after usage grows and with it a paid tier :)

sumitgt7y ago

It would be really amazing to build some sort of integration in commonly available WiFi connected scanners and printers.

Currently, my scanner conveniently sends me emails with scanned documents. But I have not insight into how they actually store and delete the document on the backend.

Would be great if the scanner had the option to upload to Firefox Send and show me a QR code to download it on other devices.

seveneightn9ne7y ago

How is this using end-to-end encryption? It seems like the recipient just clicks a link to download. How can it have been encrypted for that person? end-to-end encryption normally means that there's no way for the intermediary to unencrypt the data but I can't see how that's possible in this case.

0xfeba7y ago

IIRC The link contains an anchor `#abc123` which is the decryption key. Browsers do not send anchor parts of the URL to the server, and so the browser decrypts.

Hinges on the browsers never sending that key, though.

weaksauce7y ago

Client side JavaScript that encrypts locally befor uploading and puts the encryption key in the url you share with someone that never gets sent to Mozilla. Also client side decryption on the person you shared the link with. It’s end to end.

pault7y ago

With the caveat about client side browser encryption in general, which I'm sure someone will pop in here and explain in detail. :)

EwanToo7y ago

The url effectively contains the decryption key, so the web server could be set to capture the urls and decrypt files.

If you want, you can also set a passphrase on the file to share via another channel

Vinnl7y ago

That's why the key is in the hash part of the URL; the server can't access that (unless it also sends client Javascript that parses it and sends it back to the server, but that could be detected).

SamuelAdams7y ago

> The url effectively contains the decryption key, so the web server could be set to capture the urls and decrypt files.

If that's the case, I think setting a passphrase should be mandatory. Proxy servers are extremely common at every workplace. Since they probably log all requests, they will capture all keys in the URL.

bredren7y ago

Much of the data I share with friends using dropbox is on time-limited data in the 1-2 GB space.

For certain reasons I get a ton of dropbox space, but for my friends, data quotas kick in on even simple files shared like this.

I believe this is a primary upgrade mechanism for DB--I'd say this new firefox offer is in competish.

kikikiki09i7y ago

How do they pay for the storage costs? What's the upside for Mozilla?

chrisseaton7y ago

> How do they pay for the storage costs?

Using their revenue from search, like everything else they pay for.

> What's the upside for Mozilla?

"Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."

passthejoe7y ago

Upside is that this is another reason to get a Mozilla account.

sam_lowry_7y ago

Google Search, Yahoo Search.

diegorbaquero7y ago

I had the expectation that it would use WebRTC before opening the link, disappointed on that side. But really glad of the privacy minded offer. I appreciate Mozilla's work and effort towards a more private and encrypted internet!

JohnFen7y ago

WebRTC and privacy don't exactly go together well.

ajsharp7y ago

Sharesecret (my company) provides a similar service, along with a slack extension for anyone who needs a commercial product. https://sharesecret.co

voidmain00017y ago

I'm onboard as a regular user of send.firefox.com. How does Mozilla have the money to offer this for free?

snazz7y ago

Maybe they just don’t need too much storage since they expire quickly. This would be an interesting thing to graph, if they release the statistics.

Vinnl7y ago

Mozilla has quite a bit of money, most of it from their default search engine deals. I'd wager to guess that most of it goes to wages.

danilocesar7y ago

Net income 2017: 89 million. Not that much for a company employing more than a thousand employees. But impressive for a corporation that is 100% owned by (and allegedly managed like) a non-profit org.

ihuman7y ago

Does Firefox Send work on browsers besides Firefox for sending and receiving files? It's blocked at my office, so I can't test it.

fzzzy7y ago

Yes. Tested on Chrome, Safari, and Edge.

tasty_freeze7y ago

Oddly, it doesn't work for me (FF 65.0.2, windows 7) -- I just get an inert white rectangle in the middle of the screen. I tried turning off ublock origin and DNT settings, but it still is just a rectangle.

It works on chrome, and does not work on IE 11 (win 7 doesn't support edge)

https://news.ycombinator.com/item?id=15450524

pizzapill7y ago

The page states that it'll be available on all browsers and a android app is going to be released later this week.

F_r_k7y ago

Swisstransfer.com is more or less the same, but with 25Gb and no sign up

hiq7y ago

Regarding the differences, this website does not seem to encrypt the files on the server, and does not provide links directly, so you need to provide at least one valid email address, if only to send the link to you to then send it to the party you want to share the file(s) with. It's also not open-source AFAICT.

Aissen7y ago

I wonder if they've fixed the issue where one can force reuse of a link by slowing down a download, and sharing the URL ? Hence turning it into a cheap file hosting service:

I haven't been able to upload a file to try.

klohto7y ago

I've tested this and the link seems to expire the moment the user starts a download.

Aissen7y ago

Nice.

DINKDINK7y ago

For senders and recipients who have execution privileges, OnionShare has:

Much lower trust assumptions

Functionality for dropboxes

https://onionshare.org/

https://github.com/micahflee/onionshare

justinc86877y ago

This is cool, but I’m wondering if there is some sort of “secure drop box” equivalent. Basically I generate a set of GPG keys, anyone can post to a web form which encrypts the uploaded data, in browser, using my public key, and uploads it somewhere (my server, s3, Dropbox, doesn’t matter as the private is local on my computer). I could then download the files, decrypt them locally and use them.

We get a lot of customers who want to send us secure data (customer info, etc...) and I’d love a way to make it easy for the customer but still secure.

Does something like this exist, or is this still a pipe dream? Basically FF send, except I provide a known public key to use, rather than it being generated on the fly, requiring the user to find a way to send it to me out-of-band.

marcus_holmes7y ago

I'm working on a file sharing product, for the niche use case of sharing documents between family and professional providers (lawyers, accountants, etc).

Documents are mostly emailed to recipients at the moment (unless they're too large, in which case... um....). The main problem we see is that you end up storing documents in email attachments on your email provider, and using email search tools to try and find documents.

Would this end up the same, only with all documents ending up in the Downloads folder?

Am I wasting my time working on creating a cloud storage sharing solution, and be better working on a method of organising files on the drive, that can also send them to other people?

77ko7y ago

Why have a file transfer for imp docs when you can have a single authoritative source of truth for those docs, along with version history and who changed what.

So why not just use Google Drive (or dropbox)?

I feel with features like secure file sharing (though only with other ppl with google accounts), reasonably good security[1] and Inactive Account Manager[2] it should work for legal docs. Especially considering Google is going to be around for a while.

I would rather use a Mozilla offering but they don't really have too many things for regular consumers outside of firefox and send.

[1]: https://myaccount.google.com/security [2]: https://support.google.com/accounts/answer/3036546?hl=en

mrdoops7y ago

Generate a temporary link that, when clicked sends an event to your system to deprecate the link and redirect the user to a presigned S3 download. In my case the file attachment was the product and it was important the system know when someone had downloaded, but a backend system that keeps temporary urls and requests a temporary download link from the file provider is a useful pattern. Nice thing about signed links is your server doesn't have to handle the file - it's between the client and storage provider.

JonathonW7y ago

As I understand it, this "guarantees" privacy by embedding the key in the link-- if that's generated client-side, it never gets sent to Mozilla's servers (assuming they don't go out of their way to grab it via JavaScript) and you can have end-to-end encryption.

But, if I'm logged in, it looks like Mozilla's storing that fragment on their servers: if I upload a file from one browser, then sign in on a different browser, I can see the link I generated (including the fragment) from the first browser in my list of uploads, and I can download the file.

Doesn't that negate their end-to-end encryption if Mozilla servers have access to the keys?

dcoates-moz7y ago

The data that's synced when you log in is also encrypted, with a unique key derived from your Firefox Account called a scoped encryption key. Your key changes when you change your password. We, (Mozilla) don't know your key (and don't want to know it). Disclosure, I implemented the sync feature of Send.

woranl7y ago

I'm surprised that no one raised their concern about javascript encryption. Usually, some will point out that the user will have to trust the delivered client side code first. Has javascript encryption finally got mainstream now?

techaddict0097y ago

Looks more like wetransfer.

Oras7y ago

True, without the email. Actually, I like we transfer for sending emails and notifications when the user has downloaded the attachments.

techaddict0097y ago

You can use wetransfer without email too I think. my designer sends me that way. Probably signed up users can do so.

roryokane7y ago

In the past, I used https://volafile.org/ for sharing files that will be deleted within a week. Volafile doesn’t do end-to-end encryption like Firefox Send, but it allows you to upload files over 2.5 GB.

Volafile’s multi-file “room” functionality, with chat, makes it more suited for sharing files among multiple people, while Firefox Send is optimized for sending a single file to a single person or a targeted group.

solarkraft7y ago

Bur Firefox is a browser. Why would you associate this with Firefox instead of making it a Mozilla service? It only leads to the Firefox brand deteriorating even more quickly.

foxhop7y ago

Wow, this is really awesome and really cool! First I've heard of it. Just tested it and it worked great.

Is it possible to audit the tech? Is Firefox send open source?

jfk137y ago

See https://github.com/mozilla/send/

oftenwrong7y ago

Non-descriptive headline. Borrowing some copy from the announcement makes it better:

"Firefox Send: a free encrypted file transfer service"

cmurf7y ago

Relatively new, are additional expiration options:

1 to 100 downloads, 1 is the default; or 5 minutes to 7 days, 1 day is the default. And an option to protect with a password.

Upon expiration, entering the URL behaves the same as if you enter a bogus URL, it's basically denied to have ever existed, i.e. it doesn't say this URL has expired.

ksec7y ago

I keep seeing comments about Search Revenue and keeping this free. It would be useful if Mozilla is getting more Firefox users out of it, but it likely won't be in any significant number.

So what happen once this get popular and waiting to be abused? Just like Mega. Who is going to continue and foot the bill?

cyphunk7y ago

most abuse mitigated by their limits on the number of downloads allowed and how many days it can stay online. Currently at 7 days max and 100 downloads. If they see abuse they could reduce this further.

about revenue, there are so many valuable directions this can go. It could undercut competitors in ways they cannot sufficiently respond to. (google responding in kind would leave them less reason to not add encrypted storage for drive) By stabilizing this platform they can start to build new privacy-enhancing apps on top. Calendar, contacts, etc. With more dependency on the platform, they will find areas where more storage, longer retention, will be income generating.

privacy may be the only frontier that can displace google,apple,microsoft.

hieloz7y ago

That sounds great!

Tutanota also provides free encrypted file transfer service.-- Tresorit Send:https://send.tresorit.com/ ,which allows you to upload and share up to 5GB files using the same end-to-end encrypted technology.

kikikiki09i7y ago

How to they pay for the storage costs?

stunt7y ago

Storage is extremely cheap. Especially for a service like Send which doesn't hold any data for a long period of time.

Elseways, It might be that they have bigger plans with it. This might be just a product to learn about market potentials.

Mozilla's manifesto is all about the Internet and Internet privacy. File sharing is one of the areas where the internet is losing privacy.

tantalor7y ago

Obligatory https://xkcd.com/949/

kenrick957y ago

There's also a http://xkcd949.com/

omouse7y ago

The eternal problem of uploading and sharing massive files seems to always have new solutions.

pyyu7y ago

There's croc with relatively small binary for all non-mobile platforms: https://schollz.com/software/sending-a-file/

Causality17y ago

Why does it have upload limits at all? Your client encrypts it, the data is sent over your internet connection to someone else's, their client decrypts it. Why would the data pass through Mozilla's servers?

arduinomancer7y ago

Wouldn't you need both clients to be online at the same time to do that?

Causality17y ago

Yes, but most people are online 24/7 anyway, and that number approaches 100 percent for "two people who need to move a file from one to the other right now". Hosted upload file sharing services are a dime a dozen now. How is this better than slapping something on Dropbox or Mega to send someone?

SubiculumCode7y ago

I've used firefox send many times since its introduction as a pilot. I applaud its simplicity. The workflow is basically upload, send message/email containing the link, download.

josefresco7y ago

In one of their videos, the URL is www.send.firefox.com - the others drop the www - is this intentional, a mistake? Why would someone use www before a sub domain like that?

fzzzy7y ago

Looks like www.send.firefox.com was a mistake. It's not a valid way to access the service. The correct url is send.firefox.com.

Moru7y ago

Because some people just don't recognize a Web address if it does not start with www. I see that all the time with our subdomains.

buboard7y ago

They could also offer a realtime webrtc solution like snapdrop.net . Although i m not sure that works, it didn't work between my phone and desktop.

mirimir7y ago

FWIW it works in Tor browser, with no CAPTCHA. Nice.

euphoria837y ago

This is great! It is a shame that Box and Dropbox need you to be a paying customer to be able to share password protected shared links.

vanous7y ago

Tried it and it seems cool. Too bad that there isn't an addon to create a provider for Thunderbird 's filelink.

_bxg17y ago

Ah man, I literally came up with (and prototyped) this exact thing in 2013. Minus the end to end encryption. I dropped it mostly because I wasn't sure how to prevent illegal use and didn't want to be liable.

Edit: mine was actually (partially) better because it assigned a short PIN instead of a full link, which meant you could just look at it and remember it for typing-in, instead of requiring a separate channel to "send" the link.

hombre_fatal7y ago

You came up with a web service that lets anyone upload something and then download it via /uploads/123?

That's basically a hello world project. As you found out, the hard part is everything else, like funding it.

_bxg17y ago

Funding it wasn't a problem. It took a weekend to build and was dirt-cheap to host. If people started using it enough to increase the server costs I would've stuck an ad at the bottom.

Honestly half of why I took it down is nobody was really using it. I didn't work terribly hard to market it, as I had no aspirations of getting rich and it would've been tenuous to monetize at all. I just told friends about it, etc.

I didn't imply there was a "hard part" to it. Just a neat idea. No need to dump on it.

tyingq7y ago

The end to end encryption necessitates a hard to remember uri anyway, so I don't think you can have both "secure" and "memorable".

_bxg17y ago

Yeah; ID length was definitely another challenge. Time-expiration helped, but. I was going with 6 digits as a middle ground but it wasn't super secure, even if an upload expired after a few minutes. And of course there was no way for the user to know for sure that I couldn't keep around a copy without the E2E.

jdmichal7y ago

Theoretically, yes. But they could also derive keys from a shorter password value -- like password managers.

Sammi7y ago

Encrypting it with a random key that doesn't get sent to the server, but is in the URI that the user sends to the receiver means that only the sender and receiver know what the file actually contains. Means neither you nor law enforcement can know what you are storing unless the URI is captured.

_bxg17y ago

Hah, found a record of the project (we did it at HackTX): http://techzette.com/2013-hacktx-winners-and-finalists/

It was called "Catch"

scriptkiddy7y ago

If you're still interested in this type of tool, I'm sure Mozilla would welcome your contribution: https://github.com/mozilla/send

TheShrug7y ago

A short PIN seems nice for personal use (maybe on a self-hosted service) but wouldn't a short PIN allow people to potentially guess random PINs and download files that they shouldn't have access to?

_bxg17y ago

The hope was for the time limit to help improve those odds, but, yes. It was also not really intended for anything truly sensitive.

The motivating case was when you're in physical proximity to the destination device, but don't have any account linkage between the two (not even messaging/email/social accounts that are connected). The original idea came from university computer labs: transferring homework between the lab computer and a personal one was a pain. I had to sign into dropbox in the browser (and 2FA), or attach it to an email, or carry around a flash drive (which wouldn't work on phones), or whatnot. Just to move the file three feet. A glanceable code with no sign-in bridged that gap.

Other use-cases include people you don't know very well (and therefore don't have an email, phone number, etc.). We demonstrated the prototype to a crowd by uploading a file with the code visible on the projector, and suddenly everyone in the crowd had the file. That was pretty cool.

MrXOR7y ago

Nice, but transfer.sh[1] > Firefox send

[1] https://transfer.sh

maurom7y ago

Been using it since beta. Props to Mozilla for providing one of the easiest and well thought file sharing services.

Shorel7y ago

This really feels like something the old Opera (not the Chromium version) would have done back in the day.

all_blue_chucks7y ago

They did. But it didn't work with NAT so it died.

z3t47y ago

Why doesn't Firefox support p2p file sending !? Why do they do with the files I upload !?

icebraining7y ago

P2P means both machines must be able to talk to each other (occasionally difficult when both are behind NAT) and must be turned on at the same time. Using a reliable intermediary gives some flexibility.

NedIsakoff7y ago

How are they going to deal with bad content? Child porn? Pirated content? Illegal stuff?

mac010217y ago

Since it's encrypted end to end, presumably they will be oblivious to all that stuff?

NedIsakoff7y ago

Sure, but doesn't help with the PR does it. If people start using it to send/dist the stuff, the news will mention it.

tasty_freeze7y ago

The same way backup services and email servers deal with encrypted data. They have no way of knowing.

intellent7y ago

Is there a simple way to get the direct URL of the file (e.g. to use in wget cli calls).

ubercow137y ago

The file is decrypted in client-side JavaScript so presumably no

acnjgg7y ago

been using this for several months. have used it to send all kinds of files be it malware to large files. it used to accept everything. but now it asks for sign in.. why would they do they though

ChrisArchitect7y ago

what is the business case for this tho? Who pays for the bandwidth??

agorabinary7y ago

I'm quickly running out of excuses for still using Chrome...

Vinnl7y ago

While I'm not sure if this is a reason not to use Chrome (you can use it in Chrome as well), trying Firefox is really just a couple of minutes work, and you can easily go back...

Here, I'll type the download link for you: https://firefox.com

usermac7y ago

Yes, next to Apple's AirDrop, this is a welcome addition.

zyngaro7y ago

What is the use case of such a tool? Real a question.

ebg137y ago

I don't understand what you're asking. The use case is literally in the title ("file transfer").

johnchristopher7y ago

The npm installation of send is quite easy to set up.

oblio7y ago

I wonder if they're running some malware scanners plus do they have to comply with DMCA takedowns? Based on what I see, the files are hosted on their servers, so they kind of have to, no?

mehrdadn7y ago

There is end-to-end encryption, so unless they have homomorphic virus scanners I don't see how they would do this...

nvdk7y ago

At maximum 200 downloads and an expiration of 7 days I don't think anyone will bother to be honest.

TulliusCicero7y ago

Hypothetically, you could wrap this storage solution in a service that automatically creates new underlying links as old ones exhaust their quota or expire.

pvK127y ago

Backend is written in JS. I can understand why they chose Node, but why not Typescript? This needs to be maintained and TS >>> JS.

qwerty4561277y ago

How does it work? Is it P2P or what?

JohnFen7y ago

The encrypted file is stored in the cloud. The recipient downloads it from there and decrypts it.

P2P would be much better, but this isn't that.

mtgx7y ago

Wasn't it initially P2P and based on the WebRTC protocol?

laurent1234567y ago

How does E2EE work if the recipient can download the file directly? I'd expect some key or password needs to be exchanged too?

Vinnl7y ago

They key is appended to the URL as a hash, which cannot be read by the server.

sigmonsays7y ago

this doesn't seem that impressive technology wise, but maybe i'll remember to use it.

liquid1537y ago

Is there a web plugin for this yet.

Brosper7y ago

Nice!

RoadRunner_237y ago

File Transfer https://xkcd.com/949/

Hope Firefox Send solves this ever present problem ;)

mFixman7y ago

I can't believe that there isn't a simple service to transfer data between my cellphone and my computer without going through the internet. iTunes is terribly bloated, MTP is a mess, and Bluetooth is slow and frustrating.

Back in my hacker day I used to have an SSH server open on my cellphone and use it to transfer files back and forth with my computer. Why isn't there a mainstream service like that?

_petronius7y ago

I recently switched back to iOS after years on Android, and on this point I've been very impressed with Airdrop. Dead simple UI, very quick transfer speeds, uses WiFi or Bluetooth as available. It's just a shame that it's limited to Apple devices.

electrograv7y ago

The conspiracy theorist in me wonders if Google simply wants to maximize the use of their servers here (independent of what users want/need):

1. P2P doesn’t give Google all that juicy mineable data that they get when everything you do makes round trips through their servers.

2. This would also implicitly encourage Android users to rely more on services like Google Drive/Docs for all files, which is good for them.

Edit: Apparently it is disputed that iOS has superior P2P file transfer support vs Android (see reply below), so perhaps all this is a moot point. I was assuming the truth of the parent post, and didn’t realize it was contentious; and since I’m not an Android or iOS expert, I can’t really argue that topic either way.

sdaslo7y ago

Isn’t it because it’s limited to apple devices that it works so nicely? Even some times before recent updates they’ve made, ive had airdrop work improperly where my old MacBook Air wouldnt show up, etc etc. it would be a nightmare to get that working across android and pc devices

Angostura7y ago

Just to be clear, Wifi network doesn't need to be available. If I remember correctly, initial connection setup is done through Bluetooth, then one device invisibly sets up an adhoc wifi connection to the other to transfer. The two devices don't have to be attached to a Wifi network. Quite spiffy.

untog7y ago

Agreed. And app hand-off (for the small number of apps that use it, basically only Safari for me) is fantastic as a "task transfer" tool as well.

matt-snider7y ago

What about https://syncthing.net/?

EDIT: I know you said without going through the internet. Syncthing can be configured to only transfer over specific networks (e.g. home LAN/WI-FI)

rcMgD2BwE72F7y ago

I've been using it for (almost) everything and it has always work perfectly:

I keep my phone's picture in sync with my personal computers ("send only" so I can remove old photos when my SD card is getting full).

I sync a "media" folder where I dump all the music and video I download with the youtube-dl CLI (a "yt" alias makes sure the files are stored in the right directory with some custom parameters).

I sync my KeepassXC databases (work and personal), between my personal Linux laptop, my Android phone and my work MacbookPro. Databases can be merged in a single click if there's any conflict (happens very rarely). I love the Android secure autofill service and fingerprint quick unlock

I use a "temp" folder to drag'n drop stuff between computers so I can file it properly on the right device. On Android, I prefer to use the Syncthing "sharing intent" to make any file/media available on my other devices in just a tap.

I also have installed Syncthing on my Android TV, and occasionally drop HD movies that I download on my phone over P2P (I have a pretty fast connection, so it's easier for me to choose a move from my phone, while in commute, have it download in a few seconds, and either stream it to my TV via Chromecast or open it from the synced folder through Kodi)

This really is a dream setup.

jamesgeck07y ago

Syncthing is in dire need of an iOS client. There's an unofficial one, but it was unmaintained and didn't sync with recent versions of Syncthing last I checked.

pard687y ago

I use syncthing for all my personal file syncing. It is so useful and secure to boot!

akerro7y ago

>I can't believe that there isn't a simple service to transfer data between my cellphone and my computer without going through the internet.

KDE Connect, https://community.kde.org/KDEConnect#What_is_KDE_Connect.3F i've been using it for years

jumbopapa7y ago

I've been using this, but I just switched to the Sway for my WM and I'm unsure of how to use KDEConnect with Sway. Any ideas?

[0] https://userbase.kde.org/KDE_Connect/Tutorials/Useful_comman...

AdmiralAsshat7y ago

A number of Android File Managers these days (Amaze comes to mind) include a toggle option to turn your phone into an FTP Server. You would then just pull it up on your computer via ftp://192.168.X.X and put an optional user/pass over it. I've used that for many years if I need to quickly transfer some documents or songs between devices.

Not technically internet so much as intranet.

Izkata7y ago

And on the flipside, I've used AndFTP to connect to my laptop from Android 2.0 through 8.1 - it supports sftp and a few other protocols.

zcid7y ago

This is my preferred method. I use SolidExplorer to start the ftp server and use an alias to access via lftp.

gurpreet-7y ago

Resilio sync [1] is a great service I've used to transfer files using P2P technology. It still uses the Internet, but avoids any intervening parties.

If you're using Android, you could just use USB transfer using Android File Transfer [2]. Super easy, super fast.

[1] https://www.resilio.com/individuals/ [2] https://www.android.com/filetransfer/

jamesgeck07y ago

If both computers are on the same LAN, Resilio Sync shouldn't hit the internet at all.

dx877y ago

KDE connect works without internet access. I haven't used it on Windows, but it works fine for me on Ubuntu.

jwr7y ago

If you use Apple devices, it's called AirDrop and works surprisingly well. I use it a lot, between computers, phones, and ipads, within the family and sometimes with other people, too.

chapium7y ago

Just make sure your Mac's firewall is not blocking bluetooth.

ufo7y ago

Does local wifi count? I use KDE Connect for sending files over wifi and a bunch of other things.

You may also want to check Syncthing, which others have also recommended.

ognarb7y ago

I love KDE Connect, particularly the run command function. I wrote a list of some useful commands in the kde userbase wiki [0] some time ago.

chongli7y ago

I just use iCloud Drive. Files on my desktop and in my documents folder get automatically synced to my phone and vice versa. It's extremely easy and painless. I often find myself on my phone, saving a file to my iCloud desktop, and finding the file on my desktop the next time I open the lid of my laptop.

aaaaaaaaaaab7y ago

>without going through the internet

samcday7y ago

Tangentially related - I've always thought it's dumb that I can't just plug my iPhone in to any PC and have it show up as a removable storage device.

I'm sure people who know more than me will give me a list of great reasons why it's not straightforward to implement...

But it doesn't change the fact that I have this incredible device (iPhone X) with 256gb of blindingly fast NAND flash storage, of which I am only utilizing 30gb, yet I still have to tote around a f*ing stupid little plastic USB dongle if I want to copy some files around.

TulliusCicero7y ago

> I'm sure people who know more than me will give me a list of great reasons why it's not straightforward to implement...

Nah, Android phones have done this forever, it's not technical difficulties stopping it from working. It's The Apple Way. They don't want you using your phone that way, or something.

4 more replies

supermatt7y ago

this is an artificial apple restriction. other vendors allow you to do exactly this

Retric7y ago

I regularly do this to offload pictures and movies. I have even used my iPhone as a large USB drive.

But, they don’t let you access to full file system for some reason.

https://github.com/andyholmes/gnome-shell-extension-gsconnec...

joubert7y ago

Unrestricted access would probably mean that someone could take your phone and access your data.

Instead, there are these 3 ways to share files between your phone and other machines: https://support.apple.com/en-us/HT201301

asdff7y ago

Apple used to let you do this exactly with the iPod.

smoser7y ago

Besides AirDrop there is "Copy and Paste across devices" https://support.apple.com/kb/ph25168?locale=en_US

ihuman7y ago

Does that transfer the data over iCloud (via the internet), or over Bluetooth and local WiFi? The page is kind of ambiguous since it mentions all 3.

mikro2nd7y ago

> copy text, images, photos, and videos on one Apple device and then paste the content on another Apple device

So not so much for my Linux box or my Android phone, then. As usual with Apple's shiny crap it "all just works" as long as you're only playing inside the walled tarpit.

Benjamin_Dobell7y ago

AirDroid is pretty handy on Android; file transfer, browsing your phone's files/images, sending SMS from your desktop browser (although Messages now does that native) etc. Much to my surprise, there's also an iOS version - https://itunes.apple.com/app/id1194539178

ocdtrekkie7y ago

SMB over local network would be my default, I recall an app for using SMB with Android back as far as the 2.x days.

We have tons of protocols for transferring files over networks, there's no reason for them to go to the public Internet, nor for them to be mobile phone specific.

m52go7y ago

If you use GNOME, GSConnect is magical.

merpnderp7y ago

In the Apple ecosystem, there's AirDrop which uses either Bluetooth or Wifi. You can quickly share files between any iOS and Mac devices very simply.

sametmax7y ago

There is. It's called dukto (http://www.msec.it/blog/?page_id=11), and works on mac, linux, windows and android. It will use zeroconf to automatically find all duktos on the local network, and let you send stuff to them in a blink.

Proprietary but free as in beer.

cybwraith7y ago

Dukto is great!

pault7y ago

You didn't say whether you are on iOS or Android, but if you are on iOS airdrop works very well.

laumars7y ago

It does - just so long as you and anyone else you might want to share with are paid up into the Apple walled garden.

I do have an iPhone and I love AirDrop for sharing photos with the few friends who also have an iPhone but it's not even an option for me with a Linux laptop.

dTal7y ago

You might be interested in KDE Connect, which provides (among other things) essentially a thin wrapper around SSHFS. It's the most convenient method of computer<->phone transfer I've found.

hiccuphippo7y ago

What I'd like to see is an app that runs a webserver on my phone to share a slideshow of pictures or videos to a browser on the lan. I haven't found this and I'm thinking about writing one.

Moru7y ago

Try resilio sync, uses lan or Internet depending on what is available. Sync the images folder with your computer with a few clicks.

spieglt7y ago

This runs the web server on a computer, but allows two-way file transfer from phones: https://github.com/claudiodangelis/qr-filetransfer

spieglt7y ago

Check out https://github.com/claudiodangelis/qr-filetransfer for computers and phones on the same LAN.

Works great, and I'm planning on integrating that functionality into my project which transfers files between laptops using only wireless cards, no LAN required. https://github.com/spieglt/flyingcarpet

microcolonel7y ago

I use Syncthing, personally. It usually works pretty great, the only real issues I've seen are with locked down internet connections (the sort which also seem to meter or block VPNs).

rsync7y ago

"I can't believe that there isn't a simple service to transfer data between my cellphone and my computer without going through the internet."

The correct way to do this is to configure your phone to emulate USB mass storage and then connect with a USB cable.

Your phone looks like a thumb drive. It's the easiest workflow in the world.

Unfortunately, this workflow is off limits because of some licensing requirement from MS for fat32 (or something) which is why neither android nor ios has this very basic, simple feature.

est317y ago

I often first try MTP and when it is acting up again, I'm using adb pull / adb push to do it. Once set up, adb turns on automatically and all you need to do is to invoke the commands on the computer. If USB is unavailable, adb works via the network as well, provided the phone's IP is reachable. However, you need to know the ip address. The only problem really is figuring out the paths, but at least it works and overall I'm wasting less time than with MTP usage.

kop3167y ago

I seem to remember that there was an app on android that allowed you to access your files via a webserver you could turn off and on. I used that a lot before I got nextcloud.

dooglius7y ago

I'm a bit confused, in what sense is accessing an SSH server not going through the internet? Was the phone connected to the same LAN as the desktop via Wifi?

laumars7y ago

That was my assumption.

Your comment took me a little by surprise actually because there's no actual need for the internet in SSH and in fact I probably do 90% of my SSHing on local networks. But I guess your usage differs significantly?

https://f-droid.org/en/packages/org.primftpd/

Piskvorrr7y ago

That's the usual arrangement, yes: phone - WiFi AP - ethernet switch - desktop; no internet needed. SSH is not some only-works-in-the-cloud magic, just a TCP/IP service; as long as you can access the server, it is cloud-agnostic.

I do use this arrangement with split DNS: inside the local LAN, the desktop's DNS resolves to the desktop directly; outside, it resolves to the gateway's external port, whence it's NATed to the desktop. SSH from anywhere :)

Steltek7y ago

When pushing files from phone to computer, I setup my Pixel to use AndFTP. The ubiquitous "Share" button offers AndFTP as an option and lists preconfigured destination SSH servers. I upload photos this way to a distinct account (which gets scooped up later by a more privileged script).

What I'm really looking for is a Share button enabled app that can POST arbitrary files to a customizable URL.

opencl7y ago

Syncthing is fantastic for this (and file transfers between computers over LAN and/or internet), unless you happen to have an iOS phone.

omouse7y ago

It's because the whole app ecosystem is proprietary and the open source packages aren't as polished. I remember when it was a huge pain to use Bonjour.

It seems like this should be a solved problem but maybe it takes a Mozilla or some other larger entity to push the marketing and the customer support and development to really solve the problem of transferring large files securely.

m-p-37y ago

I'm on Android, and Syncthing is pretty seamless once configured. I just configure my cellphone, my laptop and my desktop to sync a specific directory in both directions.

It's decentralized, end-to-end encrypted and does local discovery of devices on a LAN so it will also works offline.

As long as one device lives and is synced, I have a copy of the files.

kgwxd7y ago

There are plenty of cross-platform local file transfer tools available but they all require manual setup and some knowledge of networking. If "without going through the internet" is a requirement, I don't think an easier and secure tool could be made better than what's already available.

patr0nus7y ago

What about Dukto [0]?

IMO if something doesn't require the internet connection, it is more likely to be called "software", not a "service".

[0] http://www.msec.it/blog/?page_id=11

yjftsjthsd-h7y ago

You can literally do that; termux will run sshd quite happily. I'm pretty sure there are sftp servers in the app store as well, but I don't really trust them.

I run the reverse; my laptop runs sshd and then I ssh/scp/rsync from termux on my phone. But either way works.

morpheuskafka7y ago

On iOS having a file manager web server is a common workaround, some apps like VLC even have their own. The only issue is that the server stops if you switch apps. There's also iMazing which uses the iTunes protocol and is pretty good, but unfortunately is paid.

alanpearce7y ago

With macOS and iOS, Airdrop, as others have stated. For other platform combinations, there is NitroShare[1] which works in almost the same way.

[1]: https://nitroshare.net

xioxox7y ago

SimpleSSHD is a simple ad-free open-source SSH server for your Android phone (available on Google Play). It's very useful. It only supports public-key based authentication, so you can't use a password, however.

yjftsjthsd-h7y ago

> It only supports public-key based authentication, so you can't use a password, however.

If there's any chance of this thing being exposed to a public network (like, say, a cell network), I'd say that's a very good thing!

msravi7y ago

termux + woof

woof -i <ip_address> -p <port> <filename>

termux: https://play.google.com/store/apps/details?id=com.termux&hl=....

woof: http://www.home.unix-ag.org/simon/woof.html

Edit:

1. Allows directory upload/download (tar/gzip/bzip2 compressed)

2. Local file server (doesn't go over the internet)

3. Allows upload form (-U option)

4. Allows file to be served <count> number of times (-c option)

pwg7y ago

To add to the options (for Android phones):

gshulegaard7y ago

There are a few around...I use File Explorer which can actually start an FTP server from my phone (iPhone) that my PC can connect to over LAN. It also can be a client to a remote FTP/file share.

MaxBarraclough7y ago

You run a simple HTTP server on your computer, then download your files over Wi-Fi using your phone's browser. Works nicely.

    cd my/directory && python3 -m http.server 80

dec0dedab0de7y ago

Plugging in a USB cable still works fine. I think the problem is if its too easy then people will be copying files off of each others phones without permission.

laumars7y ago

> Plugging in a USB cable still works fine.

That uses MTP which the OP already discounted as being "a mess". Frankly my experience matches his and thus I actively avoid MTP whenever I can.

> I think the problem is if its too easy then people will be copying files off of each others phones without permission.

You usually need to unlock the phone to use MTP. If an attacker has access to unlock your phone then it makes no difference if they copying the files via USB, Dropbox, email or whatever - your attacker already has the permission they need to do so.

diegorbaquero7y ago

You can try WebTorrent (P2P) based solutions, maybe https://btorrent.xyz could help.

SebiH7y ago

How about https://snapdrop.net/ ?

buboard7y ago

there is https://snapdrop.net/ but it didnt work for me

shmerl7y ago

KDE connect?

nobrains7y ago

Airdroid

deltaqueue7y ago

Dozens of responses, and not one mention of Dropbox. Works perfectly for this exact purpose on Android.

Legogris7y ago

You missed the "without going through the internet" part.

https://send.firefox.com/legal

hlnas7y ago

How "private" is it? Do you store metadata? i.e. if I upload a file and it expires, do you also delete any trace of me, including my IP address?

mehrdadn7y ago

> We receive IP addresses of downloaders and uploaders as part of our standard server logs. These are retained for 90 days, and for that period, may be connected to activity of a file’s download URL. Although we develop our services in ways that minimize identification, you should know that it may be possible to correlate the IP address of a Send user to the IP address of other Mozilla services with accounts; and if there is a match, this could identify the account email address.

gurpreet-7y ago

Why is it a necessity to store information for 90 days? Why not 10 or 30?

icemelt87y ago

I wonder which cloud service they are using to store the files.

swtrs7y ago

A bit of poking around leads me to prod.send.prod.cloudops.mozgcp.net so Im assumping Google CloudCloud.

sccxy7y ago

Google Cloud Platform

fxfan7y ago

There's also a command line interface somewhere

nukeop7y ago

I wish Mozilla focused on core Firefox functionalities instead of coming up with so many small side projects that don't target their typical audience. Since Chromium-based browsers are not an option, many of us are stuck with Firefox as the only remaining choice. But even Firefox has to be heavily customized before it's completely deGoogled and stops contacting various motherships.

As a side note Nightly build for Ubuntu has been broken since version 61 and there's no sign of any effort to fix it.

kvark7y ago

Is there anything specific you are missing in Firefox today? Or is it purely the fact that it's broken since version 61? Did you submit a bugzilla issue, or know the existing number? I'd be happy to check it out.

nukeop7y ago

A million things, like missing functionalities from the new extensions api (meaning no Pentadactyl), no good way to manage keyboard shortcuts, having to disable many google integrations after installation, no way to disable "do not track" if using built-in tracker blocking, no sidebars a la Vivaldi, buggy rendering (e.g. transitions animating elements using css transforms), unexplained slowdowns, lack of proper tab isolation (one slow/crashed tab takes the whole browser with it), etc. I could rant all day.