undefined | Better HN

story

0 pointsbjt2n39047y ago0 comments

Thanks for the info. Let me see if I understand this correctly.

Browsers don't send the anchor tag (ie: with GET requests). FF Send takes advantage of this by using the anchor tag to store the key for decryption.

That is kinda novel. You still need to trust the upload client to not leak the key, but I see that you've written a CLI version. Interesting! Thanks for the response.

0 comments

timvisee7y ago

You got it! The only thing you'd have to worry about is malicious JavaScript on the Firefox Send website which I believe would be highly unlikely. And of course, you must keep your link secret.

Yes, such a CLI tool would help protect you against a MITM with malicious JavaScript.

Piskvorrr7y ago

Unlikely but possible. Two words: browser extensions.

quickthrower27y ago

Three words: My Ether Wallet.

NKCSS7y ago

It's not a new idea, the megaupload successor first did it as far as I can remember

simias7y ago

Indeed, the website serves you the crypto code but it runs totally on the client so it's perfectly safe and could in no way be backdoored.

More seriously, did they do anything to fix this obvious design flaw? If they want to fish a key they can just serve you a modified JS file and retrieve the key. Unless of course you chose to audit the JS served every time you browse the website.

solarkraft7y ago

How would this be possible to fix? I currently don't see any possibility of this.

coolspot7y ago

Yes, the mega.co.nz . End-to-end encrypted dropbox analog.

solarkraft7y ago

It's cool, but not exactly novel. Mega has done it this way for years.

j / k navigate · click thread line to collapse

0 comments

timvisee7y ago

You got it! The only thing you'd have to worry about is malicious JavaScript on the Firefox Send website which I believe would be highly unlikely. And of course, you must keep your link secret.

Yes, such a CLI tool would help protect you against a MITM with malicious JavaScript.

Piskvorrr7y ago

Unlikely but possible. Two words: browser extensions.

quickthrower27y ago

Three words: My Ether Wallet.

NKCSS7y ago

It's not a new idea, the megaupload successor first did it as far as I can remember

simias7y ago

Indeed, the website serves you the crypto code but it runs totally on the client so it's perfectly safe and could in no way be backdoored.

solarkraft7y ago

How would this be possible to fix? I currently don't see any possibility of this.

coolspot7y ago

Yes, the mega.co.nz . End-to-end encrypted dropbox analog.

solarkraft7y ago

It's cool, but not exactly novel. Mega has done it this way for years.

j / k navigate · click thread line to collapse