What do you do when you need to send a file to someone you don’t interact with a lot?
Many of us use email attachments for small files, because it’s quick and easy to share modest amounts of data that way.
Sure, the attachment will probably lie around in the recipient’s mailbox for days, or months, or even years, which might not be quite what you had in mind…
…but when you send someone else a file, you can’t control what they do with it anyway, or how long they keep it, or how widely visible it is on their corporate network after they save it.
But email is no good for large files such as audio data or videos, because most email servers quite reasonably have a low limit on message sizes to stop the system getting clogged up by attachments.
So the usual fallback for sending files that you can’t or don’t want to transmit via email is to use a file sharing service instead, which is rather like using webmail, only without the messaging part.
You upload the file to a file sharing site, optionally setting various options that describe which other users can see it, and for how long, and then send the recipient an email that contains a download link where they can fetch the file at their leisure.
That worrying feeling
If you routinely use file sharing services, however, we’re sure you’ve experienced that worrying feeling that comes whenever you browse through the list of files you’ve shared in the past, especially if you were sending a file to someone you don’t deal with often.
What on earth was that file test-footage-march-unedited.mov
you once sent, and who on earth are the four users on the access control list?
Can you delete the file temporary-backup-of-event-pics.zip
that you shared two years ago, and did you ever make a permanent backup, and if so, where did the file backup-to-keep-forever.zip
end up anyway?
The annoyance – and the small but ever-present cybersecurity risk – in leaving a litter of old files behind in various third-party websites is one that affects many of us…
…which is why we are occasional but enthusiastic users of Firefox Send, a free service from Mozilla that aims to let you share large files easily, but without the worry of what gets left behind and forgotten about.
When you upload a file to send DOT firefox DOT com
, it gets encrypted in your browser before any data is send into the cloud; the decryption key is encoded into the URL for downloading the file; and the link thus generated is (by default, at least) valid for one download or 24 hours, whichever comes first.
If the recipient downloads the file using the link you send them, the data gets decrypted in their browser only after it has been downloaded, and then it vanishes from Mozilla’s servers forever.
If both you and the recipient forget about the uploaded file altogether, then it vanishes anyway and you don’t have to wonder if it’s still sitting around somewhere for someone else to download.
While the file is still on Mozilla’s servers, the pre-upload encryption means that even Mozilla can’t decrypt the file anyway, because only the encrypted data was uploaded and not the key.
(In fact, given that the temporarily stored files are no more use than shredded cabbage to Mozilla – or to any network hackers, law enforcment agents, data protection regulators and so on – there is every incentive for Mozilla delete the files as promised, in order to recover disk space that would be completely wasted otherwise.)
What’s good for the goose
Unfortunately, as with so many simple, free and effective online services, what’s good for the goose is good for the gander, too.
In other words, crooks love Firefox Send just as much as we do, because it lets them generate short-term links based on trusted URLs for sharing arbitrary files without leaving any leftover data in the cloud.
The problem is that in the case of the crooks, they’re typically using Firefox Send for what you might call “data infiltration” – a way of importing malware files or attack tools onto a network they’ve already broken into without drawing undue attention to themselves.
That sort of operational tactic goes by the name of living off the land – a slightly misplaced metaphor, to be sure, but one that is now widely used in the cybersecurity industry to mean “fitting right in with everyday behaviour on the network”.
By using Firefox Send, the crooks don’t need to set up a file sharing server of their own at a legitimate-looking URL, and they don’t have to worry about making sure their URLs expire automatically after use.
Links that work only once are a thorn in the side of security researchers, because even if you manage to acquire a full URL as an indicator of compromise, you can’t go back to the URL to investigate what malevolent baggage it might have served up when it was used.
The crooks also make themselves harder to track because their malicious content is effectively hiding in plain sight at an IP number operated by Mozilla.
What now?
Hats off to Mozilla and the Firefox team: following recent suggestions from cybersecurity researchers that some tweaks to the service might be a good idea, such as a [Report Abuse]
button to make it quick and easy to get dodgy links blocked…
…the company has suspended its service temporarily to address the issues, rather than simply handing out vague promises to look at changes in the future:
Firefox Send is temporarily unavailable while we work on product improvements.
We appreciate your patience while we make the Firefox Send experience better.
The holding page doesn’t actually say that the outage relates to the problem of abuse by cybercriminals, but Mozilla has issued a statement to say:
Before relaunching, we will be adding an abuse reporting mechanism to augment the existing Feedback form, and we will require all users wishing to share content using Firefox Send to sign in with a Firefox Account.
Until now, you could use Firefox Send without creating a Firefox account, although that limited your links to at most 24 hours, but it looks as though the days of free-in-all-senses use of Firefox Send are over.
We’re not sure quite how much of a dent Mozilla will make in the abuse of the service by requiring even occasional users to stump up email addresses and create yet another cloud account, but the organisation seems determined to keep the service alive while addressing the community’s geniune concerns.
What do you think?
Does your organisation block sites like Firefox Send anyway?
If so, do you think these changes will make you rethink your policy, given that Send’s auto-encrypt-before-upload and auto-purge-after-download features gives you two less things to worry when sending files via the cloud?
Raffles
I hope they fix it quickly.
Spryte
not sure I’d use it.
FF does have a good reputation, but still, it’s a file sharing platform. Gonna get some attention from the baddies.
Paul Ducklin
The links are typically one-offs, so as long as you’re expecting a link and it comes from someone you know and trust, an email with a link in it is kind of equivalent to an attachment in the email…
Tim Boddington
Like all online activities, there should be a log. Some activities are already logged by ISPs for appropriate authorities to inspect (the fact of the activity, not the data content). I don’t see why the fact of a Firefox Send shouldn’t be logged by Mozilla in the same way. It should be possible for corporate monitoring to identify such transactions and also log them. It should be part of basic business control.
Anonymous
Not sure
Clifford Cuellar
I think the requirement for a Firefox login and a transmission log would be needed due to the transient nature of the files. While preserving the confidentiality of the data, this would provide a rudimentary activity tracing system. This would hopefully help deter or at least slow the bad guys by requiring a valid IP address to use the system.
Márcio Vinícius Pinheiro
I hope they fix it soon. If there’s anything to fix. The problem is not the service, but the use people make of it. No need to log (for god’s sake, stop logging our lives!), no need to sign up (signing in should offer an advantage to the user or to the service administrator, what exactly would be the advantage given in this case?). We receive all sort of spam, phishing, malware, trojan, ransomware, etc. via email and nobody turned off any email service. What’s the difference between Firefox Send link and any other link or atachment in emails or IMs? You will open it if you’re expecting it. People have to learn not to click on any link they receive, otherwise close the entire Internet.
Anonymous
I agree with you. I don’t think there is any need to change the service or turn it off. If someone you don’t know sends you an email with an attachement, you don’t open it. Same goes for firefox send (the links has to come from somewhere or someone!)
Similarly even if you know the receipient, if you didn’t expect them to send you any files you wouldn’t just blindly open the attachements or links they sent you. So again this is exactly how one should treat firefox send links.
If someone is not capable of understanding this they should probably not be using email or the internet in general anyway.
Anonymous
It’s like people don’t read the article or something… It’s not about clicking a link or not, it’s about disguising traffic and limiting an administrator’s ability to investigate:
“The problem is that in the case of the crooks, they’re typically using Firefox Send for what you might call “data infiltration” – a way of importing malware files or attack tools onto a network they’ve already broken into without drawing undue attention to themselves.”
Still, requiring a Firefox account is annoying, it will certainly reduce the convenience for many users.
Greg
I am a bit of a Libertarian so I would have preferred that FireFox send be left as is. We are all being monitored more by the powers to be than ever in history. What makes us believe the powers that are monitoring us aren’t the criminals?
Paul Ducklin
I guess they figured that because it was a free service (but cost money to run), they could do without the complaints.
Anonymous
I don’t see the Issue! If i want to share something safely without leaving trace with a friend via internet firefox send was the way to go! He was expecting a link + code and there it is! I guess the problem was ppl trusting links from some shady ppl on/or shady sites that’s it! I’m not an IT-Geek but as far as i know you need to run a virus/malware for it to harm your computer just downloading it won’t do anything? So if you are not sure about it open it in a virtual machine.
Paul Ducklin
I suspect that Mozilla ended up with a lot of costs (storing and serving up lots of large files), a bunch of complaints (e.g. about their links being abused for piracy or to spread malware), very little recognition and zero revenue.