Be careful using Mozilla"s new file sharing service "Send"

Mozilla is testing a new and convenient file sharing service for users of any modern browser, including rivals Chrome, Internet Explorer, Edge, Opera and Safari. “Send,” as the service is called, promises to allow users to securely swap files, rendering the download link invalid after the first download is completed.

With a seemingly dim 7% market share, Firefox is one of the most widely-used web browsers, trailing only Chrome and Internet Explorer, and occupying a comfortable 3rd spot in the desktop segment, ahead of Opera, Edge, and other browsers. That keeps Mozilla busy building exciting new features for its user base, including one recent file-sharing service called “Send.”

A test pilot program, Send hopes to become a one-stop-shop for swapping files no larger than 1GB, conveniently and, more importantly, securely between users of “any modern web browser.”

Send promises to:

1. encrypt the uploaded file
2. generate a unique URL that expires after the recipient completes the download
3. render the link invalid if 24 hours have passed without anyone downloading the file

“Send lets you upload and encrypt large files (up to 1GB) to share online,” Mozilla says in a recent Test Pilot post. “When you upload a file, Send creates a link to pass along to whoever you want. Each link created by Send will expire after 1 download or 24 hours, and all sent files will be automatically deleted from the Send server.”

While convenient, Send throws in the decryption key with the download, which means the service is not immune to man-in-the-middle (MITM) attacks.

“You should not provide the link to anyone you do not want to have access to your encrypted file,” Mozilla warns.

A quick in-house test conducted at the time of writing suggests that the one-download rule can be broken if two different users access the link at the same time. Our test indicates it takes more than a few seconds for the servers to be notified that the first download has completed, especially in the case of a large file. This would allow a third party to download the same file, provided they had access to the link at around the same time.

Mozilla labels Send a “web experiment,” and users should take those words to heart. Send offers an admittedly seamless experience with its authentication-free, drag-and drop functionality. However, for the time being, the service should only be used to share non-sensitive information with trusty recipients using trusty communication services. Send does not seem suited for business use, sharing corporate data, or for communicating sensitive information of any kind. Not yet, anyway.