Send: A Fork of Mozilla's Firefox Send (opens in new tab)

(github.com)

666 pointsandredz4y ago141 comments

141 comments

kickscondor4y ago

Some other WebRTC file transfer options:

* https://wormhole.app/ (my recent fave, by creator of WebTorrent, holds for 24h, https://instant.io by same)

* https://file.pizza/ (p2p, nothing stored)

* https://webwormhole.io/ (same, but has a cli)

* https://www.sharedrop.io/ (same, does qr codes)

* https://justbeamit.com/ (same, expires in 10 minutes)

* https://send.vis.ee (hosted version of this code)

* https://send.tresorit.com/ (not p2p, 5 GB limit, encrypted)

I track these tools here: https://href.cool/Web/Participate/

carbonatedmilk4y ago

love Wormhole, but that animated background chews up an incredible amount of battery power on my M1 Macbook Air (even when the tab is in the background). Please wormhole crew, turn it off.

feross4y ago

We recently made a one-line change that massively reduced GPU usage, specifically:

- Intel integrated graphics: 60% reduction

- AMD Radeon: 40% reduction

- Apple M1: 10% reduction

What was the change? We removed "opacity: 85%" from the <canvas> element. We were using opacity to slightly darken the animation but now we just darken the texture image directly.

1 more reply

Farow4y ago

You can "hide" it with uBlock Origin by blocking large media elements in the popup.

1 more reply

pimterry4y ago

100% agree - I've used Wormhole a few times when I try to quickly get data into interactive VM sessions, because it works great otherwise, but the graphics consistently grind the whole thing to a halt.

I really don't get the reasoning. It looks kind of cool, but it makes it super unusable for a bunch of use cases from very old computers to interactive sessions on raspberry pis to constrained VMs. And those are exactly the kind of places where I want friendly easy tools to copy files across for quick system admin or to get logs back out! Doesn't seem like a good tradeoff.

2 more replies

FriedrichN4y ago

Set webgl.disabled to true if you're using Firefox.

BiteCode_dev4y ago

And if you have a sucky connection, it's slow has hell to load.

1 more reply

arafatamim4y ago

Turn on "reduced motion" setting on your Mac.

FounderBurr4y ago

Wouldn’t it be easier for you to manage what you expend your battery on?

1 more reply

iagovar4y ago

Hmmm, it seems like https://webwormhole.io/ has changed from last time I used it. https://wormhole.app/ seems more similar to what I remembered as frontend.

I remember trying many of those services and I decided to use this one because I could send large files without any problem (was trying to move sqlite dbs that were several Gbs, as it seemed to stream the file instead of trying to store it on ram first, but now I see wormhole.app allows up to 10GB, and I don't remember to have any limit.

WebRTC services seem to have problems to get up to speed, but for streaming files between devices it seems the best solution in terms of friction.

lxgr4y ago

The speed problems interestingly seem to be caused by a bug in an implementation of SCTP used by most (all?) WebRTC browser implementations:

https://github.com/saljam/webwormhole/issues/55

The symptom seems to be that the SCTP data rate drops with increasing latency (which used to be a problem with very old TCP implementations too, but all modern ones handle high-latency networks much better).

1 more reply

dennis-tra4y ago

I‘ve also built a file transfer tool (CLI) with emphasis on decentralization. It’s a fully decentralized p2p file transfer tool based on libp2p:

https://github.com/dennis-tra/pcp

I‘m currently trying to make it interoperable with https://share.ipfs.io/#/ which resembles the functionality of the posted tool.

kickscondor4y ago

Seems very similar to 'hyp beam': https://github.com/hypercore-protocol/cli

dschep4y ago

There's also https://snapdrop.net which seems extremely similar to sharedrop.io but has an additional useful feature of letting you send messages which I sometimes use to send links to devices that aren't logged into any service.

kickscondor4y ago

Ah neat! I've added all of the links in the comments here to my list - great to see what's out there and to combine our collections.

fckthisguy4y ago

As I recall, there's a difference between file.pizza and webwormhole. file.pizza allows the sender to specify files and then generates a share url, whereas webwormhole creates a share link first. The latter can be useful if you're not sure exactly what you'll send before you share the link.

Dumbdo4y ago

There's also https://github.com/schollz/croc which is a very simple P2P CLI transfer tool.

fljsdflsdfjdslf4y ago

Missing https://dropbox.com/transfer

ehsankia4y ago

Is that using WebRTC, or are they hosting the files on their backend?

elliebike4y ago

I’m a fan of Kipp! Not p2p, but has optional encryption

https://kipp.6f.io/

ca98am794y ago

I made these:

https://file.io

https://temporary.pw

Ansil8494y ago

> I track these tools

How frequently do you validate that they are still functional?

I tried File Pizza several months ago, and neither I nor the recipient could get it to work.

kickscondor4y ago

Links are checked at least once daily - I do have a few that are recently broken that I need to address - but File.pizza is okay again. I have switched the main link to Wormhole, because it's now my preferred option - and because File.pizza has been up and down for me in the past as well.

1 more reply

lancepioch4y ago

I swear I've tried it several times over several years. I've never gotten it to work.

NeoLaval4y ago

http://Gofile.io File sharing and storage platform, unlimited and free

rorykoehler4y ago

https://snapdrop.net/ is another

ctpide4y ago

We build a web app for e2ee file transfer:

https://arcano.app

puchatek4y ago

That website or yours should be its own hn article.

seriousquestion4y ago

Thanks, useful site!

timvisee4y ago

Maintainer here, thanks for posting!

Feel free to ask any questions.

Want to try it out? I've a public instance at: https://send.vis.ee/

Other instances: https://github.com/timvisee/send-instances/

A docker-compose template: https://github.com/timvisee/send-docker-compose

alexmcc814y ago

I was wondering why I recognised your name - you're the main developer of ffsend. Thanks for all the work! I really hope you get more people interested in maintaining and developing Send.

timvisee4y ago

Yes! Thanks! :)

1 more reply

Ameo4y ago

Hey - love this project! I was able to get an instance deployed with Nginx reverse proxy without too much trouble. Password encryption doesn't seem to be working, but that might be some weird header issue thing with the reverse proxy setup and I'm not too worried about it.

One thing I was wondering is if/how expired files are cleaned up. I uploaded a large file, set it to expire after 5 minutes, and although I can't download it anymore I see that it's still in the files directory on my server.

I glanced through the code, but I didn't see any mechanism for periodically purging expired files or anything like that. Is there something that I missed, or should I just set up a cron job or something to delete all files in that directory older than a week?

timvisee4y ago

> but I didn't see any mechanism for periodically purging expired files or anything like that. (...) should I just set up a cron job or something to delete all files in that directory older than a week?

You're right. Expired files that don't reach their download limit are kept on the server. Due to implementation details there is no 'nice' way to do this from Send itself. If using S3 as storage you can configure a LifeCycle Policy, if using raw disk storage you can set up a cron.

See an example here: https://github.com/timvisee/send-docker-compose/blob/master/...

All uploaded files have a prefixed number which defines the lifetime in days (e.g.: `7-abcdefg` for 7 days expiry). So you can be a little smarter with cleaning up.

I should describe this clearly in documentation.

1 more reply

newman3144y ago

Why does it say "We don't recommend using docker-compose for production."?

I'd like to understand the reasoning behind this. Thanks.

timvisee4y ago

Good question. I don't have very good reasoning for it, and I haven't put it there. I might need to remove it.

Someone asked this before, here is my answer (bottom quote): https://github.com/timvisee/send-docker-compose/issues/3#iss...

AdmiralAsshat4y ago

What level of logging/privacy can we expect from a self-hosted instance? I had faith in Mozilla's commitment to privacy, but I don't necessarily trust some random dude's AWS instance.

timvisee4y ago

> What level of logging/privacy can we expect from a self-hosted instance?

It really depends on who is hosting it.

Send itself doesn't really log anything except for errors. A reverse proxy in front of it might be used for an access log, which is default with the docker-compose template for it. Files are always encrypted on the client, and it or its keys are never seen on the server.

If you're wondering for the instance I've linked: it runs on Digital Ocean. I have an access log (IP per request, for 24h), I can list encrypted blobs and their metadata (creation time, size), and that's pretty much it.

NortySpock4y ago

Naïve question here, but is there a config setting that would work without HTTPS?

I run a home server just for internal use and it might be nice to send files via a link for memes, jokes, quick one-shot uses rather than storing it on a samba share, etc, but it doesn't have a public-facing URL for confirming a LetsEncrypt certificate.

timvisee4y ago

If you really don't want to use a certificate, just configure the base URL to be a http: address. That should work fine! Feel free to open an issue otherwise.

1 more reply

jclulow4y ago

You could self-sign a certificate, or if your internal URLs use a subdomain of a public domain you control you could use DNS challenges for Let's Encrypt.

SLWW4y ago

Have you had many issues with abuse?

For private instances could there be an option for requiring a login before upload?

timvisee4y ago

> Have you had many issues with abuse?

In the last year, I've had 1 DMCA request. And I've blocked one IP that was uploading half a terabyte.

> For private instances could there be an option for requiring a login before upload?

Not built-in, right now. But you can easily set up HTTP Basic Auth on a reverse proxy that you put in front of it.

alexmcc814y ago

Do you have any major new features in mind you would like to implement (assuming you had time + help)?

timvisee4y ago

I don't have anything planned.

But with infinite time, I'd:

- add some form of authentication, to limit uploads for example

- add a way to preview files on the Send page itself

- provide integrations with other platforms

- resolve outstanding issues

1 more reply

skavi4y ago

I was wondering where I had seen your name before, and then after scrolling through your GitHub, I realized it was your Advent of Code 2020 solutions in Rust. Those were absolutely beautiful.

timvisee4y ago

Thanks a bunch! That's awesome to read!

antaviana4y ago

How is end-to-end encryption achieved? By storing the password in the URL and not logging the URL when the file is fetched at the receiving end?

timvisee4y ago

Encryption is done with JavaScript on the client. The decryption key is attached as hash to the download URL on the client side as well.

When visiting the URL, the key never reaches the server because the hash-part of an URL is never sent and is a local-only thing. So there's no need to strip logging. The client downloads the encrypted blob, and decrypts it on the client.

More info: https://www.reddit.com/r/firefox/comments/lqegb5/reminder_th...

And: https://github.com/timvisee/ffsend#security

ev14y ago

#xxxx contents aren't sent to the server at all, if you trust the underlying javascript running in browser.

andredzOP4y ago

You are welcome (poster here :-)). And thanks to you for maintaining a great, and useful, piece of software. I recently needed something like Firefox Send that could have files uploaded for longer than 1 day but no more than 7 days and Send (and your public instance) was perfect for such task.

zie4y ago

Thanks for maintaining this! I just upgraded our local mozilla copy to your version, works great and was seamless!

carom4y ago

Thanks for doing this. I used Send regularly and miss it.

stavros4y ago

This is fantastic, well done! A very useful service, and I loved it when it was Firefox Send. I'll be sure to use this now.

mxuribe4y ago

@timvisee I have no questions, but just wanted to thank you for your work on this!!! Thank you, thank you, thank you!

timvisee4y ago

surround4y ago

An observation. This is the second time today we've had a submission link to github, even though the main repo is on gitlab (the first was https://news.ycombinator.com/item?id=27047243)

forgotpwd164y ago

How is ClearURLs' main repo on GitLab when their main site[0] links to both and their docs[1] link *only* to GitHub?

[0]: https://clearurls.xyz

[1]: https://docs.clearurls.xyz/latest/

Izkata4y ago

The README on the repo itself links to gitlab, including the "create an issue" link: https://github.com/ClearURLs/Addon/#contribute

1 more reply

fouric4y ago

This is excellent! I've been missing Firefox Send ever since they took it down.

However, it needs to be hosted somewhere.

...and if I'm going to be using a hosted service, I'd like the ability to easily pay for it (so that it doesn't eventually collapse or resort to shady things like ads), either though donations or microtransactions for bandwidth/storage.

Unfortunately, there's no good microtransaction service.

Wasn't Mozilla working on one? Where did that go?

...and thus, we've gone full circle.

And I'm typing this comment in a Chrome browser, because my company is migrating away from Firefox due to "security issues".

timvisee4y ago

This is a comment for my instance specifically, but you might find it nice to know:

The https://send.vis.ee/ is mostly funded by donations right now. I do not plan to take it down, unless the cost becomes a problem. I'll never resort to ads.

If this ever happens, I'll likely show a warning beforehand. Some time later I'll disable the upload page, and will take the rest of it down the week after. Files have a maximum lifetime of a week anyway. So if you discover this when uploading, you can simply switch to some other service. Existing links should not break.

There's a donation link on the bottom of the page (https://vis.ee/donate). But feel free to use it without a contribution.

U8dcN7vx4y ago

You can host your own Send, and the host need not exist when there's nothing you are sharing which is right in-line with utility computing as provided by "cloud" hosting companies like Amazon, Microsoft, Oracle, &c. Should be possible for under $5 for a month of Send operation provided low disk space suffices, say under 5GB. Perhaps not micro enough though.

fouric4y ago

Yes, the problem is that it's "not micro enough". The value of this service is low enough that it's not worth it for me to self-host, and the financial overhead of cloud providers is enough that it would cost far more for me to spin up a dedicated instance than pay someone for the fractional cost of usage of their instance.

More generally, I want the ability to make microtransactions (substitute "extremely low-friction donations" if you will) for everything that could be "free" but also costs money (bandwidth, compute, storage), because no matter how much free time I have, there will always be services that I could benefit from, but are low-enough-value that it's not worth it for me to self-host or get a cloud host myself.

circularfoyers4y ago

Did your company actually gives any details for those supposed security issues?

neuronic4y ago

Probably more related to financial security...

matham4y ago

Do you know what led Mozilla to stop this experiment (I'm assuming spam)? Will this not be an issue for your instances as well?

IainIreland4y ago

The announcement is here: https://support.mozilla.org/en-US/kb/what-happened-firefox-s...

Quick summary: it was being used for malware and phishing, aggravated by the trustworthy-seeming firefox.com URL.

simias4y ago

I think the shifting "product focus" is probably the main factor here, simply because such a service being used for malware hosting was completely predictable from day 1. When they started they probably thought that it was worth it, then later on they changed their mind. That or they were incredibly naive.

1 more reply

timvisee4y ago

They said they stopped due to spam, but there might be more to it because they also had quite a lot of layoffs that period. I don't know.

I can imagine spam being a problem with such a service with a well recognized brand name.

itake4y ago

This is self-hosted, so probably easier to apply security through obscurity.

redkoala4y ago

That means no security at all. Without a way to link files being hosted to identity or inspecting the contents of the files, there is no barrier to prevent spam and illegal files from being hosted.

Black1014y ago

they have a public instance... and just like Mozilla's version you can self-host... but either way we need more services like this.

1 more reply

gsich4y ago

Storage in S3 is not cheap.

Jhsto4y ago

After trying all these WebRTC options and the NAT traversal service (STUN, iirc) always being down, I ended up using IPFS instead. With public gateways from CloudFlare it is very easy to effectively drag and drop files and have them accessible via the IPFS-to-HTTPs gateway.

livre4y ago

For the rare times I have to do this I run a local server and the free version of CloudFlare argo tunnel. It provides an https url so the upload/download is safe from ISP snooping, there are also no size limits, you can send a 30GB file if you need to do that.

https://blog.cloudflare.com/a-free-argo-tunnel-for-your-next...

dennis-tra4y ago

https://share.ipfs.io/#/ is also very convenient for simple p2p file transfers.

spaniard892774y ago

How does this work. Does the file need to pass through a server before reaching the other end? or is it streaming directly between sender and receiver?

Also, does it need to put the whole file in RAM first?

1 more reply

TedDoesntTalk4y ago

Doesn’t IPFS have problems with persistence? IOW you can’t guarantee a file will be available?

Jhsto4y ago

There's two persistence types: pinned and unpinned files. Pinned files persist, but someone needs to seed them at least occasionally. Unpinned files get eventually garbage collected. If you want to share a file, you don't need to pin it if the recipient for example tells you when the download is complete. In this sense, all these WebRTC examples are more equivalent to unpinned files.

nkellenicki4y ago

As long as you keep your node up and running your content will never disappear. So if you just want to share files with friends I can see this working well - just keep your node available.

fireattack4y ago

Semi-related, but is GitHub's search by programming language feature broken on this repo?

I'm curious about "FreeMarker" being the top language so I clicked on it, surprisingly it returns zero code: https://github.com/timvisee/send/search?l=freemarker

So does "javascript": https://github.com/timvisee/send/search?l=javascript

emi2k014y ago

Search is disabled for forked repositories in github. It's better to create a new repo and push the code if you want a fork.

Search in original repo works: https://github.com/mozilla/send/search?l=javascript

circularfoyers4y ago

The other option too would be just to clone the repo locally and use grep, find, etc. That seems the simpler option if you just want to perform a search.

1 more reply

hojjat120004y ago

Naive question: The github page says 62% of the languages used in this repo is FreeMarker. I checked the repo and every file I look at is js, what and where is FreeMarker?

niea_114y ago

I can't find any freemarker templates on the project, but apparently it's using i18n files with an ".ftl" extension which is the default extension for freemarker templates.

Ex: https://github.com/timvisee/send/blob/master/public/locales/...

sciurus4y ago

Yeah, those files are for https://projectfluent.org/

timvisee4y ago

I don't know. Have been asking myself the same question the past month.

TheDong4y ago

I think it's the locale files, like this one: https://github.com/timvisee/send/blob/master/public/locales/...

If you look at github/linguist, that's what recognizes languages in repos. It has this rule for FreeMarker: https://github.com/github/linguist/blob/32ec19c013a7f81ffaee...

It seems a .ftl extension means FreeMarker to linguist, so those localizations show up as such.

1 more reply

chungy4y ago

GitHub's language "detection" is ridiculously naïve and basically limited to examining file names only, not content.

voiper14y ago

I'm liking croc with a CLI on each end.

psanford4y ago

croc just had multiple major vulnerabilities discovered that required protocol breaking changes to fix: https://redrocket.club/posts/croc/

anaganisk4y ago

So fixed right?

2 more replies

neodymiumphish4y ago

I know everybody's posting tons of alternatives already, but I'm curious why https://transfer.sh isn't included. It has very simple instructions for encrypting against a recipient's Keybase GPG key, works from the site or command line, and has 14 days of retention.

Just curious, since I keep seeing Wormhome mentioned, but I never seem to see anyone mention Transfer (unless it's just a lesser known option and I happened to hear of it early).

andredzOP4y ago

There's also a CLI for Send (ffsend): https://github.com/timvisee/ffsend

pornel4y ago

The big advantage of Firefox Send was that it was hosted by Mozilla, and I could trust that Mozilla wouldn't have any backdoor in the service.

When the same project is hosted by someone that I don't know, I can't be sure that they won't modify it to peek at the files (I'm not going to perform a full code audit on every page load).

tym04y ago

Is there a way to use ffsend if I drop some basic auth in front of the upload?

timvisee4y ago

Yes! `ffsend upload --basic-auth USER:PASS FILE`

Macha4y ago

It would be nice to set arbitrary (or at least Bearer) Auth tokens too in case you put it behind some oauth enforcing gateway like authelia

NeoLaval4y ago

https://blaze.vercel.app/

SubiculumCode4y ago

I'd like to set this up one up of my own servers...

Black1014y ago

Best HN post in months...

cassepipe4y ago

Oh, I forgot about that one. Yet another Mozilla project that worked well that was abandoned. (Remember Firefox OS? https://killedbymozilla.com/) I know what you're thinking : They did not abandon Rust ! Well I just learned from a post that recently made it to the HN front page that management was considering dropping Rust. The only reason they did not was because of someone who fought hard for it.

dralley4y ago

It wasn't "abandoned" it was shut down because it was being used by malicious parties to deliver malware, and worse.

cassepipe4y ago

Can't any cloud storage service be used to deliver malware?

1 more reply

j / k navigate · click thread line to collapse

141 comments

kickscondor4y ago

Some other WebRTC file transfer options:

* https://wormhole.app/ (my recent fave, by creator of WebTorrent, holds for 24h, https://instant.io by same)

* https://file.pizza/ (p2p, nothing stored)

* https://webwormhole.io/ (same, but has a cli)

* https://www.sharedrop.io/ (same, does qr codes)

* https://justbeamit.com/ (same, expires in 10 minutes)

* https://send.vis.ee (hosted version of this code)

* https://send.tresorit.com/ (not p2p, 5 GB limit, encrypted)

I track these tools here: https://href.cool/Web/Participate/

carbonatedmilk4y ago

love Wormhole, but that animated background chews up an incredible amount of battery power on my M1 Macbook Air (even when the tab is in the background). Please wormhole crew, turn it off.

feross4y ago

We recently made a one-line change that massively reduced GPU usage, specifically:

- Intel integrated graphics: 60% reduction

- AMD Radeon: 40% reduction

- Apple M1: 10% reduction

What was the change? We removed "opacity: 85%" from the <canvas> element. We were using opacity to slightly darken the animation but now we just darken the texture image directly.

1 more reply

Farow4y ago

You can "hide" it with uBlock Origin by blocking large media elements in the popup.

1 more reply

pimterry4y ago

2 more replies

FriedrichN4y ago

Set webgl.disabled to true if you're using Firefox.

BiteCode_dev4y ago

And if you have a sucky connection, it's slow has hell to load.

1 more reply

arafatamim4y ago

Turn on "reduced motion" setting on your Mac.

FounderBurr4y ago

Wouldn’t it be easier for you to manage what you expend your battery on?

1 more reply

iagovar4y ago

Hmmm, it seems like https://webwormhole.io/ has changed from last time I used it. https://wormhole.app/ seems more similar to what I remembered as frontend.

WebRTC services seem to have problems to get up to speed, but for streaming files between devices it seems the best solution in terms of friction.

lxgr4y ago

The speed problems interestingly seem to be caused by a bug in an implementation of SCTP used by most (all?) WebRTC browser implementations:

https://github.com/saljam/webwormhole/issues/55

1 more reply

dennis-tra4y ago

I‘ve also built a file transfer tool (CLI) with emphasis on decentralization. It’s a fully decentralized p2p file transfer tool based on libp2p:

https://github.com/dennis-tra/pcp

I‘m currently trying to make it interoperable with https://share.ipfs.io/#/ which resembles the functionality of the posted tool.

kickscondor4y ago

Seems very similar to 'hyp beam': https://github.com/hypercore-protocol/cli

dschep4y ago

kickscondor4y ago

Ah neat! I've added all of the links in the comments here to my list - great to see what's out there and to combine our collections.

fckthisguy4y ago

Dumbdo4y ago

There's also https://github.com/schollz/croc which is a very simple P2P CLI transfer tool.

fljsdflsdfjdslf4y ago

Missing https://dropbox.com/transfer

ehsankia4y ago

Is that using WebRTC, or are they hosting the files on their backend?

elliebike4y ago

I’m a fan of Kipp! Not p2p, but has optional encryption

https://kipp.6f.io/

ca98am794y ago

I made these:

https://file.io

https://temporary.pw

Ansil8494y ago

> I track these tools

How frequently do you validate that they are still functional?

I tried File Pizza several months ago, and neither I nor the recipient could get it to work.

kickscondor4y ago

1 more reply

lancepioch4y ago

I swear I've tried it several times over several years. I've never gotten it to work.

NeoLaval4y ago

http://Gofile.io File sharing and storage platform, unlimited and free

rorykoehler4y ago

https://snapdrop.net/ is another

ctpide4y ago

We build a web app for e2ee file transfer:

https://arcano.app

puchatek4y ago

That website or yours should be its own hn article.

seriousquestion4y ago

Thanks, useful site!

timvisee4y ago

Maintainer here, thanks for posting!

Feel free to ask any questions.

Want to try it out? I've a public instance at: https://send.vis.ee/

Other instances: https://github.com/timvisee/send-instances/

A docker-compose template: https://github.com/timvisee/send-docker-compose

alexmcc814y ago

I was wondering why I recognised your name - you're the main developer of ffsend. Thanks for all the work! I really hope you get more people interested in maintaining and developing Send.

timvisee4y ago

Yes! Thanks! :)

1 more reply

Ameo4y ago

timvisee4y ago

See an example here: https://github.com/timvisee/send-docker-compose/blob/master/...

All uploaded files have a prefixed number which defines the lifetime in days (e.g.: `7-abcdefg` for 7 days expiry). So you can be a little smarter with cleaning up.

I should describe this clearly in documentation.

1 more reply

newman3144y ago

Why does it say "We don't recommend using docker-compose for production."?

I'd like to understand the reasoning behind this. Thanks.

timvisee4y ago

Good question. I don't have very good reasoning for it, and I haven't put it there. I might need to remove it.

Someone asked this before, here is my answer (bottom quote): https://github.com/timvisee/send-docker-compose/issues/3#iss...

AdmiralAsshat4y ago

What level of logging/privacy can we expect from a self-hosted instance? I had faith in Mozilla's commitment to privacy, but I don't necessarily trust some random dude's AWS instance.

timvisee4y ago

> What level of logging/privacy can we expect from a self-hosted instance?

It really depends on who is hosting it.

NortySpock4y ago

Naïve question here, but is there a config setting that would work without HTTPS?

timvisee4y ago

If you really don't want to use a certificate, just configure the base URL to be a http: address. That should work fine! Feel free to open an issue otherwise.

1 more reply

jclulow4y ago

You could self-sign a certificate, or if your internal URLs use a subdomain of a public domain you control you could use DNS challenges for Let's Encrypt.

SLWW4y ago

Have you had many issues with abuse?

For private instances could there be an option for requiring a login before upload?

timvisee4y ago

> Have you had many issues with abuse?

In the last year, I've had 1 DMCA request. And I've blocked one IP that was uploading half a terabyte.

> For private instances could there be an option for requiring a login before upload?

Not built-in, right now. But you can easily set up HTTP Basic Auth on a reverse proxy that you put in front of it.

alexmcc814y ago

Do you have any major new features in mind you would like to implement (assuming you had time + help)?

timvisee4y ago

I don't have anything planned.

But with infinite time, I'd:

- add some form of authentication, to limit uploads for example

- add a way to preview files on the Send page itself

- provide integrations with other platforms

- resolve outstanding issues

1 more reply

skavi4y ago

I was wondering where I had seen your name before, and then after scrolling through your GitHub, I realized it was your Advent of Code 2020 solutions in Rust. Those were absolutely beautiful.

timvisee4y ago

Thanks a bunch! That's awesome to read!

antaviana4y ago

How is end-to-end encryption achieved? By storing the password in the URL and not logging the URL when the file is fetched at the receiving end?

timvisee4y ago

Encryption is done with JavaScript on the client. The decryption key is attached as hash to the download URL on the client side as well.

More info: https://www.reddit.com/r/firefox/comments/lqegb5/reminder_th...

And: https://github.com/timvisee/ffsend#security

ev14y ago

#xxxx contents aren't sent to the server at all, if you trust the underlying javascript running in browser.

andredzOP4y ago

zie4y ago

Thanks for maintaining this! I just upgraded our local mozilla copy to your version, works great and was seamless!

carom4y ago

Thanks for doing this. I used Send regularly and miss it.

stavros4y ago

This is fantastic, well done! A very useful service, and I loved it when it was Firefox Send. I'll be sure to use this now.

mxuribe4y ago

@timvisee I have no questions, but just wanted to thank you for your work on this!!! Thank you, thank you, thank you!

timvisee4y ago

surround4y ago

An observation. This is the second time today we've had a submission link to github, even though the main repo is on gitlab (the first was https://news.ycombinator.com/item?id=27047243)

forgotpwd164y ago

How is ClearURLs' main repo on GitLab when their main site[0] links to both and their docs[1] link *only* to GitHub?

[0]: https://clearurls.xyz

[1]: https://docs.clearurls.xyz/latest/

Izkata4y ago

The README on the repo itself links to gitlab, including the "create an issue" link: https://github.com/ClearURLs/Addon/#contribute

1 more reply

fouric4y ago

This is excellent! I've been missing Firefox Send ever since they took it down.

However, it needs to be hosted somewhere.

Unfortunately, there's no good microtransaction service.

Wasn't Mozilla working on one? Where did that go?

...and thus, we've gone full circle.

And I'm typing this comment in a Chrome browser, because my company is migrating away from Firefox due to "security issues".

timvisee4y ago

This is a comment for my instance specifically, but you might find it nice to know:

The https://send.vis.ee/ is mostly funded by donations right now. I do not plan to take it down, unless the cost becomes a problem. I'll never resort to ads.

There's a donation link on the bottom of the page (https://vis.ee/donate). But feel free to use it without a contribution.

U8dcN7vx4y ago

fouric4y ago

circularfoyers4y ago

Did your company actually gives any details for those supposed security issues?

neuronic4y ago

Probably more related to financial security...

matham4y ago

Do you know what led Mozilla to stop this experiment (I'm assuming spam)? Will this not be an issue for your instances as well?

IainIreland4y ago

The announcement is here: https://support.mozilla.org/en-US/kb/what-happened-firefox-s...

Quick summary: it was being used for malware and phishing, aggravated by the trustworthy-seeming firefox.com URL.

simias4y ago

1 more reply

timvisee4y ago

They said they stopped due to spam, but there might be more to it because they also had quite a lot of layoffs that period. I don't know.

I can imagine spam being a problem with such a service with a well recognized brand name.

itake4y ago

This is self-hosted, so probably easier to apply security through obscurity.

redkoala4y ago

That means no security at all. Without a way to link files being hosted to identity or inspecting the contents of the files, there is no barrier to prevent spam and illegal files from being hosted.

Black1014y ago

they have a public instance... and just like Mozilla's version you can self-host... but either way we need more services like this.

1 more reply

gsich4y ago

Storage in S3 is not cheap.

Jhsto4y ago

livre4y ago

https://blog.cloudflare.com/a-free-argo-tunnel-for-your-next...

dennis-tra4y ago

https://share.ipfs.io/#/ is also very convenient for simple p2p file transfers.

spaniard892774y ago

How does this work. Does the file need to pass through a server before reaching the other end? or is it streaming directly between sender and receiver?

Also, does it need to put the whole file in RAM first?

1 more reply

TedDoesntTalk4y ago

Doesn’t IPFS have problems with persistence? IOW you can’t guarantee a file will be available?

Jhsto4y ago

nkellenicki4y ago

As long as you keep your node up and running your content will never disappear. So if you just want to share files with friends I can see this working well - just keep your node available.

fireattack4y ago

Semi-related, but is GitHub's search by programming language feature broken on this repo?

I'm curious about "FreeMarker" being the top language so I clicked on it, surprisingly it returns zero code: https://github.com/timvisee/send/search?l=freemarker

So does "javascript": https://github.com/timvisee/send/search?l=javascript

emi2k014y ago

Search is disabled for forked repositories in github. It's better to create a new repo and push the code if you want a fork.

Search in original repo works: https://github.com/mozilla/send/search?l=javascript

circularfoyers4y ago

The other option too would be just to clone the repo locally and use grep, find, etc. That seems the simpler option if you just want to perform a search.

1 more reply

hojjat120004y ago

Naive question: The github page says 62% of the languages used in this repo is FreeMarker. I checked the repo and every file I look at is js, what and where is FreeMarker?

niea_114y ago

I can't find any freemarker templates on the project, but apparently it's using i18n files with an ".ftl" extension which is the default extension for freemarker templates.

Ex: https://github.com/timvisee/send/blob/master/public/locales/...

sciurus4y ago

Yeah, those files are for https://projectfluent.org/

timvisee4y ago

I don't know. Have been asking myself the same question the past month.

TheDong4y ago

I think it's the locale files, like this one: https://github.com/timvisee/send/blob/master/public/locales/...

If you look at github/linguist, that's what recognizes languages in repos. It has this rule for FreeMarker: https://github.com/github/linguist/blob/32ec19c013a7f81ffaee...

It seems a .ftl extension means FreeMarker to linguist, so those localizations show up as such.

1 more reply

chungy4y ago

GitHub's language "detection" is ridiculously naïve and basically limited to examining file names only, not content.

voiper14y ago

I'm liking croc with a CLI on each end.

psanford4y ago

croc just had multiple major vulnerabilities discovered that required protocol breaking changes to fix: https://redrocket.club/posts/croc/

anaganisk4y ago

So fixed right?

2 more replies

neodymiumphish4y ago

Just curious, since I keep seeing Wormhome mentioned, but I never seem to see anyone mention Transfer (unless it's just a lesser known option and I happened to hear of it early).

andredzOP4y ago

There's also a CLI for Send (ffsend): https://github.com/timvisee/ffsend

pornel4y ago

The big advantage of Firefox Send was that it was hosted by Mozilla, and I could trust that Mozilla wouldn't have any backdoor in the service.

When the same project is hosted by someone that I don't know, I can't be sure that they won't modify it to peek at the files (I'm not going to perform a full code audit on every page load).

tym04y ago

Is there a way to use ffsend if I drop some basic auth in front of the upload?

timvisee4y ago

Yes! `ffsend upload --basic-auth USER:PASS FILE`

Macha4y ago

It would be nice to set arbitrary (or at least Bearer) Auth tokens too in case you put it behind some oauth enforcing gateway like authelia

NeoLaval4y ago

https://blaze.vercel.app/

SubiculumCode4y ago

I'd like to set this up one up of my own servers...

Black1014y ago

Best HN post in months...