• peregus@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    16 days ago

    Send lets you share files with end-to-end encryption

    How is this possible if the only thing that is shared between sender and receiver is just a link (that is provided by the website)?

    How can we trust https://send.vis.ee/? Who are they?

    • RmDebArc_5@sh.itjust.works
      link
      fedilink
      arrow-up
      9
      ·
      16 days ago

      How it works: I don’t know about this service in particular, but usually the shared contains the encryption key so like this: example.com/files/file_id/encryption_key or something similar

      As for trust: This appears to be a individual, so you will have to just trust it when using the public instance. However, since it is FOSS, you can audit the code and spin up your own instance

      • peregus@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        16 days ago

        How it works: I don’t know about this service in particular, but usually the shared contains the encryption key so like this: example.com/files/file_id/encryption_key or something similar

        But if the key is in the URL, that’s provided by the server, where’s the utility of the encryption since the server knows it and so does everyone that has the URL?

        • flux@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          16 days ago

          So the trick is to use the #fragment part of the URL, that is not sent to the server.

          Of course the JS one downloads from the server could easily upload it to it, so you still need to trust the JS.

          • peregus@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            16 days ago

            But the JS code could be checked on the webpage, correct? If so, the page could be trysted (if vetted).

            • flux@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              15 days ago

              In theory, yes. But if you follow the link and that leads to downloading the JS and running it, you’re already too late inspecting it.

              And even if you review it once (and it wasn’t too large or obfuscated via minification), the next time you load a page, the JS can be different. I guess there could be a web browser extension for pinning the code?

              The only practial alternative I know of is to have a local client you can review once (and after updates).

  • youmaynotknow@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    16 days ago

    This is cool. If you’re worried about the safety on their instance, spin your own. They have a very clear and simple docker way to do just that.