The Evils of Encryption
People who know me know that I am always railing against people who want to curb encryption, but encryption does present legitimate problems.
Firefox Send is a great program that allows users to encrypt data – large files – and send a link to a recipient to allow them to download the file. I use it regularly. Well, I used to.
This week Mozilla shut it down – hopefully temporarily – while they figure out a solution. What is the problem?????
The service presents several problems; here are a couple.
For example, you can set Send to delete the file after ONE download. That means that investigators who want to look at it to figure out its origin can’t cuz it is gone.
Firefox URLs are typically trusted inside organizations, so in the name of efficiency, they might not be scanned.
Gangs don’t have to figure out an anonymous way to deliver payloads – even big ones. Firefox does it for them.
Files can be password protected making it impossible for man in the middle corporate decryption to scan the files.
While Mozilla is being a good corporate citizen and took the service down until they can figure out how to deal with some of these issues, they are not issues limited to Send. Any file transfer service with similar features is equally vulnerable.
At the corporate level, one solution is easy. Consider Send malicious (even when it isn’t) and block it via a deny-list or firewall rule. Kind of heavy handed. Of course you have to do this for every single competitor of Send.
Also of course, you then need to give users an approved alternative.
It would also seem that you can get your arms around this by always scanning Send attachments.
None the less, apparently it is enough of a magnet for hackers that Firefox shut it down.
Is your organization safe from this type of attack? I suggest you take steps now before it is used against you. Credit: ZDNet