For years, businesses and governments have used secure file transfer to send sensitive files across the Internet. Their methods included virtual private networks, secure encrypted file transfer (sftp and ftps), and transfers of secure / encrypted files. Today, the “gold standard” probably includes all three of these techniques simultaneously.
But personal file transfer has been quite different. Most people simply attach an un-encrypted file to an email message that is then sent across an un-encrypted email infrastructure. Sometimes, people place an un-encrypted file on a USB stick. These people perform a ‘secure file transfer’ by handing the USB stick to a known (and trusted) recipient. More recently, secure file transfers could be characterized by trusting a third-party data hosting provider. For many people, these kinds of transfers are secure enough.
Are Personal File Transfers Inherently Secure
These kinds of transfers are NOT inherently secure.
- In the case of email transfers, the only ‘secure’ element might be a user/password combination on the sender or receiver’s mailbox. Hence, the data may be secure while at rest. But Internet email is completely insecure while in transit. Some enterprising people have exploited secure messages (by using tools like PGP/GPG). Others have secured their SMTP connections across a VPN – or an entirely private network. Unfortunately, email is notorious for being sent across numerous relays – any one of which could forward messages insecurely or even read un-encrypted messages. And there is very little validation performed on email metadata (e.g., no To: or From: field validation).
- Placing a file on a USB stick is better than nothing. But there are a few key problems when using physical transfer. First, you have to trust the medium that is being used. And most USB devices can be picked up and whisked away without their absence even being noticed. Yes, you can use encryption to provide protection while the data is on the device. But most folks don’t do this. Second, even if the recipient treats the data with care, the data itself remains on an inherently mobile (and inherently less secure) medium.
- Fortunately, modern users have learned not to use email and not to use physical media for secure file transfer. Instead, many people choose to use a cloud-based file hosting service. These services require logins to access the data. And some of these services even encrypt files while on their storage arrays. And if you’re really thorough when selecting your service provider, secure end-to-end transmission of your data may also be available. Of course, the weakest point of securing such transfers is the service provider. Because the data is at rest in their facility, they would have the availability to compromise the data. So this model requires trusting a third-party to protect your assets. Yes, this is just like a bank that protects your demand deposits. But if you aren’t paying for a trustworthy partner, then don’t be surprised if they find some other means to monetize you and your assets.
What Are The Characteristics of Secure File Transfers?
Secure file transfers should have the following characteristics:
- The data being transferred should be encrypted by the originator and decrypted by the recipient.
- Both the originator and the recipient should be authenticated before access is granted – either to the secure transport mechanism or to the data itself.
- All data transfers must be secured from the originator to the recipient.
- If possible, there should be no points of relay between the originator and the recipient OR there should be no requirements for a third-party to store and forward the complete message.
What Is Your Threat Model?
Are all of these characteristics required? The paranoid security analyst within me says, “Of course they are all required.” That same paranoid person would also add requirements concerning the strength of all of the ciphers that are to be used as well as the use of multi-factor authentication. But the requirements that you have should be driven by the threats that you are trying to mitigate – not by the coolest or most lauded technologies.
For most people, the threat that they are seeking to mitigate is one or more of the following: a) the seizure and exploitation of data by hackers, b) the seizure and exploitation of data by ruthless criminals and corporations, or c) the seizure and exploitation of data by an obsessive (and/or adversarial) governmental authority – whether foreign or domestic. Of course, some people are trying to protect against corporate espionage. Others are seeking to protect against hostile foreign actors. But for the sake of this discussion, I will be focusing upon the threat model encountered by typical Internet users.
Typical Threats For The Common American Family
While some of us do worry about national defense and corporate espionage, most folks are just trying to live their lives in obscurity – free to do the things that they enjoy and the things that they are called to do. They don’t want some opportunistic thief stealing their identity – and their family’s future. They don’t want some corporation using their browsing and purchasing habits in order to generate corporate ad revenue. And they don’t want a government that could obstruct their freedoms – even if it was meant in a benign (but just) cause.
So what does such a person need in a secure file transfer capability? First, they need file transfers to be encrypted – from their desk to the desk of the ultimate recipient. Second, they don’t want to “trust” any third-party to keep their data “safe”. Third, they want something that can use the Internet for transport – but do so in relative safety.
Enter Onionshare
It is rather complex to easily – and securely – share files across the Internet. It can be done easily – via email, ftp, and cloud servers. It can be done reasonably securely – via encrypted email, secure ftp, p2p (e.g., BitTorrent), and even secure cloud services. But all of these secure solutions are relatively difficult to implement. What is needed is a simple tool. Onionshare is just such a tool.
Onionshare was developed by Micah Lee in 2014. It is an application that sets up a hidden service on the TOR network. TOR is a multi-layered encryption and routing tool that was originally developed by the Department of the Navy. Today, it is the de facto reference implementation for secure, point-to-point connections across the Internet. And while it is not a strictly anonymous service, it offer a degree of anonymity that is well beyond the normal browsing experience. For a detailed description of Tor, take a look here. And for one of my first posts about TOR, look here.
Onionshare sets up a web server. It then establishes that server as a .onion service on the TOR network. The application then generates a page (and a URL) for that service. This URL points to a web page with the file(s) to be transferred. The person hosting the file(s) can then securely send the thoroughly randomized URL to the recipient. Once the recipient receives the URL, the recipient can download the file(s). After the secure file transfer is completed, the service is stopped – and the file(s) no longer available on TOR.
Drawbacks
This secure file transfer model has a few key weaknesses. First and foremost, the URL that is presented must be sent securely to the recipient. This can be done via secure email (e.g., ProtonMail to ProtonMail) or via secure IM (e.g., Signal). But if the URL is sent via insecure methods, the data could be potentially hijacked by a hostile actor. Second, there is no authentication that is performed when the ‘recipient’ connects to the .onion service. Whoever first opens that URL in a TOR browser can access (and later delete) the file(s). So the security of the URL link is absolutely paramount. But as there are no known mechanisms to index hidden .onion servers, this method is absolutely sufficient for most casual users who need to securely send sensitive data back-and-forth.
Bottom Line
If you want to securely send documents back-and-forth between yourself and other individuals, then Onionshare is a great tool. It works on Windows, MacOS, and a variety of Linux distros. And the only client requirement to use the temporary .onion server is a TOR-enabled browser. In short, this is about as ‘fire and forget’ as you could ever expect to find.