Remove the statement about Send's official instance

anonymous261 · May 14, 2025, 3:06am

Send’s official instance will be terminated by May 24.

Could Privacy Guides plan on hosting an instance?

KevPham · May 14, 2025, 3:35pm

This seems like an easy of enough change. All in favor for it personally

jonah · May 14, 2025, 3:37pm

Costs are getting too high to keep hosting this service.

I wonder what their costs actually are?

Weewaawoo · May 15, 2025, 2:31am

Maybe a link to the official list of public instances instead?

Edit: scratch this idea. There dev notes that there is no way to verify the instances for security/privacy. The best option is for another trusted group to fill the void or of course self hosting.

jonah · May 15, 2025, 2:58am

I think ultimately all of these instances will fall to the original reason Firefox Send was discontinued:

Unfortunately, some abusive users were beginning to use Send to ship malware and conduct spear phishing attacks. This summer we took Firefox Send offline to address this challenge.

redoomed1 · May 15, 2025, 3:54am

github.com/privacyguides/privacyguides.org

update: Remove mentions of Send's defunct official instance

main ← send-and-instances

opened 03:17AM - 15 May 25 UTC

redoomed1

+65 -50

List of changes proposed in this PR: - Send - Remove mentions of Send's of…ficial instance as it will be terminated by May 24 - Relevant discussion: https://discuss.privacyguides.net/t/remove-the-statement-about-sends-official-instance/27564 - Link to the project's repository instead of the defunct official instance for the card's primary button - Document Collaboration page - Mention CryptPad's official public instance and add button that links to list of public instances - Frontends page - Move the admonition about Old Reddit from under the Redlib card to under the "Reddit" header since it's not directly related to Redlib - General Changes - Move lines about public instances and more technical information to the description under recommendation cards based on [this feedback](https://github.com/privacyguides/privacyguides.org/pull/3032#discussion_r2087450680) and to keep card descriptions succinct - Spell out abbreviations like "E2EE" for the first instance of the term on the page, then use the abbreviation for the subsequent instances - For "Repository" buttons, embed direct links to project's Readme to differentiate them from "Source Code" links

Niek-de-Wilde · May 15, 2025, 7:07am

This is why we cannot have nice things.

jonah · May 15, 2025, 1:21pm

We need to look into whether using the ffsend CLI tool eliminates the need to trust the instance, because if that tool performs the encryption before upload the risk is very reduced.

any1 · May 16, 2025, 7:15am

ffsend uses client side encryption, to ensure your files are securely encrypted before they are uploaded to the remote host. This makes it impossible for third parties to decrypt your file without having the secret (encryption key). The file and its metadata are encrypted using 128-bit AES-GCM , and a HMAC SHA-256 signing key is used for request authentication. This is consistent with the encryption documentation provided by the Send service, ffsend is a tool for.

Taken from here.

Weewaawoo · May 17, 2025, 3:42pm

But anyone with the url can decrypt the file which would mean the server stores the private key. This wouldn’t be e2ee and would still require trust of the server. As far as the “optional” password it sounds like this happens outside of the encryption. Does it wrap it in another layer of encryption or just an another wall?

any1 · May 23, 2025, 6:23pm

Sorry for the late reply. If one only uses the command line ffsend tool without visiting the hosted instance, the instance never gets the encryption secret, which is stored behind the hash of the URL that can be shared. Using the hosted instance with the website instead of the ffsend command line tool is prone to interception of the encryption secret if the instance has modified the website’s source to steal it. Using only the ffsend command line tool is safe regardless of the instance used because even a malicious instance never gets the encryption key.

TL;DR: ffsend command line tool is safe regardless if instance is malicious.

Source

Weewaawoo · May 23, 2025, 9:38pm

This is excellent news. Thanks for explaining.

redoomed1 · May 28, 2025, 1:47am

The official instance now shows a termination date of June 7th.

Following the information provided by @any1, I think we can do more than just remove the statement about Send’s official instance:

Topic		Replies	Views
Add Send (Firefox Send fork) to the File Sharing and Sync Page Tool Suggestions completed	26	2049	November 13, 2022
Remove Send Tool Suggestions rejected	3	526	January 22, 2024
Mention services server code availability Site Development	2	175	November 29, 2024
Recommend specific Frontends instances Site Development	7	789	January 13, 2025
PrivacyGuides Offline? (Back Online Now!) Meta other	11	475	November 16, 2024

Remove the statement about Send's official instance

Related topics