How does sending files work?
When you send files, they are encrypted in your browser before being uploaded to our servers. With Hexiosec Transfer your files never leave your computer unencrypted, and are never copied or stored unencrypted.
After encrypting and uploading is complete, you'll get a download link that you can share with your recipients so they can easily get the files.
Only the recipients receive this full link to download and decrypt the files. They have to download the files before the link expires. You can cancel links at any point.
How does transfer work if Hexiosec don't ever see the keys?
The full sharing link includes the file location and the decryption keys, and only someone with this full link can download the files.
The key is generated in your device's web browser, and is never sent to us—not even when the recipient clicks the link to download and decrypt the files.
Can I apply additional controls?
Yes. With Hexiosec Transfer you can apply additional controls when uploading or requesting files. Depending on the version you have, you can also set:
- The number of times a file can be downloaded.
- How long the file is retained before it expires.
- An additional password required to decrypt the files, in addition to the link, as a form of two‑factor authentication. Of course, it's crucial that the password is shared separately to the link.
- Email verification, which requires the named recipients to verify their email address before downloading the files.
When the file expires, either because the duration or number of downloads expires, it is automatically deleted from our servers and is gone forever.
How does requesting a file work?
As well as using Transfer to securely send files, it can also be used to request files. And, like sharing, the recipient of the request does not need a Transfer account.
To receive a file you generate an sharing request, which creates a unique link to be shared with the person who has the files to send to you. With the sharing request link they can send files to you with full end-to-end encryption.
When the sender has used the sharing request link to send files to you, the files will be available in your Hexiosec Transfer inbox, and are decrypted using your key.
Is it secure?
At all points during a transfer, including when on our servers, the files are encrypted using keys that only you hold.
Only you can view the details of files or sharing requests you have already shared. Once a file or sharing request is expired, the keys in your browser are also removed. For those who want the gory details:
- The files are all end-to-end encrypted, using AES-256 in Galois Counter Mode (GCM).
- Encryption key derivation uses PBKDF2 and HKDF. AES key wrap is used to protect your local keys.
- When you send file sharing requests, the encryption keys are themselves negotiated using ECDH and NIST curve P-384.
- Your browsing traffic is encrypted using TLS versions 1.2 or 1.3
Remember: end-to-end encryption means that we cannot access your files, only your recipients can.
Is Hexiosec Transfer similar to Firefox Send?
Hexiosec Transfer was inspired by Firefox Send, but we've taken it much further.
Firefox Send was a great file sharing application from the Mozilla Foundation, but as detailed on their blog, it had to be closed down as it was frequently being used for malicious purposes—primarily due to its anonymity.
We've started with their approach, added authentication (thus removing the anonymity), built in more features, and improved security.
There are three source files in Hexiosec Transfer that have come from the original Firefox Send project. As per their license agreement, we have made these files available here.
