That's essentially how mega.io works. The browser encrypts before upload, and the key is added to the download URL. When downloading, the browser uses the key in the URL for local decryption.
The intention is for them to have no access to or knowledge of file contents. Since the key is the URL, and URLs are generally sent to the server by the browser, Mega could (presumably) get the keys when someone follows the download link.
I believe removing the key from the URL still works, the site just prompts for it when needed, but that could also make its way to Mega if they ever decided they wanted it. It seems like a decent approach for ease of use, but has some weaknesses if security is the main goal. Encrypting separately before upload is still a very good idea if it matters for whatever reason.
The key is in the part of the URL after the #, which currently is never sent to servers in any browser, but I suppose that could change.
The more secure method IMO to using the web client (which could have malicious JS pushed to it at any time), would be to use a standalone mega client that you control the source to and can verify yourself.
Seems interesting. With a file limit as high as 300 gigabytes, I assume the only way they’re able to afford hosting it is because they don't have many users, so I wouldn’t expect this site to stay around for very long. I’ve seen many similar websites come and go over the years.
Interesting as maybe a side project to learn about how the ecosystem works and I like the idea of upload it’s a torrent, not sure I’ve seen that before.
I have to ask though, how are you supporting such large file sizes for free?
12 comments
[ 3.2 ms ] story [ 40.5 ms ] threadI wonder if this kind of service could be implemented without needing to trust the host at all?
https://securesha.re/
The intention is for them to have no access to or knowledge of file contents. Since the key is the URL, and URLs are generally sent to the server by the browser, Mega could (presumably) get the keys when someone follows the download link.
I believe removing the key from the URL still works, the site just prompts for it when needed, but that could also make its way to Mega if they ever decided they wanted it. It seems like a decent approach for ease of use, but has some weaknesses if security is the main goal. Encrypting separately before upload is still a very good idea if it matters for whatever reason.
The more secure method IMO to using the web client (which could have malicious JS pushed to it at any time), would be to use a standalone mega client that you control the source to and can verify yourself.
I have to ask though, how are you supporting such large file sizes for free?