White Paper
Some more information on the technical details of how Secure Transfer Link works.
Flows
These flows are currently simplified versions intended as an overview; some steps are omitted.
Generate links flow
Upload flow
Download flow
Cryptography
All cryptographic operations use the browser's built-in SubtleCrypto Web API; the app ships no cryptographic code of its own.
Files are encrypted with AES-GCM under a 256-bit key. That key is derived with ECDH (Elliptic Curve Diffie-Hellman) from the uploader's and the downloader's public/private key pairs: each side combines its own private key with the other side's public key, so both arrive at the same AES key without that key ever being transmitted.
Links
The links are generated in the following format:
https://app.securetransfer.link/upload/{UUID}
https://app.securetransfer.link/download/{UUID}#{BASE64_PRIVATE_KEY}
By placing the base64-encoded private key in the URL fragment (after the #) instead of in a query parameter, we keep it out of the HTTP request: browsers never send the fragment to the server, so it also never appears in server logs or Referer headers. The fragment is still part of the link itself, so anyone who obtains the download link (browser history, a forwarded message) holds the private key; the link must be treated as the secret.
Concerns & Limitations
Because we use the SubtleCrypto Web API, we cannot easily support streaming or chunked encryption: encrypt() and decrypt() take the whole plaintext or ciphertext as a single buffer, so the entire file must fit in memory, which for now caps the file size we can handle.
Optionally storing encryption keys in the browser's local or session storage makes them readable by any script running on our origin, so an XSS vulnerability would expose them.
We could consider adding a key-derivation step by passing the ECDH shared secret through HKDF (which SubtleCrypto supports directly) instead of using the ECDH output as the AES key as-is; this also lets a salt and a context string be bound into the derived key.
Because we use AES-GCM, a single encryption is limited (unless we add some form of chunking) to about 64 GiB of plaintext, the 2^39 - 256 bit maximum the mode allows under one key and nonce.