Send Files Securely was built utilizing the latest security practices and standards to provide a secure way in which files can be sent over the Internet without the need of the sender or receiver to install or configure any software. This page will briefly describe some of these specific security details.
Encryption and Hashing
As stated throughout the site, every file is encrypted using AES encryption with a 256-bit key. Keys are never stored. User-submitted file passwords are never stored. If a password is provided with an uploaded file, then nobody can view your encrypted file since the password is required to generate the key which encrypts/decrypts the file. Since passwords are optional, if no password is provided upon upload, then the Send Files Securely system will use its own random password to create the key. Although a file uploaded without a password is still encrypted using the same strength of encryption, the most secure option is for users to provide their own secure password from which the key will be created.
The key used for file encryption is created by using the PBKDF2 function which takes the password and a unique salt value and iterates through its processing at least 20,000 times to produce the derived key. Unique salts are generated for each file using a cryptographically secure random number generator.
Send Files Securely Pro users access their accounts with a username and password. Account passwords are hashed using the PBKDF2 function. This function was chosen over other hashing methods (such as SHA256) since it is more resistant to brute-force attacks.
SSL/TLS is used to encrypt data transmitted between user’s browsers and the application server. All pages force the use of HTTPS.
Randomness
Send Files Securely uses random numbers throughout its application. All random numbers are created using a cryptographically secure random number generator.
SQL Injection Prevention
Injection attacks are considered one of the greatest application security risks. Send Files Securely uses secure coding practices to prevent SQL Injection which includes the use of parameterized queries as well as other validation techniques.
Cross-site Scripting (XSS) Prevention
XSS poses various security risks for websites. Send Files Securely uses secure coding practices to prevent XSS which includes proper encoding techniques.
Other OWASP Top 10 Risks
In addition to SQL Injection and XSS, Send Files Securely addresses many other potential security risks as identified by the OWASP Top 10. By implementing secure coding practices, the application effectively guards against many types of vulnerabilities.
Updates and Patching
Send Files Securely applies software updates and patches as soon as they are available in order to safeguard against known security threats.