End-to-end Encryption

TransferXL

As you may know, the security and confidentiality of data is an important topic these days. TransferXL takes advantage of a feature of the zip format to encrypt the contents of the actual files as they are transferred.

Client-side Encryption

Rather than doing any form of server-side encryption, TransferXL provides encryption from within your browser. This means that the contents of the files that you are transferring are already encrypted before they are sent onto the Internet as part of the upload step.

This means that not only the download step but also the upload step is secure. This is in contrast to encryption by a server running in the cloud. In that case the upload step is (necessarily) unencrypted, and the password used for the encryption also needs to be passed back and forth between the client and the server.

Note that the data is still uploaded and downloaded via HTTPS which adds another layer of security.
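
The client-side step described above, sketched as an added example that is not TransferXL's own code. The page does not give the zip encryption parameters, so the browser's Web Crypto API (PBKDF2 and AES-GCM) stands in for them; the function names, the iteration count, the password format and the sample bytes are assumptions.

```javascript
// Added example: password-based encryption in the browser before upload.
// Web Crypto (PBKDF2 + AES-GCM) stands in for the zip-format encryption.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node only
const enc = new TextEncoder();

// Assumed format: 15 random bytes -> 20 base64 characters (120 bits of entropy).
function suggestPassword() {
  const bytes = wc.getRandomValues(new Uint8Array(15));
  return btoa(String.fromCharCode(...bytes));
}

// Stretch the password into an AES-256 key; the salt is public and random per transfer.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns salt || iv || ciphertext: the only bytes that would be uploaded.
async function encryptForUpload(password, fileBytes) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, fileBytes));
  const out = new Uint8Array(28 + ct.length);
  out.set(salt, 0); out.set(iv, 16); out.set(ct, 28);
  return out;
}

// Runs on the downloader's side; rejects if the password is wrong or the data was altered.
async function decryptDownload(password, blob) {
  const key = await deriveKey(password, blob.slice(0, 16));
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: blob.slice(16, 28) }, key, blob.slice(28));
  return new Uint8Array(pt);
}

// Constructed sample "file"; nothing here touches the network.
async function demo() {
  const file = enc.encode('passport scan (constructed sample bytes)');
  const password = suggestPassword();
  const uploaded = await encryptForUpload(password, file);
  const roundTrip = new TextDecoder().decode(await decryptDownload(password, uploaded));
  const wrong = await decryptDownload('not-the-password', uploaded).then(() => 'opened', () => 'rejected');
  return { passwordLength: password.length, uploadedLength: uploaded.length, roundTrip, wrong };
}
```

Only the output of `encryptForUpload` would cross the network; the password exists solely in the page's memory, which is why a forgotten password cannot be recovered by the server.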

Why would you use it?

There are many use cases, but here are a few examples:

  • scan of passport, driver’s license, etc. (did you know that if this information falls into the wrong hands you can get into a lot of trouble, and may even have to prove that you did not do something?)
  • financial information
  • medical information
  • legal information

How does it work?

If you go to the Encryption option you can enable encryption. By default TransferXL suggests a strong password for you (e.g. ‘8Un3a0ZK+KSUcaCjL5dK’) that you can easily copy to the clipboard. Alternatively you can provide your own password (just click on the ‘x’ or close icon in order to do so). Press the ‘Encrypt Transfer’ button to activate the encryption.

Note that you see a green Lock icon along with the text Encrypted to make you aware that you will be doing an encrypted transfer after closing the options dialog.

After you have added the files the normal way your transfer will be done in an encrypted manner.

Sending of the password

In order for the downloader(s) to decrypt the transfer they will need the password, so you have to get the password to them.

It is bad practice to include your password in the message field. If somebody were monitoring the email of the recipient, they would receive the download link as well as the password in a single email! This obviously defeats the purpose of the encryption. (Sending the password in a second email is also bad practice, since the attacker would have access to that as well.)

Instead you should send the password via some means other than email. Here are some suggested methods:

  • SMS or Text message
  • Instant messaging such as Skype or Slack (simply copy and paste)
  • Cloud storage such as Dropbox or Box (simply store in a text file)

Help! I have forgotten my password, can you assist?

We are sorry to say that we cannot help you. The password used for encryption never leaves your browser so our web servers never get to know your password.

What we can suggest is that you do the transfer again while generating a new password.

Supported unzippers for downloading

Unfortunately not all unzippers support the encryption feature of the zip format. Here is a list of recommended unzippers:

Conclusion and Benefits

Using client-side encryption is a good method to secure your transfers and protect them against loss of confidential information. It provides the following benefits:

  • Password used for encryption never leaves your device
  • It is inherently safe
  • It is faster too since there is no separate encryption step

Lastly, note that you are no longer able to manage the transfer (other than deleting it completely) and that downloaders can no longer view the contents (list of files) of the transfer. Rather, they always need to download it completely and can only view its contents after they have typed in the correct password for decryption.