How secure is Thunderbird Filelink really?

  • 2 replies
  • Last reply by glocal

Thunderbird Filelink uses end-to-end encryption and files are only encrypted/decrypted locally but unless the code running on your system is reviewed and validated you don't really know what it does. I would think that every time recipients click on the link and use the web interface to download a file, their browser is sent a script that does the decoding. Similarly, if you use the web interface of a Send instance to send a file, your browser is sent a script for encoding.

If the above is correct, how do we know these scripts are always the open source scripts that have been independently validated? Isn't it conceivable that a Send instance may send you a customized script for encryption/decryption that compromises encryption? This could be done with selected targets to avoid attracting attention too.

All Replies (2)

What leads you to believe that Thunderbird encrypts attachments sent by Filelink?

https://support.mozilla.org/en-US/kb/filelink-large-attachment

Rick said

What leads you to believe that Thunderbird encrypts attachments sent by Filelink? https://support.mozilla.org/en-US/kb/filelink-large-attachment Can the storage service view my attachments? Unless you encrypt the file before uploading, the storage services will be able to view the file, as will anyone who obtains the link to the attachment. Users must decide on their own which service provider they trust with that responsibility. Service providers will generally explain your privacy rights in their terms of service.

I think this has moved here. Thanks.

The kb article says that but most people won't read it. Instead, being able to click 'Add Thunderbird Send' to add the specific Filelink add-on and Thunderbird Pro including it as standard implies endorsement. The provider emphasises the end-to-end encryption and local processing which presumably the add-on does, but to be fair they don't say the method includes zero-knowledge or privacy by design.

More to the point, my question was really about whether I was right thinking that this method can't be validated as zero-knowledge as long as a party uses a web interface. Even if the sending add-on is inspected, Thunderbird Send and similar services serving a decryption script every time can trivially run arbitrary code on the recipient's machine, e.g. to share a decrypted copy of a file with a third party. In effect, you have to trust the random maintainer of a Send instance in the same way you are asked to trust Microsoft, Google, Dropbox etc. My question is whether I am getting this right. If I am, perhaps Thunderbird should make this prominently clear.
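
A sketch of the check the question implies, added here as an example and not part of the thread or of any Send code: given the page and script bodies received in one page load, compare each script against digests pinned from a build of the reviewed source. The path `/app.js`, the script bodies and all function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(data: bytes) -> str:
    """SRI-style digest: 'sha384-' + base64(SHA-384 of the body)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

class ScriptCollector(HTMLParser):
    """Records external script URLs and counts inline script blocks."""
    def __init__(self):
        super().__init__()
        self.external, self.inline_blocks = [], 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_blocks += 1

def audit(html: str, served: dict, pinned: dict) -> list:
    """Check one page load against digests taken from a reviewed build.
    served: {url: body bytes as received}; pinned: {url: expected digest}."""
    page = ScriptCollector()
    page.feed(html)
    findings = []
    for url in page.external:
        if url not in pinned:
            findings.append(("unpinned-script", url))
        elif sri(served.get(url, b"")) != pinned[url]:
            findings.append(("digest-mismatch", url))
    if page.inline_blocks:  # inline code is outside the reviewed files
        findings.append(("inline-script", page.inline_blocks))
    return findings

def demo() -> list:
    # Constructed sample data: path and script bodies are made up.
    reviewed = b"function decrypt(key, blob) { /* reviewed build */ }"
    served_body = reviewed + b"\n/* extra line not in the reviewed build */"
    pinned = {"/app.js": sri(reviewed)}
    html = '<html><script src="/app.js"></script><script>init()</script></html>'
    return audit(html, {"/app.js": served_body}, pinned)

if __name__ == "__main__":
    print(demo())
```

The result only describes the responses passed in; it does not show what the instance serves on another request or to another client.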
