Originally published at: Eight Secure Ways to Share Sensitive Information over the Internet - TidBITS
Sometimes, you need to share private information—a password, financial details, a confidential document—over the Internet. Adam Engst looks at eight popular methods of transmitting your secrets securely to others.
1Password can be used to store documents too. Many times, if I cannot use iMessage because the recipient doesn’t have an iPhone, I’ll send put the document into 1Password and share it that way.
You’ll be asked if you want to share it with anyone with the link, or only certain people. Select Certain people and enter their email addresses. Then share the link with them not via email. That email address is the out-of-bounds verification system.
some caution is required with iMessage:
since many of us use the (default?) config of allowing it, if there’s a problem sending via iMessage, to to silently fall back to SMS - thus becoming plaintext. sure; there’s the green color - only after it’s too late.
Thanks for the article, Adam.
What you addressed in the article is extremely important.
I recently had a situation where I explicitly said to someone, “No documents sent via e-mail !”, and still that request/requirement was ignored by the person, who was thinking, “Oh, we do it all the time. It’s no big deal.” But it is a big deal.
I sort of knew this, but it feels odd for a document that you wouldn’t want to keep. Or is there something I’m missing about how you’d use it?
A reader just recommended Wormhole as a service for sharing encrypted documents with time-expiring links. Worth a look, if only for the whizzy graphics!
You can always delete the document after sending it. However, I know very well that there’s a 80% chance that person will ask me to share it again. This is especially true since you can make links time or usage expire.
The great thing about sharing documents with 1Password is that you already have 1Password. You don’t need to look for another service to do a one time send. Neither of you need a new account for some service just for the share. They have a text account and email, you can securely share the documents.
It’s like the saying the best camera is the one you have on you when you need to take the picture.
I wish Apple made secure doc exchange simple through iCloud. Imagine if you could right-click any doc/folder on your Mac and the select from the Share menu something like “Secure Transfer”. That would then let you specify an email address (or several) and a password (obviously suggesting strong passwords right there à la Keychain Access), plus options for expiration, number of views, etc.
This would allow for “the rest of us” to get super simple E2E encrypted transfer with iCloud used for storage/authentication. The recipient(s) gets an email with an iCloud link for download (recipient doesn’t have to have an iCloud account). That webpage then prompts for the password the sender initially chose. Done. Users on the Mac get to change options either in a file/folder’s Get Info window or globally in an iCloud Setting. Done. Make it an iCloud+ feature if necessary. But seems like a no-brainer to me these days.
One non-technical reason Apple hasn’t done this could be that Apple, with its status of an incredibly cash-rich, global company, is a class action suit magnet and does not want to be in a position of guaranteeing the confidentiality of sensitive documents transferred by users.
Is this server-to-server or does it included app-to-server (and server-to-app)? I had assumed that an iCloud mail account using Apple Mail was encrypted from the Mac to the first step in its journey. In particular, I’m wondering about sending (or receiving) email in a hotel using the hotel’s Wi-Fi. Could you devote two or three sentences to this issue? What about other email accounts using Apple Mail? Thanks.
It’s possible for there to be in-transit encryption for email, but it varies by email provider. My guess is that iCloud does provide it based on this chart.
That said, I see a compromised account as the most likely security problem, not someone eavesdropping on traffic in transit. If an attacker takes over the email account of someone to whom you’ve sent confidential information, that information is just a search away from being revealed. And the recipient’s password practices are completely out of your control.
“How secure” is a non-trivial question, related to how sensitive/secret/top secret/eyes-only/incriminating/embarrassing the information is, and who you are and the recipient is. The only absolutely secure secret is one you share with nobody, ever. Most of us are pretty pedestrian people with pretty pedestrian needs (unlike, say, the military and government, or drug dealers). We might want to encrypt something once in a while, but we’re not likely to be monitored by anyone, so all the ways mentioned here probably suffice. But if you’re still worried, snail mail is probably your safest bet.
In a sense, you can do that with iMessage if both sides have iCloud accounts.
The problem maybe that iCloud storage is normally encrypted end-to-end. However, when you share the document, the document is stored unencrypted since more than one account must be able to access the file.
The idea I laid out would allow sharing with anybody, no iCloud or iMessage required. It would be so to say an extra perk for those who have iCloud, in that it gives them a one-click simple way to share a file/folder with anybody in an E2E encrypted manner. All the recipient would need is to receive an email, and a browser for downloading the file/folder. All the sender would need is to buy a Mac (and sign up for iCloud).
It’s worth noting that BitWarden also provides self-destructing, expiring, count-limited encrypted file transfer. I have the Pro version for $10/year (a sweet deal); not sure whether the free version has the capability or not.
I don’t know the level of security but, my lawyer recently had me use Verifyle to send a document to her.
It is a nice web experience on Mac and Safari.
I don’t know if it is free to use or if she pays for it though.
I’ve also shared documents via iCloud and sending the folder link to a person that had the document. But it was a PITA to figure out. My memory is that it used to be easier. Apple complicated it.
Looks like Verifyle is free for basic use.
Yes, this is my preferred way too. You can also use the ‘Notes’ item type to share more freeform formatted info securely. I wrote about this in the original thread:
Whenever I share an item like this, I give it a
shared tag in 1Password so I can easily review previously shared items and delete any that don’t need to be there anymore.
On an iPhone, you click on the Share icon, and select iMessage. Change Send Copy to Collaborate, then select Can Edit and change it to View Only.
I find it easier to create a shared folder and then put in all documents I want to share in there. The next time I have to share something with that person, I can just put the new document in there, and they have it. I’ve done this with my family members and attorney.
The problem is that these documents aren’t end to end encrypted. In theory, someone at Apple can read them.