Initially posted to Reddit 8 months ago: https://old.reddit.com/r/privacy/comments/cplfri/firefox_send_uses_googles_servers/

Firefox Send uploads files to prod.send.prod.cloudops.mozgcp.net, which resolves to 35.186.224.242, whose primary domain is 242.224.186.35.bc.googleusercontent.com (the “gcp” in Mozilla’s domain is also a dead giveaway since it stands for Google Cloud Platform). So Firefox Send is hosted on Google’s cloud servers.

My question is: why? Many people who use Firefox’s products have some degree of distrust toward Google, and just by using their servers, serious doubt is cast on the promise that expired files are truly permanently deleted. Maybe it’s deleted in Mozilla’s application, maybe it really is deleted from the hardware, but nothing is stopping Google from keeping backups because it’s their physical server, and we have no way of proving that it isn’t happening. This also makes me wonder if Firefox Sync and their password manager are also hosted on Google.

Even if the data is encrypted, depending on how long it’s kept and what kind of encryption it’s using (namely if it’s asymmetric or weak symmetric), it may be vulnerable to being broken by quantum computing, which Google has a vested interest in [apparently Firefox Send uses AES-128 which is in theory vulnerable to quantum computing but at the moment is probably unfeasible even with a general purpose quantum computer], or more simply, if there are any flaws in Mozilla’s crypto implementation or their keys leak, it can be decrypted that way.

I just wanted to bring attention to that, and also ask why Mozilla has decided to go this route instead of using physical colocated servers or even using a cloud provider that isn’t a known enemy of privacy like Google or Amazon. Startpage uses physical servers [Note: I initially wrote this before Startpage was acquired by System1 and therefore became a lot more untrustworthy.], and I assume they are on a much tighter budget than Mozilla.
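
The hosting check described in the first paragraph (resolve the hostname, read the reverse-DNS name, match it to a provider), as an added Python example that is not part of the original post. The function names, the Amazon suffix entry and the offline lookup tables are assumptions made for this example; the hostname, IP and PTR name are the ones quoted in the post.

```python
import ipaddress
import socket

# PTR suffix -> operator. The Google suffix is the one quoted in the post;
# the Amazon entry is an illustrative assumption added for this example.
PTR_SUFFIXES = {
    ".bc.googleusercontent.com": "Google Cloud",
    ".amazonaws.com": "Amazon Web Services",
}

def provider_from_ptr(ptr):
    """Map a reverse-DNS name to a hosting provider, or None if unknown."""
    name = ptr.rstrip(".").lower()
    return next((p for s, p in PTR_SUFFIXES.items() if name.endswith(s)), None)

def ptr_embeds_ip(ptr, ip):
    """True if the PTR's first four labels are the IPv4 octets reversed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ptr.split(".")[:4] == octets[::-1]

def _live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def attribute(hostname, resolve=socket.gethostbyname, reverse=_live_reverse):
    """Resolve hostname, read its PTR, and forward-confirm the PTR name."""
    ip = resolve(hostname)
    result = {"ip": ip, "ptr": None, "provider": None,
              "embeds_ip": False, "forward_confirmed": False}
    try:
        ptr = reverse(ip)
    except OSError:          # no PTR record published for this address
        return result
    result.update(ptr=ptr, provider=provider_from_ptr(ptr),
                  embeds_ip=ptr_embeds_ip(ptr, ip))
    try:
        # A PTR is set by whoever controls the IP block; only trust it if
        # the name resolves back to the same address.
        result["forward_confirmed"] = resolve(ptr) == ip
    except OSError:
        pass
    return result

if __name__ == "__main__":
    # Constructed lookup tables holding the values quoted in the post,
    # so the example runs offline; drop both arguments to query live DNS.
    fwd = {"prod.send.prod.cloudops.mozgcp.net": "35.186.224.242",
           "242.224.186.35.bc.googleusercontent.com": "35.186.224.242"}
    rev = {"35.186.224.242": "242.224.186.35.bc.googleusercontent.com"}
    print(attribute("prod.send.prod.cloudops.mozgcp.net",
                    resolve=fwd.__getitem__, reverse=rev.__getitem__))
```

The result names whoever operates the address the client connects to; what sits behind that address is not visible from DNS.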