How We Keep Your Files Safe

When you use MarcoSend, your devices connect using WebRTC - the same technology that powers video calls and real-time communication. WebRTC has many great security features built in, for example, it tries to establish a direct connection between your phone and computer, sending files peer-to-peer without touching our servers.

Sometimes, though, direct connections aren't possible. Your network might have firewalls or NAT configurations that block direct peer-to-peer connections. When that happens, WebRTC uses a TURN relay server as a fallback - essentially a middleman that forwards your data when direct connection fails.

Can the TURN server see your files? Luckily, the designers of WebRTC thought about this too. All data flowing through the WebRTC connection is encrypted with DTLS (Datagram Transport Layer Security). This means whether your files go directly peer-to-peer or through a TURN relay, they're wrapped in a secure, encrypted tunnel from end to end. Even if someone is monitoring the network or running the relay server, they only see encrypted ciphertext - they can't read your files.

Before your devices can start transferring files, they need to set up the connection. This "signaling" happens through our database - your devices exchange connection information like network addresses and encryption parameters.

To prevent unauthorized access, we use a join token. When you scan the QR code, your mobile app receives a single-use token that grants access to join the session. This token:

• Can only be used once - after your device joins, it's immediately invalidated
• Expires after 3 minutes - even if someone sees your QR code, they have a very limited window
• Is stored as a hash in our database - we never store the actual token itself

The join token locks the session down in the database. Only two clients can join (the web client that created the session and the mobile client that scans the QR code). All the signaling metadata - the connection information needed to set up the WebRTC channel - is restricted to these two participants. No other users can read it.

This is where the next layer of security kicks in. The TURN credentials - the keys needed to use the relay server - are encrypted before they're stored in the database. They're encrypted with a session key that only the two devices in your session know.

Even if someone had full read access to the database, they would see encrypted TURN credentials. To use them, they would need to:

• Break into the database and read the encrypted credentials
• Brute force the AES-256-GCM encryption to decrypt them
• Do all of this before any files are even sent (the credentials expire after 1 hour)

Cracking the credentials is computationally infeasible. By the time someone could decrypt them, the session would be long over and the files already transferred.

So even if the database security was somehow bypassed, the TURN credentials remain protected by encryption. Only the two parties who know the session key can decrypt them.

That's a great question. Our solution is that the session key is never transmitted over the internet. It's generated on your device and embedded directly in the QR code. When you scan the QR code with your phone, you're reading it optically. The key never travels through any network connection.

This is called an out-of-band key exchange. The key is communicated through a completely different channel (the QR code you can see) than the one used for file transfer (the internet). Even if someone could intercept all network traffic between your devices, they wouldn't see the session key because it was never there.

To get the session key, an attacker would need physical access to see the QR code - either by looking over your shoulder, taking a photo of your screen, or having access to one of your devices. At that point, they're likely a sophisticated attacker who already has extensive access to your device, and could probably obtain your data through other means anyway.

The session key doesn't just protect the TURN credentials - it also encrypts all your file data. Every chunk of every file is encrypted with AES-256-GCM using this session key before it's sent over the WebRTC data channel.

This means an attacker would need to overcome multiple layers:

If someone has accomplished both of these things, we're dealing with a highly sophisticated attacker who likely already has extensive access to one of your devices anyway. At that point, there are probably easier ways for them to get your data than intercepting a file transfer.