LimeWire (which now has its crypto currency probably) has been on a rampage recently aquiring some of really good tools including ShareDrop and SnapDrop. https://pairdrop.net/ is the last one standing so far.
[1]: https://gist.github.com/SMUsamaShah/fd6e275e44009b72f64d0570...
Unrelated to the wormhole python cli tool and associated file sharing protocol.
Slightly different approach – "P2P first", i.e. both sender and receiver need to be online simultaneously throughout the transfer, but there's a TURN relay, so it should work in almost all network constellations.
...which is freaking awesome torrent software, by the way.
But still, being able to almost immediately stream, even if through VLC, is pretty nice.
Peer-to-peer: https://en.wikipedia.org/wiki/Peer-to-peer
One of many everything-and-the-kitchen-sink features Opera Presto had during its heyday. Others included a separate Bittorrent client, desktop widgets that could be moved outside of the browser window, full IRC client, email client and peerless hotkey actions customization.
By some miracle the browser still managed to be a rather lean binary.
Feels like we had it all internet wise in 2007-2010 and then decided to throw it all away.
I got caught by this as a kid a few times, I was technical enough to know what was going on, and reliant on a screen reader (which Chrome didn't support back then), so it was definitely a memorable annoyance for me, but I guess quite a few people didn't care.
I blogged about it back in the day (15 years ago), https://alicious.com/opera-about-to-change-the-world/.
oh the Presto engine.. shame its not the same opera we used anymore. still has the best ux on phone, unfortunately no other browser come close.
The everything browser made it a difficult experience to understand. Kind of a feature overload in the face of minimalism being practiced by chrome and ie7.
https://file.pizza does this better than most, as the URL consists of real words. But all the words are ingredients in English which comes back to being an issue again.
https://pairdrop.net is my go-to, since it allows creating temporary “rooms” with just five letters, which are easy to share over the phone.
Still, I continue to wait for the holy grail of a P2P service which would allow me to initiate a connection via CLI and get a simple URL to share with someone who could download the file from a web browser, saving me from having to babysit the browser tab. There are services which allow you to upload via CLI and download via web browser, but they host your file so you have to wait for the full upload to finish before sharing the link.
I think it's a 2-out-of-3 trilemma: end-to-end encryption, short codes/URLs, offline/non-interactive workflow: choose two. Or framed differently, if you require proper encryption, then either the code/URL must be long enough to hold the full key, or you must use an interactive (PAKE) protocol which means both agents must be running at the same time (babysitting).
Your last point is an interesting one: we could build a form of magic-wormhole where the sender's CLI waits, the recipient gets a URL, the URL points to a web page which performs the client side of the protocol. The server wouldn't host the file, just the decryption agent. Basically wormhole receive in a browser. That would match many of your goals.
However I'd be hesitant to do this with magic-wormhole because it opens up a vulnerability we don't currently have: the web server hosting that page could silently swap out the JS with a version that retained a copy of the plaintext, perhaps only when the browser is coming from a specific IP. You can't audit a webserver for consistent+correct behavior the way you could with e.g. the contents of a Debian distribution.
That said, the usability gains of the recipient not needing a CLI tool installed might be worth the tradeoff for some folks.
(I'm the author of magic-wormhole)
I don’t care about that most of the time. When I do I’m unlikely to trust some random web service anyway (how do I know the author didn’t turn rogue the day before and decided to send a copy of every file to their own server?).
The service could offer a choice, where picking the short link comes with a big red warning. That could even be hidden under some setting on the page, since it’s the sender who needs to understand the implications.
> the usability gains of the recipient not needing a CLI tool installed might be worth the tradeoff for some folks.
That’s exactly what I’m looking for. Whenever I need one of these services, there is 0% chance the person on the other side would know how (or have the patience) to install a command-line tool.
> I'm the author of magic-wormhole
Thank you for taking the time to expand so thoroughly from experience.
If you trust the server not to MITM you, then you don't need the encryption key in the URL. The URL only needs to be long enough so it cannot be guessed by an attacker, 64 bits should be plenty. Once the peers connect to the common URL, they can generate an arbitrarily large key by performing ECDH through the server. (This is where you assume that the server is not doing MITM.)
Basically type in encoded/crc'd ip address then some code over phone to start session
(none of this requiring someone else's servers/etc)
There are exceptions to this; I've been making copyparty[1], an httpd which lets you start downloading a file that is still being uploaded[2]. If you catch up with the uploader, it'll throttle the speed so the browser doesn't drop the connection. Uploads and downloads can be done through browser and/or cli.
I recall there was at least one other alternative with similar functionality somewhere on the awesome-selfhosted list, but I'm failing to find them right now... It was prominently mentioned in the project's readme, but maybe that's no longer the case.
[1] https://github.com/9001/copyparty
[2] https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-bea...
Great name!
Unfortunately this seems like it’s something I’d need to host myself, and that’s something I specifically don’t want to do. I only need to share on occasion, and always want to do it with the least hassle possible.
But there's been enough last-minute submissions of DJ material by now that I'm still happy it was added as an option :-)
git clone https://github.com/jech/galene-file-transfer
cd galene-file-transfer
go build
./galene-file-transfer -to john https://galene.org:8443/group/public/somethingdifficulttoguess/ file.tar.gz
https://webwormhole.io does this, see the CLI link at the bottom. Just tested it myself with a small file.
i also obviously maintain the instance on https://webwormhole.io/.
At the very least you should update those instructions if you want people to think otherwise.
> THIS PROJECT IS STILL IN EARLY DEVELOPMENT IT USES EXPERIMENTAL CRYPTOGRAPHIC LIBRARIES AND IT HAS NOT HAD ANY KIND OF SECURITY OR CRYPTOGRAPHY REVIEW THIS SOFTWARE MIGHT BE BROKEN AND UNSAFE
Plus, install instructions are outdated. As soon as I tried them, `go` complained of using a deprecated method.
So everything points to it no longer being under development.
That’s not the bit that matters, it’s the “this project is still in early development” and “this software might be broken”. Those are the things which hint at the project not being done.
It uses mDNS for discovery. You can only do one browser though.
I don’t see a path forward on browser/browser that is obvious. It would make it so easy to fingerprint if you could set your mDNS hostname in JS
It could be done with a browser-owned dialog to select peers instead of exposing all local peers to the web by default. Similar to the web MIDI API or others that expose local devices only with explicit user permission for the specific device.
I once did it by copying messages from textarea's back and forth.
and it has people building alt.clients
https://nicotine-plus.org
https://github.com/slskd/slskd
When I discovered that it now uploads stuff to Limewire I was so annoyed that I had to admit I suggested a harmful tool for sharing private data. So much, that I will never recommend a similar website. Either I'll host it my self or suggest an installed tool through F-droid, if it exists.
I mean, it is entirely my fault. I knew the security risk, but set it aside, because I didn't think some known guy developing an open source tool would in his name try to grab your data.
But WebRTC needs a TURN server for when hole punching/STUN doesn't work when both clients are behind NAT.
Data is never stored in an intermediate server, but it can pass through.
How is the privacy and security ensured that the TURN server won't/can't read your data? Do you just have to trust them? Or is a form of E2EE employed?
I'm surprised this isn't even metioned on the page. Or does this not include TURN servers, and so file transfers just fail between certain peers? (Which it doesn't mention either.)
Hard disagree, I've yet to meet anyone in my country that has gotten any WebRTC service to work at all.
A WebRTC clients behind an iptables based MASQUERADE NAT will not work without TURN. Which both incredibly common and weird that people designing WebRTC and STUN/TURN/ICE never stopped by netfilter developers to make iptables work out of box with WebRTC.
So you know it's secure if you are using turns:// protocol and verified the certificate just like it works with https://
- (1) Each client generates a key pair
- (2) The fingerprint of the public key is part of the SDP message each client generates
- (3) The SDP message is somehow exchanged between the clients, out of band, and the session is started. The client's verify the remote peer using the public key from the SDP message.
The problem is that it's not really feasible in most circumstances to exchange the full SDP message out of band, so instead the service provide some mechanism to map a shorter ID (typically in a URL) to a centrally stored copy of the SDP. I think this might be where it happens for filepizza [0].
This means that a malicious file sharing operator, being in control of both the TURN service and the out-of-band signalling mechanism, could just MITM the DTLS connection and snoop on all the data going by. The peer's think they have each others public keys but they just have two keys owned by the server.
[0]: https://github.com/kern/filepizza/blob/main/src/channel.ts
https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/...
Regardless, I'll claim that the real disagreement is more over how common symmetric NAT is: I claim it is very rare, and that the vast majority of NAT isn't symmetric... however, in another thread, the user you are responding to claims that "in [their] country" they've never seen WebRTC work at all. I'd wager that's a pretty local issue, with what probably amounts to a local oligopoly built with similar limitations, but if you live in that world it must be brutal. However, that's not WebRTC's problem: we should implement port mapping in clients and ISPs should, to put it as kindly as feels fair, "fix their shit".
There are entire regions of brazil where all residential internet is CGNAT'ed, making any video calls between those users symmetric NAT.
My understanding is that it's not "required", but most of the CGNAT routers I've encountered do symmetric NAT, and they force-randomize the source port for each new connection, then keep it fixed for one external ip:port for some "session" duration, defeating traditional hole-punching.
When I've tried to build WebRTC P2P stuff I've experienced this making direct P2P WebRTC connections between CGNAT users nearly impossible, always requiring at least one node with a re-usable hole-punched public udp port or a relay server.
and also wow I'm honored to get a reply from a childhood hero of mine. I've been a diehard Cydia fan since 2010!
Speaking of which, how is the IPFS project doing these days?
Ha! I do wonder if I'm the only person who has errors where sometimes an AirDrop attempted transmission, from two devices sitting right next to each other, just hangs indefinitely, even if a transmission between the same two devices a minute ago succeeds. Like all Apple solutions that Just Work, it's great when it Just Works, but, when it doesn't, great effort seems to have been taken to make sure that there's no way to find out why not.
It doesn't have to be a dedicated system where you manage how long you seed, port forward, and other technical requirements: torrents already work well when you just seed while downloading because the server can never get overloaded, pretty much no matter how viral something goes. So long as it keeps serving the tiny torrent file, a few blocks on occasion, and the few packets needed to set up a NAT punch between people (STUN/TURN server? I always forget what's what), people can get the file from each other and you don't have huge bandwidth costs or have the site go down once the included bandwidth is exhausted. There's a reason Facebook and Twitter use(d?) this for distributing server updates¹, and I don't think someone remotes onto every server to visit the pirate bay, which torrent technology has sadly become synonymous to and people don't realise it is a transfer protocol just like FTP, HTTP, and other TPs that I'm forgetting
> some public standard that gets implemented on all platforms
What this is based on doesn't matter. It can be http, it can also be torrents. It's not very useful if you're sending files from and to one person almost every time (perhaps at the end of a holiday with friends, more than one person would want everyone's photos, but still), I'm just objecting to torrents being misunderstood as the only thing most people used it for: downloading copyrighted material in dedicated (and often unwieldy) software :)
¹ https://torrentfreak.com/facebook-uses-bittorrent-and-they-l... Article also mentions that a university cut 20 of the 22 update-distributing servers, I didn't know of that example
“Buy your mom an iPhone” and how Apple buried beeper mini into nonexistence was a nice example.
During the brief period that open Airdrop / bluetooth file transfer was a thing, there was a short fad of spamming porn to nearby people on public transport. So that was the end of that.
My recollection is that the end of that was Apple's worry about the protests in China, not any concern about spam on public transit. (The first Google hit: https://restofworld.org/2022/apple-airdrop-china-memes/.)
Or the simple fix of just not having this P2P transfer option always enabled. It should be off until you toggle it on because you and someone you are with want to transfer a file.
I think it'd be great if Apple supported this, even if it meant an Apple AirDrop app for Android. Especially if it meant an Apple AirDrop app for Android.
libtorrent supports something called 'SSL' torrents that require both peers to be signed by the same root.
All the pieces are there to build on top of.
Modern American SUVs are an abomination too. The American auto industry started pushing them because they're legally classified as "light trucks" which lets them take advantage of certain safety and environmental standard loopholes
The problem with bittorrent is ports, just like ipfs. I have to tell somebody to open a port to the outside who may never use bittorrent again.
Opening ports can be obnoxiously hard for someone who doesn't know anything, even if it sometimes just means finding the UPnP checkbox; 90% of the time it involves trying to figure out how to access the UI for their router, and after that trying to figure out what their password could possibly be or how to reset it.
Now, they've got a port sitting open for a piece of software they might never use again, and that's not something I want to be responsible for.
People who often share files should be setting up standing private networks. Group chats/texts can last for years, they should be packaged with an entire range of services that the members can easily provide for themselves (like file sharing and voice/video messaging.) So many companies make their money from centralizing and siloing this.
Biggest mistake ever was not to grow it organically/incrementally while maintaining backwards compatibility!
Recently I had to send file from Whatsapp to Telegram, because apparently it is forbidden to download file from the Whatsapp and it's a "feature". Facepalm....
PS: afaik IPFS doesn't guarantee file storage, a separate paid middleman is required for that.
Most other solutions don't allow pairing of devices across networks.
TFA's "file.pizza" only allows to initiate a session on the device that uploads a file, which makes it tricky to share a file from a mobile device to a laptop (due to tricky QR code scanning with the laptop camera).
PairDrop allows cross network pairing (mobile device can scan QR code from laptop screen), and file uploading from both sides afterwards.
Was just looking for such comment because I knew about wormhole.app is not on top of wormhole protocol itself.
Thanks for your comment , may it help other people.
The reason I like it more is that most torrent clients can run in the background by default so it's not dependant on keeping a browser tab opened
It made it to the frontpage not so long ago but it'd be a pity if you had missed it
It just did nothing.
Then I remembered I have Syncthing running on the machines I was trying to transfer between, so I used that.
In my version, the entrypoint is not uploading your file (where would it go??) but establishing the connection between two devices, then bidirectional transfers between them.
This was my half day covid project to share file... inspired by firefoxsend a while back...
the infra is super lightweight and you can deploy yourself with aws account, it costed me nothing to run and quite useful when needed :)
Also no 3rd party JS, no tracking etc..
I sit behind a keyboard, mouse, monitor, and an incredibly powerful desktop operating system for 99% of the working day. These devices are pretty much the pinnacle of human-computer interaction; arguably the best tools we have for interacting with digital content with speed and efficiency.
But as soon as I want to do something involving my phone, I have to physically reach for it and immediately hamper myself with its limited UI, screen size, and ludicrously locked-down ecosystem limitations.
Smartphones have been around for decades and yet we're still nowhere close to seamless integration with the rest of our devices. The best we've got are clunky half-featured workarounds (Airdroid) or overly-complex techy solutions inaccessible to laypeople (VNC).
As another commenter said, it's all very much intentional. It's a deliberate choice on behalf of greedy phone manufacturers and greedy app developers. And it's really, really frustrating.
Similar issues with Smart Connect from Motorola.
An entirely local solution like KDE Connect is better, if your situation permits it. Unfortunately it has been quite unreliable for me (and I have tried many devices) but it seems to work just fine for others!
Imagine being able to just send a file from an Android phone to an iPhone without a centralized service and an Internet connection (i.e. like we could in the time of feature phones and early smartphones via Bluetooth)...
Please think of the shareholders and the lawful interceptors before you suggest something as subversive!
And would you say that this is comparable in terms of complexity with e.g. Airdrop or selecting "send via Bluetooth" and picking the recipient's device name?
Until last year, your web browser will usually download files. These days, you have to start an HTTP server. Which is actually easier, because FTP is a messy protocol.
> how do you create a network between the two
WiFi Direct has been built into phones for at least a decade.
> And would you say that this is comparable in terms of complexity with e.g. Airdrop or selecting "send via Bluetooth" and picking the recipient's device name?
On the sender side, the "send via" option can appear in the standard sharing app list. On the recipient's side, you may need to scan a QR code to finish the WiFi Direct connection. Starting the download should be as easy as having the sending app pretend to be a WiFi login portal so the phone automatically pops up the web page.
But if you're just sending files offline, there's always Nearby Share or plain old Bluetooth if the files are small enough.
Can, but does it? Defaults matter. And how would the receiver be notified that they should download some file via FTP?
As long as such a feature does not come preinstalled on smartphones, I'll continue considering this lack of previously commonplace functionality an intentional vendor lock-in.
But that presumes phones don't have a method to share files. They have that feature built in. It's called Nearby Share on Android and AirDrop on iOS. Both use some weird pairing mechanism and some form of Wi-Fi Direct to transfer files, but the interface is just a bit more integrated.
When Apple opens up Airdrop or when Google convinces Apple to pre-install Nearby Share, we'll get the universal file transfer we desperately need.
Nobody cares what we do, we know how to use our computers well, and will force them to do what we want them to do in ingenious ways, and we will share those ways with each other. The problem comes when one of us puts that solution into a user-friendly mobile package that can be installed and run with your elbow, and then somebody makes a tiktok about it.
That app is getting nuked. Maybe even the internal API that enabled that app is getting nuked. If it's a standard protocol, it's getting extended and extinguished. The people who made it and the people who host it are getting legal letters.
The fact that Google and Apple could quickly agree on a standard for both cross-platform Covid contact tracing and "stalker warnings" for "Find My" trackers, but not for cross-platform encrypted text messaging or an interoperable AirDrop extension, shows that it's purely a problem of incentives.
FTP? You can open an app on your phone, start an FTP server, use UPnP to poke a hole in the router, show their public IP address, send a text message to your friend with the IP, port, username & password in a single URL, connect, send/receive files.
I also meant things regular people can easily use and that can be used as conveniently as e.g. Apple's AirDrop (which is nice but only works between Apple stuff).
It's part a UI/UX problem and part a missing standards problem. The latter precedes the former.
There are plenty of other tools out there that can send files between devices. Google+Samsung's Nearby Share work pretty much everywhere. KDE Connect works on any device I can think of. I wish Google+Samsung would make it an open standard but I'm guessing they won't do it so they can rewrite the app whenever they please.
The biggest, and IMO only, problem for AirDrop competitors is that they're not pre-installed on iPhones and iPads while AirDrop is. AirDrop is nothing special in itself, though Apple did implement it in a rather weird way. All you need to mimic it is Bluetooth (BLE if you're fancy) for handshakes and WiFi Direct for transfers.
Does obsolete mean deprecated or removed?
It used LiveConnect[0] to talk to the UI-less java applet[1] hosting the web server. It was a weird (and therefore kind of fun!) combination.
Too bad I’ve not yet seen it working without hiccups.
I’m currently testing keet, which is in beta but promising as well. https://keet.io/
Holepunch is about open source tech for P2P apps without servers.
That's great.
My question for you is about the security of the data being transferred. You're using TLS according to your docs and this app transfers directly peer to peer. Is this secure FTP using TLS?
You have two tiers for users - Community and Business. Community is free and donations encouraged. Speeds may be slower to prioritize paying customers and support is more crowd-sourced. Business gets fastest speeds and direct support.
I am not a subscription buyer by choice. I would like to help make this profitable for you. Would you consider offering a paid version for personal use that would give faster speeds, security updates, and bug fixes at a price point between Free and Business? $300/year is way too much for something that would be used as a personal tool to quickly and securely send documents and photos to family members.
I realize that the donation model could function like a one-time payment model since you are likely using it intermittently and sending a small donation for each use so that your annual costs are minimized. In that case you always use the most current version. You "own" that version during the period that you use it and you pay a reasonable donation for use of it.
I also don't see the need to establish an account if this is a p2p service since the data transfers should walk from my device to the destination device. Fill me in on why I need an account.
I would pay for a license to use this with the expectation that the license would provide the current version of the app plus all bug fixes and security fixes for that paid version and that upgrades taking the app to the next full version would be discounted to existing users. I could be a long-term customer.
As an example, I use an antique, unsupported version of SnagIt on my machines. I purchased the license years ago, upgraded through a couple of versions until they got to a point where they dicked up the interface and changed the tool availability and so I ditched the newer version and have continued using the old version which work great. I still get the nag screens to update to the new version but the click to close that dialog is now muscle memory for me.
I appreciate the functionality that this app, blip, provides and would like to be a paying customer and use the app but I'm not interested in a subscription model.
EDIT: I forgot to note a slight error in one of your replies to a FAQ.
Under the "Blip vs Aspera" comparison in the FAQ "Why is Blip easy to use?" there is a fat-finger spelling error.
The sentence reads:
> We want you to set up any use it by yourself!
I believe that it should read:
We want you to set up and use it by yourself!
We set Blip to use email addresses because we wanted to make it convenient for people who are less tech savvy and for business customers who need to quickly find and know who they’re sending files to. If you sign in on another device, all your other devices and recent people are just a click away—so you don’t need to set up or sync that list by yourself.
Blip is a local-first app in the sense that it works with files on your devices, but the interactions are server-driven, letting you negotiate transfers with your devices and other people, no matter where they are. When transferring files, we try to connect devices directly over IP, but when that’s not possible (and it often is not) we relay files over our servers. We use TLS 1.3 to encrypt files in transit. When devices are connected directly, we use mTLS for an even higher level of security. We plan on adding full E2EE in the future.
We care a lot about speed! We don’t throttle transfer speeds when devices are connected directly. Sending files on home Wi-Fi should be as fast as possible, as long as devices can ping each other. Reduced speeds only apply when using our relay network. If demand is high, business customers get priority to ensure their work is delivered on time.
Our business model is still very much evolving. Our main goal was to structure it in a way where people who benefit from Blip commercially should be supporting it the most. We considered a licensing model, but Blip relies on infrastructure maintenance and continuous development, so we need everyone on the latest and most secure version. We decided to make a clear distinction between community and business users, because we learned there’s more demand for speed at work. Of course, if community users start experiencing slow speeds (in practice, this hasn’t been the case), we’d love too bring this to personal users to. One way is for one-time donations to provide high-speed data boosts. Since personal users don’t require extra support and business features, pricing can be more affordable.
All that said, it’s so good to know that speed matters! Our goal has always been to make Blip the fastest way to send files.
Thanks again for the feedback, and for the heads-up on the typo—already fixed! :)
I have a couple of Win7 workstations that could use something like this.
That said, feel free to give it a try on newer devices. If you need any help, just shoot us an email.
> Transfers are now directly from the uploader to the downloader's browser (WebRTC without WebTorrent) with faster handshakes.
Maybe I'm wrong, but there is a signaling server in the middle somewhere along the chain here no ? unless it's just the same as PeerJS in which you first need the clients ID, but connection can be flaky.
From the source I can see it's using PeerJS but react is throwing me off a little bit. It's not clear to me what `useContext(WebRTCContext)` is..
It was later sold to another company, which scrapped the P2P part and repurposed it for regular cloud sharing. :(
The downloader connects, status becomes Ready, then nothing happens.
Tried on both Firefox and Chromium.
in my time, we used to know each other's IP addresses and just used netcat
This method eliminated potentially adversarial middlemen in transit who might, if you chose to pass it through multiple players (servers if you will) - read it in transit though the message was not intended for them, and then use the contents against you later.
It had the disadvantage that one needed to insure that the sender and recipient were in sync in case the aim was off and the message bounced to an unintended recipient.
I once had the misfortune of sending a tightly folded, secure message that was part of a war game being played during English class, and having that poorly aimed message hit the largest mass of muscle in the class right squarely in the ear because the recipient was busy gloating over the success of their previous move and wasn't able to secure the reply in transit.
We all heard the light snapping sound of the rubber band followed by an uncharacteristically loud profanity from the unintended recipient, my own barely stifled gasp of horror, lots of giggles and laughter from the audience, and as they turned - the beginning of the next round of the Inquisition by the adversarial instructor who mistakenly thought we were all watching the English lesson on the board in real time instead of conducting paper war games in the background.
Fun times.
Sneakernet!
homepage is an upload interface..
Horrible name dude
(Cheese) Pizza is slang for CSAM.
https://www.urbandictionary.com/define.php?term=Cheese%20piz...
Hopefully this isn't a "they knew what they were doing" situation
I wish I was joking.