Show HN: Peer-to-peer secure file transfer using WebRTC (opens in new tab)

(bitf.ly)

239 pointsnlightcho10y ago64 comments

64 comments

40 comments · 14 top-level

helb10y ago· 7 in thread

Similar project: FilePizza – https://file.pizza/

github: https://github.com/kern/filepizza show hn: https://news.ycombinator.com/item?id=9535332

gfody10y ago

http://xkcd949.com/

digi_owl10y ago

Reminds me that i ran into a blog after the referenced comic was publish, that mused about how the trouble of easily sending files between PC online was a conspiracy between the ISPs and the *AAs.

degenerate10y ago

The URL references the ID number of this comic: http://xkcd.com/949/

vacri10y ago

    cat $FILE | nc -l -p 80

1 more reply

bobajeff10y ago

Does anyone know how FilePizza and Bitfly compares to WebTorrent?

eldod10y ago

WebTorrent actually implements the bittorrent protocol, and can be used as a nodejs bittorent client. It extends the bittorent protocol to do p2p sharing inside the browser (but you only can connect to other people using the webtorrent nodejs app or in-browser app, and not all the bittorent network)

FilePizza and Bitfly are much simpler implementations, doing 1-to-1 file transfers in the browser using the basic WebRTC Datachannel API.

Looks like FilePizza is now using WebTorrent too now, as it's mentionned in their FAQ:

"Where are my files sent? Your files never touch our server. Instead, they are sent directly from the uploader's browser to the downloader's browser using WebTorrent and WebRTC. This requires that the uploader leave their browser window open until the transfer is complete."

https://github.com/kern/filepizza

agumonkey10y ago

Happy to see that it works with CyanogenMod Chrome Beta on an old HP TouchPad.

ps: although it says the HTTPS connection is not safe.. weird. pps: lazy me would love a multiple file options ..

CiPHPerCoder10y ago· 4 in thread

From the HN title: "secure"

I have a question: Secure against what thread model?

The FAQ has an entry for "How do I know you're not sending all my data to the NSA?" but that's the wrong question to ask (i.e. Even if you're not behaving maliciously, that doesn't mean our data is safe against highly sophisticated threats).

It would really be great if you could demonstrate what makes this more secure than alternative solutions.

That said, this is kind of neat.

zanny10y ago

Webrtc itself requires perfect forward secrecy. While you cannot do authentication with it - you need to provide that yourself - you can be certain besides yourself and whomever your signaling server told you is your peer are the only two able to decrypt the packets going between you two.

lqdc1310y ago

Doesn't the server know the token id? I didn't inspect the requests, but it's possible to send the token to the server.

Therefore, can't they download the sample just like the connected client?

nlightchoOP10y ago

Thank you for the feedback! I will change the wording of that FAQ question (+ answer) and make it more detailed.

I'm not sure about how I should go about demonstrating what makes this model more secure, except making it more obvious that it doesn't involve storing your data on servers not under your control which is the case with solutions like email and skype.

Rhapso10y ago

A big problem is that webRTC is highly MITM-able. You have to exchange initial connections using a server. So no party has any way of knowing if you are MITM attacking.

You might be able to do something diffie-helman shaped at the javascript level (hard to ensure it actually works) to show a fingerprint of the shared secret that could be confirmed via outside channels.

But all-in-all this does not offer ANY security over a server because there is no way to show it is not just being stored on a server.

4 more replies

shmerl10y ago· 4 in thread

Sorry for off-topic, does anyone know why Google phone calling (Voice / Hangouts) still doesn't work with WebRTC and requires native plugin? And are there any other services for making phone calls which actually work with WebRTC?

TD-Linux10y ago

They use nonstandard APIs, and send data over the network in a way incompatible with WebRTC. This post is a bit old at this point but afaik the situation hasn't changed: https://webrtchacks.com/hangout-analysis-philipp-hancke/

shmerl10y ago

Thanks! What a mess. No wonder it's not working for me - I'm using Firefox. Somehow I doubt Google are interested in fixing this.

discordance10y ago

Appear.in

shmerl10y ago

Can it make calls to real phone numbers, especially between countries? That's essentially what I need. Google provides that, but it works very poorly and requires a native plugin.

For regular Internet to Internet media calls I can use XMPP/Jingle client.

crcastle10y ago· 3 in thread

With some sort of peer discovery functionality, this could be a pretty cool open, cross-platform replacement for Apple's AirDrop.

...but would probably need WebRTC functionality in Safari to work on iOS devices

endergen10y ago

I was thinking this exact use case last in year in some experiments but just got to busy to finish it. I had auto discovery of local computers and a nice name: browserdrop.it.

I had it working too casting a chromecast with a system for displaying various file formats and basically file sharing your phone.

Not enough time in the world to finish every side project. Also once I found out about AirDroid I kind of felt they had my main use case pretty covered. Not quite but close. https://www.airdroid.com/

tjohns10y ago

I mentioned it in another comment upthread, but http://sharedrop.io is exactly this. WebRTC file transfer with LAN peer discovery.

endergen10y ago

Nice! Right, I forgot I had come across that one too. Using firebase was clever too.

malekascha10y ago· 2 in thread

I also made a similar project to this using WebRTC: https://www.mkstream.club/#/

Github: https://github.com/make-sity/mkstream

lucb1e10y ago

Might be just me, but "look I made something similar here is the link" without any more info or mention of how it's relevant sounds a lot like piggybacking off of the success of this thread to promote your own project.

malekascha10y ago

I'm sorry. that wasn't my intent. I just thought that I'd link it for anyone who wants to see another example of a filesharing app made with WebRTC.

1 more reply

tjohns10y ago· 2 in thread

There's also http://sharedrop.io, which was featured on HN a couple years ago and also uses WebRTC.

Source: https://github.com/cowbell/sharedrop Discussion: https://news.ycombinator.com/item?id=7468328

gfody10y ago

fipelines.org is another one (their cert is expired but if you ignore that the site works well)

doomrobo10y ago

Yet another is instant.io

calanya10y ago· 2 in thread

"Secure" but "we advise against using Bitfly for highly sensitive data. You have been warned.".

So is it secure or isn't it?

nlightchoOP10y ago

I trust my browser's developers with my most sensitive data (online banking password, government id etc.) but that does not mean I believe I am fully secure in doing so. There could always be a bug in the WebRTC implementation or the SSL library or the hardware. Maybe I should rephrase the FAQ to read "Don't put your highly sensitive data on the Internet at all".

wodenokoto10y ago

The warning is posted under the headline "How do I know you're not sending my data to the NSA" and in that context, it is a good warning. Don't trust random software with highly sensitive data.

amelius10y ago· 2 in thread

I was wondering if it is possible to transfer streaming video data over WebRTC already, for example to implement a video chat service, without wasting too much CPU power and/or bandwidth?

willsentance10y ago

Icecomm lets you use Webrtc to do this pretty easily (icecomm.io)

amelius10y ago

Interesting. Are they doing image processing / compression in javascript?

StavrosK10y ago

My favorite of these tools is magic womhole (command-line only):

https://github.com/warner/magic-wormhole

It gives you a few words for you to give the recipient, they type them in, and boom, transfer starts.

quartz10y ago

Very cool! We built something similar using flash and RTMFP back in 2010 and actually got into YC W11 with the project (with dreams of building something like airdrop until Apple went and actually built airdrop causing us to pivot into high speed data transport instead).

It's great to see this being implemented using WebRTC now, which was just popping onto the radar back then. I envy you building this without having to write any action script or flex code! Best of luck with the project.

iolothebard10y ago

Awesome, I'm looking to incorporate some of this into a project I'm working on.

n-gauge10y ago

Slightly off topic, but can anyone recommend a webrtc tutorial for data channels or any projects which can be used for player v player over the browser (chrome) . I guess like one player has to be the master and the other players join his/her webrtc connection ?

terrortrain10y ago

Why not just use http://instant.io ?

If you are worried about security, encrypt before sending.

leoh10y ago

Wow. Now implement this with file search and you've basically got something like Napster.

j / k navigate · click thread line to collapse

64 comments

40 comments · 14 top-level

helb10y ago· 7 in thread

Similar project: FilePizza – https://file.pizza/

github: https://github.com/kern/filepizza show hn: https://news.ycombinator.com/item?id=9535332

gfody10y ago

http://xkcd949.com/

digi_owl10y ago

Reminds me that i ran into a blog after the referenced comic was publish, that mused about how the trouble of easily sending files between PC online was a conspiracy between the ISPs and the *AAs.

degenerate10y ago

The URL references the ID number of this comic: http://xkcd.com/949/

vacri10y ago

    cat $FILE | nc -l -p 80

1 more reply

bobajeff10y ago

Does anyone know how FilePizza and Bitfly compares to WebTorrent?

eldod10y ago

FilePizza and Bitfly are much simpler implementations, doing 1-to-1 file transfers in the browser using the basic WebRTC Datachannel API.

Looks like FilePizza is now using WebTorrent too now, as it's mentionned in their FAQ:

https://github.com/kern/filepizza

agumonkey10y ago

Happy to see that it works with CyanogenMod Chrome Beta on an old HP TouchPad.

ps: although it says the HTTPS connection is not safe.. weird. pps: lazy me would love a multiple file options ..

CiPHPerCoder10y ago· 4 in thread

From the HN title: "secure"

I have a question: Secure against what thread model?

It would really be great if you could demonstrate what makes this more secure than alternative solutions.

That said, this is kind of neat.

zanny10y ago

lqdc1310y ago

Doesn't the server know the token id? I didn't inspect the requests, but it's possible to send the token to the server.

Therefore, can't they download the sample just like the connected client?

nlightchoOP10y ago

Thank you for the feedback! I will change the wording of that FAQ question (+ answer) and make it more detailed.

Rhapso10y ago

A big problem is that webRTC is highly MITM-able. You have to exchange initial connections using a server. So no party has any way of knowing if you are MITM attacking.

But all-in-all this does not offer ANY security over a server because there is no way to show it is not just being stored on a server.

4 more replies

shmerl10y ago· 4 in thread

TD-Linux10y ago

shmerl10y ago

Thanks! What a mess. No wonder it's not working for me - I'm using Firefox. Somehow I doubt Google are interested in fixing this.

discordance10y ago

Appear.in

shmerl10y ago

Can it make calls to real phone numbers, especially between countries? That's essentially what I need. Google provides that, but it works very poorly and requires a native plugin.

For regular Internet to Internet media calls I can use XMPP/Jingle client.

crcastle10y ago· 3 in thread

With some sort of peer discovery functionality, this could be a pretty cool open, cross-platform replacement for Apple's AirDrop.

...but would probably need WebRTC functionality in Safari to work on iOS devices

endergen10y ago

I was thinking this exact use case last in year in some experiments but just got to busy to finish it. I had auto discovery of local computers and a nice name: browserdrop.it.

I had it working too casting a chromecast with a system for displaying various file formats and basically file sharing your phone.

Not enough time in the world to finish every side project. Also once I found out about AirDroid I kind of felt they had my main use case pretty covered. Not quite but close. https://www.airdroid.com/

tjohns10y ago

I mentioned it in another comment upthread, but http://sharedrop.io is exactly this. WebRTC file transfer with LAN peer discovery.

endergen10y ago

Nice! Right, I forgot I had come across that one too. Using firebase was clever too.

malekascha10y ago· 2 in thread

I also made a similar project to this using WebRTC: https://www.mkstream.club/#/

Github: https://github.com/make-sity/mkstream

lucb1e10y ago

malekascha10y ago

I'm sorry. that wasn't my intent. I just thought that I'd link it for anyone who wants to see another example of a filesharing app made with WebRTC.

1 more reply

tjohns10y ago· 2 in thread

There's also http://sharedrop.io, which was featured on HN a couple years ago and also uses WebRTC.

Source: https://github.com/cowbell/sharedrop Discussion: https://news.ycombinator.com/item?id=7468328

gfody10y ago

fipelines.org is another one (their cert is expired but if you ignore that the site works well)

doomrobo10y ago

Yet another is instant.io

calanya10y ago· 2 in thread

"Secure" but "we advise against using Bitfly for highly sensitive data. You have been warned.".

So is it secure or isn't it?

nlightchoOP10y ago

wodenokoto10y ago

The warning is posted under the headline "How do I know you're not sending my data to the NSA" and in that context, it is a good warning. Don't trust random software with highly sensitive data.

amelius10y ago· 2 in thread

I was wondering if it is possible to transfer streaming video data over WebRTC already, for example to implement a video chat service, without wasting too much CPU power and/or bandwidth?

willsentance10y ago

Icecomm lets you use Webrtc to do this pretty easily (icecomm.io)

amelius10y ago

Interesting. Are they doing image processing / compression in javascript?

StavrosK10y ago

My favorite of these tools is magic womhole (command-line only):

https://github.com/warner/magic-wormhole

It gives you a few words for you to give the recipient, they type them in, and boom, transfer starts.

quartz10y ago

iolothebard10y ago

Awesome, I'm looking to incorporate some of this into a project I'm working on.

n-gauge10y ago

terrortrain10y ago

Why not just use http://instant.io ?

If you are worried about security, encrypt before sending.

leoh10y ago

Wow. Now implement this with file search and you've basically got something like Napster.

j / k navigate · click thread line to collapse