croc[1] has worked better for me. It supports resuming transfers, which is a must. It is very wormhole like and written in Go.
[1] https://github.com/schollz/croc
Note that it's less clear how secure croc is. Magic Wormhole would be the reference there, I think. I have seen issues on the croc repository regarding security, not sure what the state is today.
Granted croc supports resuming transfers, which magic wormhole doesn't.
croc is also available on Android, which makes it really useful. Although KDE Connect works very well, at least for smallish files, it requires pairing devices you might not want to pair permanently.
Isn't there an Android app supporting magic wormhole?
croc's throughput was also a lot better for me. I think this is due to them using multiplexed TCP streams.
This project made me learn about and attempt to implement the SPAKE2 protocol and HKDF as an exercise. It's quite fascinating. It lets you upgrade a short password to a long key, but requires trusting a server to rate limit attempts on brute-forcing that short password. It seems difficult to find a practical use case for it though. Because it's only relevant when it is impractical to send a long key. But if you think for a second, let's say you are transferring from a desktop to a phone, you can show a QR code and scan it with your phone's camera, thus achieving a secure handshake bypassing the need for SPAKE2 altogether. Maybe it would defeat the simplicity of the tool, but if it also provided a long string of words for the key, a user could optionally send all the words instead of just the first few and get themselves a secure key without needing to trust the server.
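Added example (not from the thread and not Magic Wormhole's code): the SPAKE2-then-HKDF flow the comment above describes, run over a deliberately tiny group so the algebra stays readable. The group parameters, the `M`/`N` values, all function names and the sample code are constructed for illustration and are not secure.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for this example. NOT secure: a real SPAKE2 uses a
# standard large group, with M and N fixed so nobody knows their discrete logs.
P, Q, G = 2039, 1019, 4        # safe prime P = 2Q + 1; G generates the order-Q subgroup
M, N = 9, 25                   # per-side blinding elements (squares, so in the subgroup)

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869): extract a PRK from ikm, then expand it to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def pw_scalar(code: str) -> int:
    """Turn the short human code into an exponent modulo the group order."""
    return int.from_bytes(hashlib.sha256(code.encode()).digest(), "big") % Q

def start(code: str, blind: int):
    """Return (secret exponent, message). Only the message crosses the mailbox server."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(blind, pw_scalar(code), P) % P

def finish(code: str, secret: int, peer_msg: int, peer_blind: int, transcript: bytes) -> bytes:
    """Remove the peer's password blind, finish the DH step, stretch with HKDF."""
    unblind = pow(pow(peer_blind, pw_scalar(code), P), P - 2, P)   # inverse, P is prime
    shared = pow(peer_msg * unblind % P, secret, P)
    return hkdf_sha256(code.encode() + shared.to_bytes(2, "big"), info=transcript)

def run_exchange(code_a: str, code_b: str):
    """Both sides of one protocol run; returns the 32-byte key each side derives."""
    xa, msg_a = start(code_a, M)       # sender blinds with M
    xb, msg_b = start(code_b, N)       # receiver blinds with N
    transcript = msg_a.to_bytes(2, "big") + msg_b.to_bytes(2, "big")
    return (finish(code_a, xa, msg_b, N, transcript),
            finish(code_b, xb, msg_a, M, transcript))

if __name__ == "__main__":
    code = "7-crossover-clockwork"     # constructed sample code
    ka, kb = run_exchange(code, code)
    print("same code, keys match:", ka == kb)
    ka, kb = run_exchange(code, "7-crossover-clockwerk")
    print("one wrong guess, keys match:", ka == kb)
```

With mismatched codes the two derived keys differ, so each guess at the short code consumes one full protocol run.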
That's all nice and dandy, but what about sending data the other way, from a phone to a desktop? Meticulously typing in long strings of text with no mistakes is not really a practical solution for the vast majority of users.
The moderately technical solution is a single-file webserver on the computer that supports file uploads, like https://github.com/sigoden/dufs.
Once it is running all you need to type on the phone is the IP:port.
QR codes?
Not all desktops have cameras.
The vast majority of desktops do not have a camera.
You can still generate the QR code in the desktop and scan it with your phone camera. The device receiving the file does not have to be the device that scans the code.
I was reading about MW yesterday and had the same question about the short password. Here's a doc I found about it: https://magic-wormhole.readthedocs.io/en/latest/attacks.html...
Maybe if your camera is broken? Or you are using one of those phones built without a camera (like the ones issued to people who work at secure government sites)?
My friend and former colleague has built a bunch of stuff over magic-wormhole like fowl[0], shwim[1] and so on. There is a lot of nice work on "dilated" wormhole.
[0] <https://github.com/meejah/fowl>
[1] <https://github.com/meejah/shwim>
https://gist.github.com/SMUsamaShah/fd6e275e44009b72f64d0570... List of p2p file sharing tools including this one. Most in the list are browser based.
And its lesser known component, the mailbox server used for signaling to connect the two computers. If you’ve ever installed and used magic wormhole, you’ve likely used the default public mailbox server unless you configured and set up your own.
https://github.com/magic-wormhole/magic-wormhole-mailbox-ser...
I usually use the Debian one and never had problems.
I use this all the time when trying to get files between devices that need multiple hops to get to. Way easier than remembering what scp or rsync combo I need to jump through a host.
Hmm how does this negotiate the hops or does it assume internet access? E.g. what if the last hop is inside a VPC.
It uses a rendezvous server to handle connecting.
Googled.
> Because of firewall network address translation (NAT) issues, rendezvous protocols generally require that there be at least one unblocked and un-NATed server that lets the peers locate each other and initiate concurrent packets at each other.
So probably can't help with a VPC unless you pierce a hole for it.
I guess this makes sense, since by design this shouldn't be possible.
Well it allows you to customize the rendezvous server, so if you're on a network with no internet access you can host the server there.
The point of the intermediate server is so that you can NAT hole punch, otherwise it has little point (except maybe as a relay, which is a bad solution).
I’ve used this and localsend, both are great, but has anyone finally solved the problem of making one of these things that can use a GUI (for phones and tablets) and also a CLI (for when I’m SSHed into my home computer and need to send a video to get processed by something)?
Wormhole William is available for Android devices:
https://play.google.com/store/apps/details?id=io.sanford.wor...
I need iOS and iPadOS. Although ideally there’d be a GUI that could work on all of the “mainstream” OSes, since most of my problem here is that I frequently need to move files between devices in different walled or unwalled gardens.
For desktop PCs, Rymdport (formerly wormhole-gui) may be suitable. It's cross-platform with pre-built binaries for FreeBSD, Linux, macOS and Windows on x86-64 and arm64:
https://github.com/Jacalz/rymdport
I did use it some time ago, but I remember the user experience being somewhat confusing, since there are multiple similarly named tools around, which don't seem to be interoperable. Still, a cool concept.
Recently learnt about Tailscale funnel, and I love it, I would use it for everything.
`tailscale funnel --set-path <secret> <DIRECTORY>`
(The path is needed because there are lots of bots who scan tailscale hostnames).
This works if the sender is tech savvy (and a tailscale user) but not in the other direction.
A simple encrypted channel for file transfer. A great way to send a file to a stranger who is near you but shares nothing with you, e.g. at a conference.
/* A modern version should, of course, work in a browser, so that there'd be no Python packages to install. But the browser security model does not allow listening, so a signaling server would be needed to create a WebRTC connection. It could run on one of the devices involved, but still can't be a pure web app. */
> A modern version should, of course, work in a browser, so that there'd be no Python packages to install
Now, only uv needs to be installed (two self-contained binaries). Then you can do `uvx magic-wormhole --help` and it will quickly create a transient environment with the required packages. You don't even need to install Python (uv will do a transient install of Python as well).
They don't have to be near you, they can be over the internet. Relatedly, the Magic Wormhole CLI also depends on a signaling server (referred to in the documentation as the "mailbox"), so I don't think it's doing anything you couldn't do with WebRTC.
"Near you" physically only matters in coordination, not the network. I can be beside someone and it will still go through towers and space before we establish a connection.
I prefer https://localsend.org/ nowadays. Nice cross-platform GUI, "just works". Requires being on the same LAN, but discovery of other devices is automatic and there are no alphanumeric codes that have to be shared. It's a good QoL improvement to have "airdrop" between Android and Linux.
The main reason one would use Magic Wormhole is that the devices do not need to be on the same LAN...
I've had better luck with https://drop.lol/ - it allows local discovery but can also share a link (drop.lol/XXXXX) to invite a device to the "network". There have been a number of times/networks local peer discovery doesn't work for me, but maybe that's because I haven't installed the localsend app.
I use this very specifically for setting up new machines. It's one of those where I don't use it much, but when I do it has saved me a whole lot of time, and it's worked well every time.
> Copying files through encrypted email requires bootstrapping a GPG key as well as an email address.
Do people realize that GPG supports symmetric encryption?
You need to be sure to use a sufficiently strong password/passphrase for PGP symmetric encryption. For GPG I would use at least 4 diceware words. The thing being discussed here only requires a digit and 2 words due to the use of a PAKE.
It would be nice if things like GPG would generate an appropriate passphrase for you by default.
I guess if you are only going to send one file the difference is not really all that significant. Otherwise the experience after exchanging email addresses and fingerprints would probably be better with encrypted email.
Don't want to crash my friend's server, but he made a Mac app with this: https://www.viawormhole.xyz/
AFAIK, Web Wormhole is the only one of those tools that can be used both as a command-line tool and from a browser. It looks like the site is down at the moment though. https://github.com/saljam/webwormhole https://webwormhole.io/
Their TURN and STUN servers are down too.
The website doesn’t work on my phone.
I’m glad to see that there are mobile apps and web applications that work on/use Magic Wormhole for peer to peer file transfers. The mobile app and web applications seem to be limited (number of files is one at a time, size of file allowed, etc.) due to limitations on mobile platforms and due to choices by the developer/server host.
I use magic wormhole when I first install a computer to send an SSH key. At that point, I have ssh. Also if you use a mesh VPN, your devices are already connected and there are several ways to transfer files.
I like to use it more. What is your use case for this?
BTW, I haven’t found a good iOS app.
I think you should create a new SSH key for every computer so you only have to share the public key.
If you’re launching machines from a prebaked image or template, it may not be possible to inject/generate something unique for each one, or doing so is finicky to the point that using something like wormhole may be simpler than fighting with your provisioning tool.
Folks at Coder authored a p2p file transfer tool using Tailscale (no account needed, the setup is entirely ephemeral, and the code apparently runs a Headscale control server in-memory): https://github.com/coder/wush
Unsure how Tailscale rate limits, if at all, such traffic flowing through its public relays ("DERP"), as a tool like this is just ripe for abuse?
Great tool.
Very minor web page issue report: please add a replay to the video. Thanks.
I use it all the time. This tool is so great.
Another cool solution: Copyparty – Turn almost any device into a file server https://news.ycombinator.com/item?id=44711519
Another simple solution works on LAN https://pairdrop.net/
It just works.
I use Piknik: https://github.com/jedisct1/piknik